| 
									
										
										
										
											2015-01-24 20:40:40 +01:00
										 |  |  | <chapter xmlns="http://docbook.org/ns/docbook" | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  |          xmlns:xlink="http://www.w3.org/1999/xlink" | 
					
						
							|  |  |  |          xml:id="chap-packageconfig"> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  <title>Global configuration</title> | 
					
						
							|  |  |  |  <para> | 
					
						
							|  |  |  |   Nix comes with certain defaults about what packages can and cannot be | 
					
						
							|  |  |  |   installed, based on a package's metadata. By default, Nix will prevent | 
					
						
							|  |  |  |   installation if any of the following criteria are true: | 
					
						
							|  |  |  |  </para> | 
					
						
							|  |  |  |  <itemizedlist> | 
					
						
							|  |  |  |   <listitem> | 
					
						
							|  |  |  |    <para> | 
					
						
							|  |  |  |     The package is thought to be broken, and has had its | 
					
						
							|  |  |  |     <literal>meta.broken</literal> set to <literal>true</literal>. | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  |   </listitem> | 
					
						
							|  |  |  |   <listitem> | 
					
						
							|  |  |  |    <para> | 
					
						
							|  |  |  |     The package isn't intended to run on the given system, as none of its | 
					
						
							|  |  |  |     <literal>meta.platforms</literal> match the given system. | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  |   </listitem> | 
					
						
							|  |  |  |   <listitem> | 
					
						
							|  |  |  |    <para> | 
					
						
							|  |  |  |     The package's <literal>meta.license</literal> is set to a license which is | 
					
						
							|  |  |  |     considered to be unfree. | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  |   </listitem> | 
					
						
							|  |  |  |   <listitem> | 
					
						
							|  |  |  |    <para> | 
					
						
							|  |  |  |     The package has known security vulnerabilities but has not or can not be | 
					
						
							|  |  |  |     updated for some reason, and a list of issues has been entered in to the | 
					
						
							|  |  |  |     package's <literal>meta.knownVulnerabilities</literal>. | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  |   </listitem> | 
					
						
							|  |  |  |  </itemizedlist> | 
					
						
							|  |  |  |  <para> | 
					
						
							|  |  |  |   Note that all this is checked during evaluation already, and the check | 
					
						
							|  |  |  |   includes any package that is evaluated. In particular, all build-time | 
					
						
							|  |  |  |   dependencies are checked. <literal>nix-env -qa</literal> will (attempt to) | 
					
						
							|  |  |  |   hide any packages that would be refused. | 
					
						
							|  |  |  |  </para> | 
					
						
							|  |  |  |  <para> | 
					
						
							|  |  |  |   Each of these criteria can be altered in the nixpkgs configuration. | 
					
						
							|  |  |  |  </para> | 
					
						
							|  |  |  |  <para> | 
					
						
							|  |  |  |   The nixpkgs configuration for a NixOS system is set in the | 
					
						
							|  |  |  |   <literal>configuration.nix</literal>, as in the following example: | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | <programlisting> | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   nixpkgs.config = { | 
					
						
							|  |  |  |     allowUnfree = true; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   However, this does not allow unfree software for individual users. Their | 
					
						
							|  |  |  |   configurations are managed separately. | 
					
						
							|  |  |  |  </para> | 
					
						
							|  |  |  |  <para> | 
					
						
							|  |  |  |   A user's of nixpkgs configuration is stored in a user-specific configuration | 
					
						
							|  |  |  |   file located at <filename>~/.config/nixpkgs/config.nix</filename>. For | 
					
						
							|  |  |  |   example: | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <programlisting> | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-02-15 18:29:52 +01:00
										 |  |  |   allowUnfree = true; | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  </para> | 
					
						
							|  |  |  |  <para> | 
					
						
							|  |  |  |   Note that we are not able to test or build unfree software on Hydra due to | 
					
						
							|  |  |  |   policy. Most unfree licenses prohibit us from either executing or | 
					
						
							|  |  |  |   distributing the software. | 
					
						
							|  |  |  |  </para> | 
					
						
							|  |  |  |  <section xml:id="sec-allow-broken"> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   <title>Installing broken packages</title> | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   <para> | 
					
						
							|  |  |  |    There are two ways to try compiling a package which has been marked as | 
					
						
							|  |  |  |    broken. | 
					
						
							|  |  |  |   </para> | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   <itemizedlist> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      For allowing the build of a broken package once, you can use an | 
					
						
							|  |  |  |      environment variable for a single invocation of the nix tools: | 
					
						
							|  |  |  | <programlisting>$ export NIXPKGS_ALLOW_BROKEN=1</programlisting> | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							|  |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      For permanently allowing broken packages to be built, you may add | 
					
						
							|  |  |  |      <literal>allowBroken = true;</literal> to your user's configuration file, | 
					
						
							|  |  |  |      like this: | 
					
						
							| 
									
										
										
										
											2017-02-26 10:31:55 +01:00
										 |  |  | <programlisting> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   allowBroken = true; | 
					
						
							| 
									
										
										
										
											2017-02-26 10:31:55 +01:00
										 |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   </itemizedlist> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  </section> | 
					
						
							|  |  |  |  <section xml:id="sec-allow-unsupported-system"> | 
					
						
							| 
									
										
										
										
											2018-04-17 16:08:21 -04:00
										 |  |  |   <title>Installing packages on unsupported systems</title> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   <para> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    There are also two ways to try compiling a package which has been marked as | 
					
						
							|  |  |  |    unsuported for the given system. | 
					
						
							| 
									
										
										
										
											2018-04-17 16:08:21 -04:00
										 |  |  |   </para> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   <itemizedlist> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      For allowing the build of a broken package once, you can use an | 
					
						
							|  |  |  |      environment variable for a single invocation of the nix tools: | 
					
						
							|  |  |  | <programlisting>$ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</programlisting> | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							|  |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      For permanently allowing broken packages to be built, you may add | 
					
						
							|  |  |  |      <literal>allowUnsupportedSystem = true;</literal> to your user's | 
					
						
							|  |  |  |      configuration file, like this: | 
					
						
							| 
									
										
										
										
											2018-04-17 16:08:21 -04:00
										 |  |  | <programlisting> | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   allowUnsupportedSystem = true; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							| 
									
										
										
										
											2018-04-17 16:08:21 -04:00
										 |  |  |   </itemizedlist> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   <para> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    The difference between an a package being unsupported on some system and | 
					
						
							|  |  |  |    being broken is admittedly a bit fuzzy. If a program | 
					
						
							|  |  |  |    <emphasis>ought</emphasis> to work on a certain platform, but doesn't, the | 
					
						
							|  |  |  |    platform should be included in <literal>meta.platforms</literal>, but marked | 
					
						
							|  |  |  |    as broken with e.g. <literal>meta.broken = | 
					
						
							|  |  |  |    !hostPlatform.isWindows</literal>. Of course, this begs the question of what | 
					
						
							|  |  |  |    "ought" means exactly. That is left to the package maintainer. | 
					
						
							| 
									
										
										
										
											2018-04-17 16:08:21 -04:00
										 |  |  |   </para> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  </section> | 
					
						
							|  |  |  |  <section xml:id="sec-allow-unfree"> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   <title>Installing unfree packages</title> | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   <para> | 
					
						
							|  |  |  |    There are several ways to tweak how Nix handles a package which has been | 
					
						
							|  |  |  |    marked as unfree. | 
					
						
							|  |  |  |   </para> | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   <itemizedlist> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      To temporarily allow all unfree packages, you can use an environment | 
					
						
							|  |  |  |      variable for a single invocation of the nix tools: | 
					
						
							|  |  |  | <programlisting>$ export NIXPKGS_ALLOW_UNFREE=1</programlisting> | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							|  |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      It is possible to permanently allow individual unfree packages, while | 
					
						
							|  |  |  |      still blocking unfree packages by default using the | 
					
						
							|  |  |  |      <literal>allowUnfreePredicate</literal> configuration option in the user | 
					
						
							|  |  |  |      configuration file. | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      This option is a function which accepts a package as a parameter, and | 
					
