public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
101,841 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure 
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
.github
CONTRIBUTING.md: improve commit message guidelines
2017-02-06 22:26:32 +02:00
doc
nixpkgs: allow packages to be marked insecure
2017-02-24 07:41:05 -05:00
lib
ndpi: init at 1.8
2017-02-22 00:20:10 -08:00
maintainers
Add a script to get failures for hydra eval /cc @globin
2017-01-28 22:29:15 +01:00
nixos
nixpkgs: allow packages to be marked insecure
2017-02-24 07:41:05 -05:00
pkgs
nixpkgs: allow packages to be marked insecure
2017-02-24 07:41:05 -05:00
.editorconfig
Do not trim trailing whitespace in patch files
2017-01-12 23:44:26 +01:00
.gitignore
kde5: consolidate packages into desktops/kde-5
2016-03-01 10:36:00 -06:00
.mention-bot
include me in mention bot for darwin
2016-12-09 21:19:32 +01:00
.travis.yml
travis: also evaluate nixpkgs-unstable
2016-12-15 22:43:14 +01:00
.version
unstable is now 17.03
2016-09-02 08:47:21 +02:00
COPYING
Time passing by
2017-01-01 21:35:52 +01:00
default.nix
Separate fix-point from config importing hacks and other impurities
2016-07-14 14:33:23 -07:00
README.md
README: Update to 16.09
2016-10-04 17:45:24 +02:00

README.md

logo

Build Status Code Triagers Badge

Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

% git remote add channels git://github.com/NixOS/nixpkgs-channels.git

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-16.09 for the latest release and nixos-unstable for the latest successful build of master:

% git remote update channels
% git rebase channels/nixos-16.09

For pull-requests, please rebase onto nixpkgs master.

NixOS linux distribution source code is located inside nixos/ folder.

Communication:

Description
No description provided
Readme 1.5 GiB
Languages
Nix 96.3%
Shell 1.8%
Python 0.7%
Perl 0.4%
C 0.3%
Other 0.1%