Revert "nixpkgs: allow packages to be marked insecure"
This commit is contained in:
parent
274994785d
commit
59d61ef34a
2 changed files with 12 additions and 67 deletions
|
@ -28,12 +28,5 @@ in stdenv.mkDerivation rec {
|
|||
homepage = http://github.com/JonathanBeck/libplist;
|
||||
platforms = stdenv.lib.platforms.all;
|
||||
maintainers = [ stdenv.lib.maintainers.urkud ];
|
||||
knownVulnerabilities = [
|
||||
"CVE-2017-5209: base64decode function in base64.c allows attackers to obtain sensitive information from process memory or cause a denial of service"
|
||||
"CVE-2017-5545: attackers to obtain sensitive information from process memory or cause a denial of service"
|
||||
"CVE-2017-5834: A heap-buffer overflow in parse_dict_node"
|
||||
"CVE-2017-5835: A memory allocation error leading to DoS"
|
||||
"CVE-2017-5836: A type inconsistency in bplist.c"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -75,14 +75,6 @@ let
|
|||
isUnfree (lib.lists.toList attrs.meta.license) &&
|
||||
!allowUnfreePredicate attrs;
|
||||
|
||||
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
|
||||
allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;
|
||||
|
||||
hasAllowedInsecure = attrs:
|
||||
(attrs.meta.knownVulnerabilities or []) == [] ||
|
||||
allowInsecurePredicate attrs ||
|
||||
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
|
||||
|
||||
showLicense = license: license.shortName or "unknown";
|
||||
|
||||
defaultNativeBuildInputs = extraBuildInputs ++
|
||||
|
@ -145,62 +137,24 @@ let
|
|||
builtins.unsafeGetAttrPos "name" attrs;
|
||||
pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»";
|
||||
|
||||
throwEvalHelp = { reason, errormsg }:
|
||||
# uppercase the first character of string s
|
||||
let up = s: with lib;
|
||||
(toUpper (substring 0 1 s)) + (substring 1 (stringLength s) s);
|
||||
in
|
||||
assert builtins.elem reason ["unfree" "broken" "blacklisted"];
|
||||
|
||||
throw ("Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate."
|
||||
+ (lib.strings.optionalString (reason != "blacklisted") ''
|
||||
|
||||
remediation = {
|
||||
unfree = remediate_whitelist "Unfree";
|
||||
broken = remediate_whitelist "Broken";
|
||||
blacklisted = x: "";
|
||||
insecure = remediate_insecure;
|
||||
};
|
||||
remediate_whitelist = allow_attr: attrs:
|
||||
''
|
||||
a) For `nixos-rebuild` you can set
|
||||
{ nixpkgs.config.allow${allow_attr} = true; }
|
||||
{ nixpkgs.config.allow${up reason} = true; }
|
||||
in configuration.nix to override this.
|
||||
|
||||
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
||||
{ allow${allow_attr} = true; }
|
||||
{ allow${up reason} = true; }
|
||||
to ~/.config/nixpkgs/config.nix.
|
||||
'';
|
||||
|
||||
remediate_insecure = attrs:
|
||||
''
|
||||
|
||||
Known issues:
|
||||
|
||||
'' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''
|
||||
|
||||
You can install it anyway by whitelisting this package, using the
|
||||
following methods:
|
||||
|
||||
a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
|
||||
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
|
||||
like so:
|
||||
|
||||
{
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"${attrs.name or "«name-missing»"}"
|
||||
];
|
||||
}
|
||||
|
||||
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
||||
‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
|
||||
~/.config/nixpkgs/config.nix, like so:
|
||||
|
||||
{
|
||||
permittedInsecurePackages = [
|
||||
"${attrs.name or "«name-missing»"}"
|
||||
];
|
||||
}
|
||||
|
||||
'';
|
||||
|
||||
|
||||
throwEvalHelp = { reason , errormsg ? "" }:
|
||||
throw (''
|
||||
Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate.
|
||||
|
||||
'' + ((builtins.getAttr reason remediation) attrs));
|
||||
''));
|
||||
|
||||
# Check if a derivation is valid, that is whether it passes checks for
|
||||
# e.g brokenness or license.
|
||||
|
@ -217,8 +171,6 @@ let
|
|||
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
||||
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
|
||||
{ valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; }
|
||||
else if !(hasAllowedInsecure attrs) then
|
||||
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
|
||||
else { valid = true; };
|
||||
|
||||
outputs' =
|
||||
|
|
Loading…
Reference in a new issue