						
							|  |  |  |      returns a boolean. The following example configuration accepts a package | 
					
						
							|  |  |  |      and always returns false: | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <programlisting> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   allowUnfreePredicate = (pkg: false); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      A more useful example, the following configuration allows only allows | 
					
						
							|  |  |  |      flash player and visual studio code: | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <programlisting> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]); | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							|  |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      It is also possible to whitelist and blacklist licenses that are | 
					
						
							|  |  |  |      specifically acceptable or not acceptable, using | 
					
						
							|  |  |  |      <literal>whitelistedLicenses</literal> and | 
					
						
							|  |  |  |      <literal>blacklistedLicenses</literal>, respectively. | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      The following example configuration whitelists the licenses | 
					
						
							|  |  |  |      <literal>amd</literal> and <literal>wtfpl</literal>: | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <programlisting> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ]; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      The following example configuration blacklists the <literal>gpl3</literal> | 
					
						
							|  |  |  |      and <literal>agpl3</literal> licenses: | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <programlisting> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ]; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   </itemizedlist> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   <para> | 
					
						
							|  |  |  |    A complete list of licenses can be found in the file | 
					
						
							|  |  |  |    <filename>lib/licenses.nix</filename> of the nixpkgs tree. | 
					
						
							|  |  |  |   </para> | 
					
						
							|  |  |  |  </section> | 
					
						
							|  |  |  |  <section xml:id="sec-allow-insecure"> | 
					
						
							|  |  |  |   <title>Installing insecure packages</title> | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   <para> | 
					
						
							|  |  |  |    There are several ways to tweak how Nix handles a package which has been | 
					
						
							|  |  |  |    marked as insecure. | 
					
						
							|  |  |  |   </para> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | 
 | 
					
						
							|  |  |  |   <itemizedlist> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      To temporarily allow all insecure packages, you can use an environment | 
					
						
							|  |  |  |      variable for a single invocation of the nix tools: | 
					
						
							|  |  |  | <programlisting>$ export NIXPKGS_ALLOW_INSECURE=1</programlisting> | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							|  |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      It is possible to permanently allow individual insecure packages, while | 
					
						
							|  |  |  |      still blocking other insecure packages by default using the | 
					
						
							|  |  |  |      <literal>permittedInsecurePackages</literal> configuration option in the | 
					
						
							|  |  |  |      user configuration file. | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      The following example configuration permits the installation of the | 
					
						
							|  |  |  |      hypothetically insecure package <literal>hello</literal>, version | 
					
						
							|  |  |  |      <literal>1.2.3</literal>: | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | <programlisting> | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   permittedInsecurePackages = [ | 
					
						
							|  |  |  |     "hello-1.2.3" | 
					
						
							|  |  |  |   ]; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							|  |  |  |    <listitem> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      It is also possible to create a custom policy around which insecure | 
					
						
							|  |  |  |      packages to allow and deny, by overriding the | 
					
						
							|  |  |  |      <literal>allowInsecurePredicate</literal> configuration option. | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      The <literal>allowInsecurePredicate</literal> option is a function which | 
					
						
							|  |  |  |      accepts a package and returns a boolean, much like | 
					
						
							|  |  |  |      <literal>allowUnfreePredicate</literal>. | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      The following configuration example only allows insecure packages with | 
					
						
							|  |  |  |      very short names: | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  | <programlisting> | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) <= 5); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |     </para> | 
					
						
							|  |  |  |     <para> | 
					
						
							|  |  |  |      Note that <literal>permittedInsecurePackages</literal> is only checked if | 
					
						
							|  |  |  |      <literal>allowInsecurePredicate</literal> is not specified. | 
					
						
							|  |  |  |     </para> | 
					
						
							|  |  |  |    </listitem> | 
					
						
							| 
									
										
											  
											
												nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
    stdenv.mkDerivation {
      name = "foobar-1.2.3";
      ...
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
    Known issues:
     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation
    You can install it anyway by whitelisting this package, using the
    following methods:
    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:
         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:
         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
  NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
											
