Global configuration
-Nix packages can be configured to allow or deny certain options.
+Nix comes with certain defaults about what packages can and
+cannot be installed, based on a package's metadata. By default, Nix
+will prevent installation if any of the following criteria are
+true:
-To apply the configuration edit
-~/.config/nixpkgs/config.nix and set it like
+
+ The packages is thought to be broken, and has had
+ its meta.broken set to
+ true.
+ The package's meta.license is set
+ to a license which is considered to be unfree.
+
+ The package has known security vulnerabilities but
+ has not or can not be updated for some reason, and a list of issues
+ has been entered in to the package's
+ meta.knownVulnerabilities.
+
+
+Each of these criteria can be altering the nixpkgs
+configuration.
+
+The nixpkgs configuration for a NixOS system is set in the
+configuration.nix, as in the following example:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+}
+
+However, this does not allow unfree software for individual users.
+Their configurations are managed separately.
+
+A user's of nixpkgs configuration is stored in a user-specific
+configuration file located at
+~/.config/nixpkgs/config.nix. For example:
{
allowUnfree = true;
}
+
-and will allow the Nix package manager to install unfree licensed packages.
+
+ Installing broken packages
-The configuration as listed also applies to NixOS under
- set.
-
+ There are two ways to try compiling a package which has been
+ marked as broken.
-
- Allow installing of packages that are distributed under
- unfree license by setting allowUnfree =
- true; or deny them by setting it to
- false.
+
+
+ For allowing the build of a broken package once, you can use an
+ environment variable for a single invocation of the nix tools:
- Same can be achieved by setting the environment variable:
+ $ export NIXPKGS_ALLOW_BROKEN=1
+
+
+
+ For permanently allowing broken packages to be built, you may
+ add allowBroken = true; to your user's
+ configuration file, like this:
+
+
+{
+ allowBroken = true;
+}
+
+
+
+
+
+ Installing unfree packages
+
+ There are several ways to tweak how Nix handles a package
+ which has been marked as unfree.
+
+
+
+ To temporarily allow all unfree packages, you can use an
+ environment variable for a single invocation of the nix tools:
+
+ $ export NIXPKGS_ALLOW_UNFREE=1
+
+
+
+ It is possible to permanently allow individual unfree packages,
+ while still blocking unfree packages by default using the
+ allowUnfreePredicate configuration
+ option in the user configuration file.
+
+ This option is a function which accepts a package as a
+ parameter, and returns a boolean. The following example
+ configuration accepts a package and always returns false:
+
+{
+ allowUnfreePredicate = (pkg: false);
+}
+
+
+
+ A more useful example, the following configuration allows
+ only allows flash player and visual studio code:
-$ export NIXPKGS_ALLOW_UNFREE=1
+{
+ allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
+}
+
-
-
+
+ It is also possible to whitelist and blacklist licenses
+ that are specifically acceptable or not acceptable, using
+ whitelistedLicenses and
+ blacklistedLicenses, respectively.
+
-
- Whenever unfree packages are not allowed, single packages
- can still be allowed by a predicate function that accepts package
- as an argument and should return a boolean:
+ The following example configuration whitelists the
+ licenses amd and wtfpl:
-allowUnfreePredicate = (pkg: ...);
+{
+ whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
+}
+
- Example to allow flash player and visual studio code only:
+ The following example configuration blacklists the
+ gpl3 and agpl3 licenses:
-allowUnfreePredicate = with builtins; (pkg: elem (parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
+{
+ blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
+}
+
+
+
-
-
+ A complete list of licenses can be found in the file
+ lib/licenses.nix of the nixpkgs tree.
+
-
- Whenever unfree packages are not allowed, packages can still
- be whitelisted by their license:
+
+
+
+ Installing insecure packages
+
+
+ There are several ways to tweak how Nix handles a package
+ which has been marked as unfree.
+
+
+
+ To temporarily allow all insecure packages, you can use an
+ environment variable for a single invocation of the nix tools:
+
+ $ export NIXPKGS_ALLOW_INSECURE=1
+
+
+
+ It is possible to permanently allow individual insecure
+ packages, while still blocking other insecure packages by
+ default using the permittedInsecurePackages
+ configuration option in the user configuration file.
+
+ The following example configuration permits the
+ installation of the hypothetically insecure package
+ hello, version 1.2.3:
+
+{
+ permittedInsecurePackages = [
+ "hello-1.2.3"
+ ];
+}
+
+
+
+
+
+ It is also possible to create a custom policy around which
+ insecure packages to allow and deny, by overriding the
+ allowInsecurePredicate configuration
+ option.
+
+ The allowInsecurePredicate option is a
+ function which accepts a package and returns a boolean, much
+ like allowUnfreePredicate.
+
+ The following configuration example only allows insecure
+ packages with very short names:
-whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
+{
+ allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) <= 5);
+}
-
-
-
-
- In addition to whitelisting licenses which are denied by the
- allowUnfree setting, you can also explicitely
- deny installation of packages which have a certain license:
-
-
-blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
-
-
-
-
-
-
-A complete list of licenses can be found in the file
-lib/licenses.nix of the nix package tree.
+
+ Note that permittedInsecurePackages is
+ only checked if allowInsecurePredicate is not
+ specified.
+
+
+
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index 3758a3bf2aa..38693437059 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -30,6 +30,14 @@ has the following highlights:
PHP now defaults to PHP 7.1
+
+
+ Packages in nixpkgs can be marked as insecure through listed
+ vulnerabilities. See the Nixpkgs
+ manual for more information.
+
+
The following new services were added since the last release:
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 34ba2fd8dd9..cb94db48f4b 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -75,6 +75,14 @@ let
isUnfree (lib.lists.toList attrs.meta.license) &&
!allowUnfreePredicate attrs;
+ allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
+ allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;
+
+ hasAllowedInsecure = attrs:
+ (attrs.meta.knownVulnerabilities or []) == [] ||
+ allowInsecurePredicate attrs ||
+ builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
+
showLicense = license: license.shortName or "unknown";
defaultNativeBuildInputs = extraBuildInputs ++
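Review bot: The second added line builds `allowInsecurePredicate` from `config.allowUnfreePredicate`, not `config.allowInsecurePredicate`, so the option the manual hunk documents is never consulted, and a user's unfree predicate (for example one that returns true for everything) silently also admits packages with `meta.knownVulnerabilities`. The line should read `allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;`. Because `hasAllowedInsecure` is the only place this policy is enforced, a short comment above it listing the three ways a vulnerable package passes (empty `knownVulnerabilities`, the predicate or `permittedInsecurePackages` entry, `NIXPKGS_ALLOW_INSECURE=1`) would help the next reader audit it, e.g. `# A package with known vulnerabilities evaluates only if explicitly permitted by config or by NIXPKGS_ALLOW_INSECURE=1.`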
@@ -137,24 +145,62 @@ let
builtins.unsafeGetAttrPos "name" attrs;
pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»";
- throwEvalHelp = { reason, errormsg }:
- # uppercase the first character of string s
- let up = s: with lib;
- (toUpper (substring 0 1 s)) + (substring 1 (stringLength s) s);
- in
- assert builtins.elem reason ["unfree" "broken" "blacklisted"];
-
- throw ("Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate."
- + (lib.strings.optionalString (reason != "blacklisted") ''
+ remediation = {
+ unfree = remediate_whitelist "Unfree";
+ broken = remediate_whitelist "Broken";
+ blacklisted = x: "";
+ insecure = remediate_insecure;
+ };
+ remediate_whitelist = allow_attr: attrs:
+ ''
a) For `nixos-rebuild` you can set
- { nixpkgs.config.allow${up reason} = true; }
+ { nixpkgs.config.allow${allow_attr} = true; }
in configuration.nix to override this.
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
- { allow${up reason} = true; }
+ { allow${allow_attr} = true; }
to ~/.config/nixpkgs/config.nix.
- ''));
+ '';
+
+ remediate_insecure = attrs:
+ ''
+
+ Known issues:
+
+ '' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''
+
+ You can install it anyway by whitelisting this package, using the
+ following methods:
+
+ a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
+ `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
+ like so:
+
+ {
+ nixpkgs.config.permittedInsecurePackages = [
+ "${attrs.name or "«name-missing»"}"
+ ];
+ }
+
+ b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
+ ‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
+ ~/.config/nixpkgs/config.nix, like so:
+
+ {
+ permittedInsecurePackages = [
+ "${attrs.name or "«name-missing»"}"
+ ];
+ }
+
+ '';
+
+
+ throwEvalHelp = { reason , errormsg ? "" }:
+ throw (''
+ Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate.
+
+ '' + ((builtins.getAttr reason remediation) attrs));
# Check if a derivation is valid, that is whether it passes checks for
# e.g brokenness or license.
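Review bot: In `remediate_insecure` the `lib.fold` that builds the "Known issues" list is a right fold that prepends each accumulated string, so the issues are printed in reverse of the order given in `meta.knownVulnerabilities`; `lib.concatMapStrings (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities` is both shorter and order-preserving. The rewritten `throwEvalHelp` also drops the former `assert builtins.elem reason [...]`, so an unrecognised `reason` now surfaces as a generic missing-attribute error from `builtins.getAttr` rather than a clear assertion; this appears harmless for the callers in this file, but a one-line comment on `remediation` saying its attribute names are the valid `reason` values would make the contract explicit. `throwEvalHelp`'s caller, `checkValidity`, lies outside this hunk.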
@@ -171,6 +217,8 @@ let
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
{ valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; }
+ else if !(hasAllowedInsecure attrs) then
+ { valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
else { valid = true; };
outputs' =