Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: a9c875fc2e65e80324ce1e624abd2a765ae815f8
https://github.com/NixOS/nixpkgs/commit/a9c875fc2e65e80324ce1e624abd2a765ae815f8
Author: Graham Christensen <[email protected]>
Date: 2017-02-24 (Fri, 24 Feb 2017)
Changed paths:
M doc/configuration.xml
M nixos/doc/manual/release-notes/rl-1703.xml
M pkgs/stdenv/generic/default.nix
Log Message:
-----------
nixpkgs: allow packages to be marked insecure

If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure,
    refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can
       add ‘foobar-1.2.3’ to `permittedInsecurePackages` in
       ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

    NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.

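
Added example, not part of the commit or of nixpkgs: a simplified, stand-alone Nix model of the decision the commit message above describes (a non-empty `meta.knownVulnerabilities` refuses the package unless its exact name is in `permittedInsecurePackages` or `NIXPKGS_ALLOW_INSECURE=1` is set). `checkInsecure`, the `config` argument and the sample packages are hypothetical names constructed for illustration, and the model returns a result set where nixpkgs aborts evaluation with the error shown above.

```nix
# Simplified model of the insecure-package check described in the commit
# message. This is NOT the code from pkgs/stdenv/generic/default.nix;
# checkInsecure and the sample packages are hypothetical and constructed.
# Evaluate with: nix-instantiate --eval --strict example.nix
let
  # Constructed sample packages.
  vulnerable = {
    name = "foobar-1.2.3";
    meta.knownVulnerabilities = [
      "CVE-0000-00000: remote code execution"
      "CVE-0000-00001: local privilege escalation"
    ];
  };
  clean = { name = "hello-2.10"; meta = { }; };

  # `config` stands in for nixpkgs.config or ~/.config/nixpkgs/config.nix.
  checkInsecure = config: pkg:
    let
      # A missing attribute means "no known issues".
      issues = pkg.meta.knownVulnerabilities or [ ];
      # The allow-list matches the full name, version included.
      permitted =
        builtins.elem pkg.name (config.permittedInsecurePackages or [ ]);
      # Per-invocation override from the environment, not from a file.
      envOverride = builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
    in
    if issues == [ ] then
      { allowed = true; reason = "no known vulnerabilities"; }
    else if permitted then
      { allowed = true; reason = "listed in permittedInsecurePackages"; }
    else if envOverride then
      { allowed = true; reason = "NIXPKGS_ALLOW_INSECURE=1"; }
    else {
      allowed = false;
      reason = "marked as insecure:\n"
        + builtins.concatStringsSep "\n" (map (i: " - " + i) issues);
    };
in
{
  cleanPkg = checkInsecure { } clean;
  refused = checkInsecure { } vulnerable;
  exactVersion =
    checkInsecure { permittedInsecurePackages = [ "foobar-1.2.3" ]; } vulnerable;
  otherVersion =
    checkInsecure { permittedInsecurePackages = [ "foobar-1.2.4" ]; } vulnerable;
}
```

With `NIXPKGS_ALLOW_INSECURE` unset, `refused` and `otherVersion` both evaluate to `allowed = false`: an allow-list entry covers one name and version only, so a later version with its own known vulnerabilities is refused again.
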
Commit: 30cea5f02245a20022ea93f8eec2f4fe053ad97a
https://github.com/NixOS/nixpkgs/commit/30cea5f02245a20022ea93f8eec2f4fe053ad97a
Author: Graham Christensen <[email protected]>
Date: 2017-02-24 (Fri, 24 Feb 2017)
Changed paths:
M pkgs/development/libraries/libplist/default.nix
Log Message:
-----------
libplist: mark as insecure
Patches currently available don't seem to apply.
Commit: 8f60b43d9c46ac59722262d545025f23bfb8bb68
https://github.com/NixOS/nixpkgs/commit/8f60b43d9c46ac59722262d545025f23bfb8bb68
Author: Robin Gloster <[email protected]>
Date: 2017-02-24 (Fri, 24 Feb 2017)
Changed paths:
M doc/configuration.xml
M nixos/doc/manual/release-notes/rl-1703.xml
M pkgs/development/libraries/libplist/default.nix
M pkgs/stdenv/generic/default.nix
Log Message:
-----------
Merge pull request #23130 from grahamc/insecure-packages-with-docs
nixpkgs: allow packages to be marked insecure (this time with docs)
Compare: https://github.com/NixOS/nixpkgs/compare/8e1fa01f3a72...8f60b43d9c46
_______________________________________________
nix-commits mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-commits