>Another solution would be having a black/white list. If a package should
>be added to DBUS but is contained in neither list tell the user to do
>so. This way users have a choice but won't miss to make the decision.
>
>Eg:
>
>  systemPackages = [ pkgProvidingDbusConfig pkg2ProvidingDbusConfig
>    pkg3ProvidingDbusConfig ];
>
>  dbus.whitelist= [pkgProvidingDbusConfig];
>  dbus.blacklist= [pkg2ProvidingDbusConfig];
>
>Now nixos-rebuild will fail because pkg3ProvidingDbusConfig is not
>contained in either list.
>
>This is yet another take on it which would satisfy security to some
>extent and make things work because users won't forget to whitelist some
>packages. Thinking about it I'd prefer this one. Eg we could add
>additional info then:
>
>meta / passthru = {
>  providesDbusConfig = {
>    why = "Without this XY won't work - however security risk might be
>    ...";
>  }
>}
>
>Is complexity a bigger issue than the value this solution provides?
>Don't know. It would minimize questions and debugging. That's why it's
>my favorite. The only downside is that users have to make a choice which
>also is a feature.

The real downside is that one can end up having _multiple_ large
white/blacklists. My system-path derivation lists more than 600 paths...
I like this way of managing package installation; your proposal would make
it somewhat harder...

_______________________________________________
nix-dev mailing list
nix-dev@cs.uu.nl
https://mail.cs.uu.nl/mailman/listinfo/nix-dev
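
The default-deny check proposed in the quoted text, sketched as a plain Nix expression. This is an added example, not code from the thread or from NixOS; `mkPkg`, the `whitelist`/`blacklist` bindings and the package stand-ins are hypothetical, and the `why` strings are constructed.

```nix
# Added illustration: every name below is hypothetical, none is a NixOS option.
let
  # Constructed stand-ins for packages. `providesDbusConfig` mirrors the
  # meta/passthru attribute suggested in the quoted proposal.
  mkPkg = name: why: { inherit name; providesDbusConfig = { inherit why; }; };
  pkgProvidingDbusConfig  = mkPkg "pkgProvidingDbusConfig"  "constructed reason 1";
  pkg2ProvidingDbusConfig = mkPkg "pkg2ProvidingDbusConfig" "constructed reason 2";
  pkg3ProvidingDbusConfig = mkPkg "pkg3ProvidingDbusConfig" "constructed reason 3";
  hello = { name = "hello"; };  # ships no D-Bus configuration, never checked

  systemPackages = [
    pkgProvidingDbusConfig pkg2ProvidingDbusConfig pkg3ProvidingDbusConfig hello
  ];
  whitelist = [ pkgProvidingDbusConfig ];
  blacklist = [ pkg2ProvidingDbusConfig ];

  # Only packages that declare D-Bus configuration need a decision, so the
  # lists stay small even when systemPackages is large.
  providers = builtins.filter (p: p ? providesDbusConfig) systemPackages;

  # A package in both lists is a contradiction; refuse instead of guessing.
  bothNames = map (p: p.name)
    (builtins.filter (p: builtins.elem p blacklist) whitelist);

  # Providers found in neither list: the case that must abort the rebuild.
  undecided = builtins.filter
    (p: !(builtins.elem p whitelist || builtins.elem p blacklist))
    providers;

  describe = p: "  ${p.name}: ${p.providesDbusConfig.why}";
in
  if bothNames != [ ] then
    throw ("listed in both whitelist and blacklist: "
      + builtins.concatStringsSep ", " bothNames)
  else if undecided != [ ] then
    throw ("packages shipping D-Bus config need an explicit decision:\n"
      + builtins.concatStringsSep "\n" (map describe undecided))
  else
    # Only explicitly whitelisted providers would reach the D-Bus configuration.
    map (p: p.name) (builtins.filter (p: builtins.elem p whitelist) providers)
```

As written, evaluation aborts and names `pkg3ProvidingDbusConfig`, matching the failure case in the quoted example; adding it to either list lets evaluation return the whitelisted provider names.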