Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 38771badd3bd4e6a46495577506a3eacb299726c
      
https://github.com/NixOS/nixpkgs/commit/38771badd3bd4e6a46495577506a3eacb299726c
  Author: Graham Christensen <gra...@grahamc.com>
  Date:   2017-02-17 (Fri, 17 Feb 2017)

  Changed paths:
    M pkgs/stdenv/generic/default.nix

  Log Message:
  -----------
  nixpkgs: allow packages to be marked insecure

If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

       {
         nixpkgs.config.permittedInsecurePackages = [
           "foobar-1.2.3"
         ];
       }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
       ‘foobar-1.2.3’ to `permittedInsecurePackages` in
       ~/.config/nixpkgs/config.nix, like so:

       {
         permittedInsecurePackages = [
           "foobar-1.2.3"
         ];
       }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
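
A stand-alone model of the check the commit message describes, added here as an illustration and not taken from the nixpkgs stdenv code: a hypothetical `checkInsecure` function reads `meta.knownVulnerabilities`, consults the `permittedInsecurePackages` whitelist and the `NIXPKGS_ALLOW_INSECURE` environment variable, and either returns the package or throws the refusal. The two sample packages (`foobar` and `safe`) are constructed for the example.

```nix
# Added example; this is not the nixpkgs implementation of the check,
# only a model of the behaviour described in the commit message.
let
  # Constructed sample: a package whose meta lists known vulnerabilities.
  foobar = {
    name = "foobar-1.2.3";
    meta.knownVulnerabilities = [
      "CVE-0000-00000: remote code execution"
      "CVE-0000-00001: local privilege escalation"
    ];
  };

  # Constructed sample: a package with nothing listed, so it always evaluates.
  safe = { name = "baz-2.0"; meta = { }; };

  # Hypothetical helper. `config` stands in for the attrset that comes from
  # ~/.config/nixpkgs/config.nix or nixpkgs.config on NixOS.
  checkInsecure = { config ? { }, pkg }:
    let
      vulns = pkg.meta.knownVulnerabilities or [ ];
      isMarkedInsecure = vulns != [ ];

      # The whitelist names an exact name-version string, so a bump of the
      # package version reinstates the refusal until the entry is updated.
      whitelisted = builtins.elem pkg.name (config.permittedInsecurePackages or [ ]);

      # The per-invocation override from the commit message; getEnv yields ""
      # when the variable is unset, so the override is off by default.
      envOverride = builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";

      allowed = !isMarkedInsecure || whitelisted || envOverride;
      issueList = builtins.concatStringsSep "\n" (map (v: " - ${v}") vulns);
    in
    if allowed then pkg
    else throw ''
      Package ‘${pkg.name}’ is marked as insecure, refusing to evaluate.

      Known issues:

      ${issueList}

      You can install it anyway by adding "${pkg.name}" to
      permittedInsecurePackages, or by running with NIXPKGS_ALLOW_INSECURE=1.
    '';
in
{
  # Evaluates to "baz-2.0": nothing is listed, so nothing is checked.
  ok = (checkInsecure { pkg = safe; }).name;

  # Evaluates to "foobar-1.2.3": the whitelist names this exact version.
  permitted = (checkInsecure {
    config.permittedInsecurePackages = [ "foobar-1.2.3" ];
    pkg = foobar;
  }).name;

  # Throws the refusal above unless NIXPKGS_ALLOW_INSECURE=1 is exported.
  refused = (checkInsecure { pkg = foobar; }).name;
}
```

Save it as `insecure-check.nix` and evaluate one attribute at a time, for example `nix-instantiate --eval -A permitted insecure-check.nix`; `-A refused` reproduces the refusal, and prefixing the same command with `NIXPKGS_ALLOW_INSECURE=1` lets it through for that invocation only, which is the point the commit message makes about avoiding a persistent global toggle.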


  Commit: c8859b7264ec8b3dc8c5e9750cf461ac20615e52
      
https://github.com/NixOS/nixpkgs/commit/c8859b7264ec8b3dc8c5e9750cf461ac20615e52
  Author: Graham Christensen <gra...@grahamc.com>
  Date:   2017-02-22 (Wed, 22 Feb 2017)

  Changed paths:
    M pkgs/development/libraries/libplist/default.nix

  Log Message:
  -----------
  libplist: mark as insecure

Patches currently available don't seem to apply.


  Commit: 037c489b107dd5af163ded65202d48ade6f83ccd
      
https://github.com/NixOS/nixpkgs/commit/037c489b107dd5af163ded65202d48ade6f83ccd
  Author: Graham Christensen <gra...@grahamc.com>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M pkgs/development/libraries/libplist/default.nix
    M pkgs/stdenv/generic/default.nix

  Log Message:
  -----------
  Merge pull request #22890 from grahamc/mark-as-insecure

nixpkgs: allow packages to be marked insecure


Compare: https://github.com/NixOS/nixpkgs/compare/0c50a629122c...037c489b107d
_______________________________________________
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits
