Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 38771badd3bd4e6a46495577506a3eacb299726c
https://github.com/NixOS/nixpkgs/commit/38771badd3bd4e6a46495577506a3eacb299726c
Author: Graham Christensen <gra...@grahamc.com>
Date: 2017-02-17 (Fri, 17 Feb 2017)
Changed paths:
M pkgs/stdenv/generic/default.nix
Log Message:
-----------
nixpkgs: allow packages to be marked insecure

If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure,
    refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can
       add ‘foobar-1.2.3’ to `permittedInsecurePackages` in
       ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

    NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.

Commit: c8859b7264ec8b3dc8c5e9750cf461ac20615e52
https://github.com/NixOS/nixpkgs/commit/c8859b7264ec8b3dc8c5e9750cf461ac20615e52
Author: Graham Christensen <gra...@grahamc.com>
Date: 2017-02-22 (Wed, 22 Feb 2017)
Changed paths:
M pkgs/development/libraries/libplist/default.nix
Log Message:
-----------
libplist: mark as insecure

Patches currently available don't seem to apply.

Commit: 037c489b107dd5af163ded65202d48ade6f83ccd
https://github.com/NixOS/nixpkgs/commit/037c489b107dd5af163ded65202d48ade6f83ccd
Author: Graham Christensen <gra...@grahamc.com>
Date: 2017-02-23 (Thu, 23 Feb 2017)
Changed paths:
M pkgs/development/libraries/libplist/default.nix
M pkgs/stdenv/generic/default.nix
Log Message:
-----------
Merge pull request #22890 from grahamc/mark-as-insecure

nixpkgs: allow packages to be marked insecure

Compare: https://github.com/NixOS/nixpkgs/compare/0c50a629122c...037c489b107d
_______________________________________________
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits
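
A simplified model of the gate described in the first commit message, added here as an example; it is not the code from pkgs/stdenv/generic/default.nix. The names `checkInsecure`, `allowEnv` and `allowed` and the sample packages are hypothetical. It shows that a `permittedInsecurePackages` entry is matched on the exact name including the version, while the environment toggle permits everything for that one invocation.

```nix
# Simplified model of the insecure-package gate (not the nixpkgs source).
# checkInsecure, allowEnv, allowed and the sample packages are hypothetical.
let
  # Returns the package unchanged, or throws when it is marked insecure and
  # neither the per-version allowlist nor the environment toggle applies.
  checkInsecure = { config, allowEnv }: pkg:
    let
      vulns = pkg.meta.knownVulnerabilities or [ ];
      permitted =
        builtins.elem pkg.name (config.permittedInsecurePackages or [ ]);
    in
    if vulns == [ ] || permitted || allowEnv == "1" then pkg
    else throw ''
      Package ‘${pkg.name}’ is marked as insecure, refusing to evaluate.
      Known issues:
      ${builtins.concatStringsSep "\n" (map (v: " - " + v) vulns)}
    '';

  # Constructed sample packages.
  foobar123 = {
    name = "foobar-1.2.3";
    meta.knownVulnerabilities = [ "CVE-0000-00000: remote code execution" ];
  };
  foobar124 = foobar123 // { name = "foobar-1.2.4"; };  # later, still vulnerable
  hello = { name = "hello-1.0"; meta = { }; };           # nothing recorded

  # The allowlist names one exact version, as in the commit message.
  config = { permittedInsecurePackages = [ "foobar-1.2.3" ]; };

  # tryEval turns the throw into a boolean so every case can be listed.
  allowed = gate: pkg: (builtins.tryEval (gate pkg)).success;

  # A real check would read the toggle with
  # builtins.getEnv "NIXPKGS_ALLOW_INSECURE"; it is a parameter here so the
  # result does not depend on the caller's environment.
  strict = checkInsecure { inherit config; allowEnv = ""; };
  withEnv = checkInsecure { inherit config; allowEnv = "1"; };
in
{
  noVulnerabilities = allowed strict hello;
  allowlistedVersion = allowed strict foobar123;
  nextVersionNotListed = allowed strict foobar124;
  nextVersionWithEnvToggle = allowed withEnv foobar124;
}
```

Saved to a file, this evaluates with `nix-instantiate --eval --strict <file>`.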