nixpkgs/nixos/doc/manual
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

    NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
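
The decision described in the commit message above, modelled as a stand-alone Nix expression (an added example, not code from nixpkgs or from the commit). The `foobar-1.2.4` and `hello-2.10` entries, the `CVE-0000-00002` string and the file name `insecure-check.nix` are constructed; the sketch assumes the allowlist is matched against the full name-version string, as "this specific version" implies.

```nix
# Added sketch, not nixpkgs' own code. Evaluate with:
#   nix-instantiate --eval --strict --json insecure-check.nix
let
  # Constructed package set: the page's "foobar-1.2.3" plus two made-up entries.
  pkgs = [
    { name = "foobar-1.2.3";
      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ]; }
    { name = "foobar-1.2.4";
      meta.knownVulnerabilities = [ "CVE-0000-00002: constructed placeholder" ]; }
    { name = "hello-2.10"; meta = { }; }
  ];

  # Constructed user config, shaped like ~/.config/nixpkgs/config.nix.
  config.permittedInsecurePackages = [ "foobar-1.2.3" ];

  # Per-invocation override named in the commit message; there is no
  # file-based equivalent, so it has to be set again on every run.
  envOverride = builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";

  vulns = p: p.meta.knownVulnerabilities or [ ];
  isInsecure = p: vulns p != [ ];

  # Assumption: exact match on the whole "name-version" string.
  isPermitted = p:
    builtins.elem p.name (config.permittedInsecurePackages or [ ]);

  verdict = p:
    if !(isInsecure p) then "ok"
    else if isPermitted p then "permitted by config"
    else if envOverride then "permitted by NIXPKGS_ALLOW_INSECURE=1"
    else "refused";
in
  # One record per package: its name, the verdict, and the listed issues.
  map (p: {
    inherit (p) name;
    verdict = verdict p;
    knownVulnerabilities = vulns p;
  }) pkgs
```

Because the match is on the whole string, the allowance for `foobar-1.2.3` does not carry over to `foobar-1.2.4`, so a version bump that is still marked insecure has to be reviewed and permitted again.
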
administration NixOS Manual: Container Networking with NM 2016-11-20 17:25:33 +01:00
configuration Merge pull request #23046 from Zimmi48/patch-2 2017-02-22 01:40:50 +01:00
development nixos manual: correct reference to sddm 2017-02-10 22:52:08 -05:00
installation manual: Add link to config section (#22994) 2017-02-20 14:32:49 +01:00
release-notes nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
default.nix NixOS: Use runCommand instead of mkDerivation in a few places 2016-09-29 13:05:28 +02:00
man-configuration.xml
man-nixos-build-vms.xml
man-nixos-generate-config.xml
man-nixos-install.xml nixos-install: add options --closure, --no-channel-copy, --no-root-passwd, and --no-bootloader 2016-08-04 16:22:25 +01:00
man-nixos-option.xml
man-nixos-rebuild.xml doc: correct typo (#21176) 2016-12-15 17:13:44 +01:00
man-nixos-version.xml
man-pages.xml
manual.xml
options-to-docbook.xsl
README
style.css

To build the manual, you need Nix installed on your system (no need
for NixOS). To install Nix, follow the instructions at

    https://nixos.org/nix/download.html

When you have Nix on your system, in the root directory of the project
(i.e., `nixpkgs`), run:

    nix-build nixos/release.nix -A manual.x86_64-linux

When this command successfully finishes, it will tell you where the
manual got generated.