										 
											2017-02-16 21:02:13 -05:00
										 |  |  |   </itemizedlist> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  </section> | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <!--============================================================--> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  <section xml:id="sec-modify-via-packageOverrides"> | 
					
						
							|  |  |  |   <title>Modify packages via <literal>packageOverrides</literal></title> | 
					
						
							| 
									
										
										
										
											2015-04-20 17:54:39 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   <para> | 
					
						
							|  |  |  |    You can define a function called <varname>packageOverrides</varname> in your | 
					
						
							|  |  |  |    local <filename>~/.config/nixpkgs/config.nix</filename> to override nix | 
					
						
							|  |  |  |    packages. It must be a function that takes pkgs as an argument and return | 
					
						
							|  |  |  |    modified set of packages. | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | <programlisting> | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-04-20 23:09:45 +02:00
										 |  |  |   packageOverrides = pkgs: rec { | 
					
						
							|  |  |  |     foo = pkgs.foo.override { ... }; | 
					
						
							|  |  |  |   }; | 
					
						
							| 
									
										
										
										
											2015-12-07 20:41:18 +01:00
										 |  |  | } | 
					
						
							|  |  |  | </programlisting> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |   </para> | 
					
						
							|  |  |  |  </section> | 
					
						
							|  |  |  |  <section xml:id="sec-declarative-package-management"> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |   <title>Declarative Package Management</title> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   <section xml:id="sec-building-environment"> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <title>Build an environment</title> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |    <para> | 
					
						
							|  |  |  |     Using <literal>packageOverrides</literal>, it is possible to manage | 
					
						
							|  |  |  |     packages declaratively. This means that we can list all of our desired | 
					
						
							|  |  |  |     packages within a declarative Nix expression. For example, to have | 
					
						
							|  |  |  |     <literal>aspell</literal>, <literal>bc</literal>, | 
					
						
							|  |  |  |     <literal>ffmpeg</literal>, <literal>coreutils</literal>, | 
					
						
							|  |  |  |     <literal>gdb</literal>, <literal>nixUnstable</literal>, | 
					
						
							|  |  |  |     <literal>emscripten</literal>, <literal>jq</literal>, | 
					
						
							|  |  |  |     <literal>nox</literal>, and <literal>silver-searcher</literal>, we could | 
					
						
							|  |  |  |     use the following in <filename>~/.config/nixpkgs/config.nix</filename>: | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | <screen> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   packageOverrides = pkgs: with pkgs; { | 
					
						
							|  |  |  |     myPackages = pkgs.buildEnv { | 
					
						
							|  |  |  |       name = "my-packages"; | 
					
						
							|  |  |  |       paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ]; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  |     </screen> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     To install it into our environment, you can just run <literal>nix-env -iA | 
					
						
							|  |  |  |     nixpkgs.myPackages</literal>. If you want to load the packages to be built | 
					
						
							|  |  |  |     from a working copy of <literal>nixpkgs</literal> you just run | 
					
						
							|  |  |  |     <literal>nix-env -f. -iA myPackages</literal>. To explore what's been | 
					
						
							|  |  |  |     installed, just look through <filename>~/.nix-profile/</filename>. You can | 
					
						
							|  |  |  |     see that a lot of stuff has been installed. Some of this stuff is useful | 
					
						
							|  |  |  |     some of it isn't. Let's tell Nixpkgs to only link the stuff that we want: | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | <screen> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   packageOverrides = pkgs: with pkgs; { | 
					
						
							|  |  |  |     myPackages = pkgs.buildEnv { | 
					
						
							|  |  |  |       name = "my-packages"; | 
					
						
							|  |  |  |       paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ]; | 
					
						
							|  |  |  |       pathsToLink = [ "/share" "/bin" ]; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  |     </screen> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     <literal>pathsToLink</literal> tells Nixpkgs to only link the paths listed | 
					
						
							|  |  |  |     which gets rid of the extra stuff in the profile. <filename>/bin</filename> | 
					
						
							|  |  |  |     and <filename>/share</filename> are good defaults for a user environment, | 
					
