nixpkgs-suyu/pkgs
Graham Christensen 38771badd3
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 20:49:49 -05:00
..
applications compton: 0.1_beta2 -> 0.1_beta2.5 2017-02-16 17:50:58 +03:00
build-support nix-prefetch-zip: Remove 2017-02-16 11:28:23 +01:00
data hackage: update snapshot to 2017-02-12T15:49:03Z 2017-02-16 11:48:10 +01:00
desktops lxappearance: 0.6.2 -> 0.6.3 (#22865) 2017-02-16 13:31:42 +00:00
development SDL2: fix creation of libSDL2main.a 2017-02-16 22:24:40 +01:00
games trigger: update to 0.6.5 2017-02-16 22:25:23 +01:00
misc ghostscript: fix installed library name on darwin 2017-02-16 13:32:39 -05:00
os-specific grsecurity: 4.9.8-201702071801 -> 4.9.10-201702152052 2017-02-16 14:51:25 +01:00
servers redis: 3.2.5 -> 3.2.7 for two vulnerabilities 2017-02-15 19:46:46 -05:00
shells
stdenv nixpkgs: allow packages to be marked insecure 2017-02-17 20:49:49 -05:00
test
tools Merge pull request #22754 from mbrgm/update-keepalived 2017-02-16 23:08:22 +01:00
top-level tex4ht: fixup evaluation errors in the broken package 2017-02-16 20:24:56 +01:00