						
							|  |  |  |     getting rid of the clutter. If you are running on Nix on MacOS, you may | 
					
						
							|  |  |  |     want to add another path as well, <filename>/Applications</filename>, that | 
					
						
							|  |  |  |     makes GUI apps available. | 
					
						
							|  |  |  |    </para> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |   </section> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   <section xml:id="sec-getting-documentation"> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <title>Getting documentation</title> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |    <para> | 
					
						
							|  |  |  |     After building that new environment, look through | 
					
						
							|  |  |  |     <filename>~/.nix-profile</filename> to make sure everything is there that | 
					
						
							|  |  |  |     we wanted. Discerning readers will note that some files are missing. Look | 
					
						
							|  |  |  |     inside <filename>~/.nix-profile/share/man/man1/</filename> to verify this. | 
					
						
							|  |  |  |     There are no man pages for any of the Nix tools! This is because some | 
					
						
							|  |  |  |     packages like Nix have multiple outputs for things like documentation (see | 
					
						
							|  |  |  |     section 4). Let's make Nix install those as well. | 
					
						
							|  |  |  |    </para> | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | <screen> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   packageOverrides = pkgs: with pkgs; { | 
					
						
							|  |  |  |     myPackages = pkgs.buildEnv { | 
					
						
							|  |  |  |       name = "my-packages"; | 
					
						
							|  |  |  |       paths = [ aspell bc coreutils ffmpeg nixUnstable emscripten jq nox silver-searcher ]; | 
					
						
							| 
									
										
										
										
											2018-05-11 15:31:56 -04:00
										 |  |  |       pathsToLink = [ "/share/man" "/share/doc" "/bin" ]; | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |       extraOutputsToInstall = [ "man" "doc" ]; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  |     </screen> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     This provides us with some useful documentation for using our packages. | 
					
						
							|  |  |  |     However, if we actually want those manpages to be detected by man, we need | 
					
						
							|  |  |  |     to set up our environment. This can also be managed within Nix expressions. | 
					
						
							|  |  |  |    </para> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  | <screen> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   packageOverrides = pkgs: with pkgs; rec { | 
					
						
							|  |  |  |     myProfile = writeText "my-profile" '' | 
					
						
							|  |  |  | export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin | 
					
						
							|  |  |  | export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man | 
					
						
							|  |  |  |     ''; | 
					
						
							|  |  |  |     myPackages = pkgs.buildEnv { | 
					
						
							|  |  |  |       name = "my-packages"; | 
					
						
							|  |  |  |       paths = [ | 
					
						
							|  |  |  |         (runCommand "profile" {} '' | 
					
						
							|  |  |  | mkdir -p $out/etc/profile.d | 
					
						
							|  |  |  | cp ${myProfile} $out/etc/profile.d/my-profile.sh | 
					
						
							|  |  |  |         '') | 
					
						
							|  |  |  |         aspell | 
					
						
							|  |  |  |         bc | 
					
						
							|  |  |  |         coreutils | 
					
						
							|  |  |  |         ffmpeg | 
					
						
							|  |  |  |         man | 
					
						
							|  |  |  |         nixUnstable | 
					
						
							|  |  |  |         emscripten | 
					
						
							|  |  |  |         jq | 
					
						
							|  |  |  |         nox | 
					
						
							|  |  |  |         silver-searcher | 
					
						
							|  |  |  |       ]; | 
					
						
							| 
									
										
										
										
											2018-05-11 15:31:56 -04:00
										 |  |  |       pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ]; | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |       extraOutputsToInstall = [ "man" "doc" ]; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  |     </screen> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     For this to work fully, you must also have this script sourced when you are | 
					
						
							|  |  |  |     logged in. Try adding something like this to your | 
					
						
							|  |  |  |     <filename>~/.profile</filename> file: | 
					
						
							|  |  |  |    </para> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  | <screen> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | #!/bin/sh | 
					
						
							|  |  |  | if [ -d $HOME/.nix-profile/etc/profile.d ]; then | 
					
						
							|  |  |  |   for i in $HOME/.nix-profile/etc/profile.d/*.sh; do | 
					
						
							|  |  |  |     if [ -r $i ]; then | 
					
						
							|  |  |  |       . $i | 
					
						
							|  |  |  |     fi | 
					
						
							|  |  |  |   done | 
					
						
							|  |  |  | fi | 
					
						
							|  |  |  |     </screen> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     Now just run <literal>source $HOME/.profile</literal> and you can starting | 
					
						
							|  |  |  |     loading man pages from your environent. | 
					
						
							|  |  |  |    </para> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |   </section> | 
					
						
							| 
									
										
										
										
											2018-04-17 16:08:21 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |   <section xml:id="sec-gnu-info-setup"> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <title>GNU info setup</title> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     Configuring GNU info is a little bit trickier than man pages. To work | 
					
						
							|  |  |  |     correctly, info needs a database to be generated. This can be done with | 
					
						
							|  |  |  |     some small modifications to our environment scripts. | 
					
						
							|  |  |  |    </para> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  | <screen> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  | { | 
					
						
							|  |  |  |   packageOverrides = pkgs: with pkgs; rec { | 
					
						
							|  |  |  |     myProfile = writeText "my-profile" '' | 
					
						
							|  |  |  | export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin | 
					
						
							|  |  |  | export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man | 
					
						
							|  |  |  | export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info | 
					
						
							|  |  |  |     ''; | 
					
						
							|  |  |  |     myPackages = pkgs.buildEnv { | 
					
						
							|  |  |  |       name = "my-packages"; | 
					
						
							|  |  |  |       paths = [ | 
					
						
							|  |  |  |         (runCommand "profile" {} '' | 
					
						
							|  |  |  | mkdir -p $out/etc/profile.d | 
					
						
							|  |  |  | cp ${myProfile} $out/etc/profile.d/my-profile.sh | 
					
						
							|  |  |  |         '') | 
					
						
							|  |  |  |         aspell | 
					
						
							|  |  |  |         bc | 
					
						
							|  |  |  |         coreutils | 
					
						
							|  |  |  |         ffmpeg | 
					
						
							|  |  |  |         man | 
					
						
							|  |  |  |         nixUnstable | 
					
						
							|  |  |  |         emscripten | 
					
						
							|  |  |  |         jq | 
					
						
							|  |  |  |         nox | 
					
						
							|  |  |  |         silver-searcher | 
					
						
							|  |  |  |         texinfoInteractive | 
					
						
							|  |  |  |       ]; | 
					
						
							|  |  |  |       pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ]; | 
					
						
							|  |  |  |       extraOutputsToInstall = [ "man" "doc" "info" ]; | 
					
						
							|  |  |  |       postBuild = '' | 
					
						
							|  |  |  |           if [ -x $out/bin/install-info -a -w $out/share/info ]; then | 
					
						
							|  |  |  |             shopt -s nullglob | 
					
						
							|  |  |  |             for i in $out/share/info/*.info $out/share/info/*.info.gz; do | 
					
						
							|  |  |  |                 $out/bin/install-info $i $out/share/info/dir | 
					
						
							|  |  |  |             done | 
					
						
							|  |  |  |           fi | 
					
						
							|  |  |  |       ''; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  |     </screen> | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |    <para> | 
					
						
							|  |  |  |     <literal>postBuild</literal> tells Nixpkgs to run a command after building | 
					
						
							|  |  |  |     the environment. In this case, <literal>install-info</literal> adds the | 
					
						
							|  |  |  |     installed info pages to <literal>dir</literal> which is GNU info's default | 
					
						
							|  |  |  |     root node. Note that <literal>texinfoInteractive</literal> is added to the | 
					
						
							|  |  |  |     environment to give the <literal>install-info</literal> command. | 
					
						
							|  |  |  |    </para> | 
					
						
							| 
									
										
										
										
											2017-05-20 22:25:05 -05:00
										 |  |  |   </section> | 
					
						
							| 
									
										
										
										
											2018-05-01 19:54:21 -04:00
										 |  |  |  </section> | 
					
						
							| 
									
										
										
										
											2015-04-20 17:54:39 +02:00
										 |  |  | </chapter> |