let lib = import ../../../lib; in lib.makeOverridable (
{ name ? "stdenv", preHook ? "", initialPath, cc, shell
, allowedRequisites ? null, extraAttrs ? {}, overrides ? (self: super: {}), config
, # The `fetchurl' to use for downloading curl and its dependencies
# (see all-packages.nix).
fetchurlBoot
, setupScript ? ./setup.sh
, extraBuildInputs ? []
, __stdenvImpureHostDeps ? []
, __extraImpureHostDeps ? []
, stdenvSandboxProfile ? ""
, extraSandboxProfile ? ""
, # The platforms here do *not* correspond to the stage the stdenv is
# used in, but rather the previous one, in which it was built. We
# use the latter two platforms, like a cross compiler, because the
# standard environment is a build tool if you squint at it, and because
# neither of these are used when building stdenv so we know the
# build platform is irrelevant.
hostPlatform, targetPlatform
}:
let
# `system` is taken from the *target* platform of this stdenv (see the
# hostPlatform/targetPlatform argument comment above for why).
inherit (targetPlatform) system;
# See discussion at https://github.com/NixOS/nixpkgs/pull/25304#issuecomment-298385426
# for why this defaults to false, but I (@copumpkin) want to default it to true soon.
# When true, `checkMeta` (below) validates every `meta` attribute against
# `metaTypes`; when false, `checkMeta` returns [] and meta is not validated.
shouldCheckMeta = config.checkMeta or false;
# Unfree packages are permitted either by `config.allowUnfree` or by the
# environment variable NIXPKGS_ALLOW_UNFREE=1. `or` binds tighter than `||`,
# so this reads `(config.allowUnfree or false) || (getEnv ... == "1")`.
# The environment override is read at evaluation time and wins regardless
# of what config.nix says.
allowUnfree = config.allowUnfree or false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
# Explicit per-license allow/deny lists from config.nix. They must be disjoint
# and may only contain entries of `lib.licenses`; `areLicenseListsValid`
# below enforces both before either list is consulted.
whitelist = config.whitelistedLicenses or [];
blacklist = config.blacklistedLicenses or [];
# Yield `attrs` only on x86_64-darwin and {} everywhere else, so the result
# can be merged with `//` unconditionally.
ifDarwin = attrs: if system == "x86_64-darwin" then attrs else {};
# Every element of `licenseList` must be one of the license attrsets of
# `lib.licenses` (looked up by its `shortName`); any other value aborts
# evaluation with a throw naming the offending license.
onlyLicenses = licenseList:
  let
    isKnownLicense = license:
      let known = lib.licenses.${license.shortName or "BROKEN"} or false;
      in license == known
         || throw ''‘${showLicense license}’ is not an attribute of lib.licenses'';
  in lib.lists.all isKnownLicense licenseList;
# True when no element of `a` occurs in `b` (an empty `a` is trivially
# exclusive). Membership is decided by `builtins.elem`, i.e. by equality.
mutuallyExclusive = a: b: builtins.all (x: !(builtins.elem x b)) a;
# Evaluates to true once both configured license lists are valid, otherwise
# aborts evaluation: the lists must be disjoint, and every entry must come
# from `lib.licenses` (checked by `onlyLicenses`).
areLicenseListsValid =
  if !(mutuallyExclusive whitelist blacklist) then
    throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive."
  else
    assert onlyLicenses whitelist;
    assert onlyLicenses blacklist;
    true;
# Whether `attrs` carries a `meta.license` attribute at all (a non-attrset
# `meta` counts as "no license" rather than an error).
hasLicense = attrs: attrs ? meta && attrs.meta ? license;
# True when `attrs.meta.license` is itself one of the whitelisted licenses.
# A list-valued `meta.license` is compared as a whole by `elem`, so it never
# matches a single whitelist entry. The leading `assert` forces validation of
# the configured lists on first use.
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
  if hasLicense attrs then builtins.elem attrs.meta.license whitelist else false;
# True when `attrs.meta.license` is itself one of the blacklisted licenses.
# As with the whitelist, a list-valued `meta.license` is compared as a whole
# and therefore never matches a single blacklist entry.
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
  if hasLicense attrs then builtins.elem attrs.meta.license blacklist else false;
# Broken packages are permitted either by `config.allowBroken` or by the
# environment variable NIXPKGS_ALLOW_BROKEN=1 (same precedence and override
# behaviour as `allowUnfree` above). `checkValidity` also uses this flag to
# waive the `meta.platforms` check.
allowBroken = config.allowBroken or false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
# True if any entry of `licenses` is unfree: either a license attrset whose
# `free` is false (a missing `free` counts as free), or one of the legacy
# string spellings "unfree" / "unfree-redistributable".
isUnfree = licenses:
  let
    unfree = l:
      !(l.free or true) || l == "unfree" || l == "unfree-redistributable";
  in builtins.any unfree licenses;
# Allow granular checks to allow only some unfree packages
# Example:
# {pkgs, ...}:
# {
#   allowUnfree = false;
#   allowUnfreePredicate = (x: pkgs.lib.hasPrefix "flashplayer-" x.name);
# }
# The predicate receives the derivation's attribute set and returns true to
# permit that package despite its unfree license. By default nothing is
# permitted.
allowUnfreePredicate = config.allowUnfreePredicate or (x: false);
# An unfree package is denied when unfree packages are not globally allowed,
# the package declares a license, that license (or any one of a list of
# licenses) is unfree, and `allowUnfreePredicate` does not explicitly permit
# the package.
hasDeniedUnfreeLicense = attrs:
  if allowUnfree then false
  else
    hasLicense attrs
    && isUnfree (lib.lists.toList attrs.meta.license)
    && !(allowUnfreePredicate attrs);
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
# Default insecure-package predicate: the package is permitted only if its
# exact `name` (which includes the version) is listed in
# `config.permittedInsecurePackages`.
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
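# Decides whether a package carrying `meta.knownVulnerabilities` may still be
# evaluated: the user's `config.allowInsecurePredicate` if set, otherwise the
# `permittedInsecurePackages` name list. This must read
# `config.allowInsecurePredicate`, not `config.allowUnfreePredicate`:
# consulting the unfree predicate here would let an unfree allowance such as
# `allowUnfreePredicate = (x: true)` silently waive the known-vulnerabilities
# check, and would ignore `permittedInsecurePackages` entirely whenever an
# unfree predicate is configured.
allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;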
# A package passes the insecure check when it declares no known
# vulnerabilities, when `allowInsecurePredicate` permits it, or when the
# NIXPKGS_ALLOW_INSECURE=1 environment override is set. The environment
# variable is only consulted if the first two tests fail.
hasAllowedInsecure = attrs:
  let
    knownVulnerabilities = attrs.meta.knownVulnerabilities or [];
    envOverride = builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
  in
  knownVulnerabilities == []
  || allowInsecurePredicate attrs
  || envOverride;
# Human-readable name of a license for error messages; "unknown" when the
# value has no `shortName` (a string-valued license, for instance).
showLicense = license: license.shortName or "unknown";
# Native build inputs every derivation made with this stdenv receives, in
# addition to the caller-supplied `extraBuildInputs`: the setup-hook scripts
# from build-support/setup-hooks and the compiler `cc`.
defaultNativeBuildInputs = extraBuildInputs ++
  [ ../../build-support/setup-hooks/move-docs.sh
    ../../build-support/setup-hooks/compress-man-pages.sh
    ../../build-support/setup-hooks/strip.sh
    ../../build-support/setup-hooks/patch-shebangs.sh
    ../../build-support/setup-hooks/multiple-outputs.sh
    ../../build-support/setup-hooks/move-sbin.sh
    ../../build-support/setup-hooks/move-lib64.sh
    ../../build-support/setup-hooks/set-source-date-epoch-to-latest.sh
    cc
  ];
# `mkDerivation` wraps the builtin `derivation` function to
# produce derivations that use this stdenv and its shell.
#
# See also:
#
# * https://nixos.org/nixpkgs/manual/#sec-using-stdenv
# Details on how to use this mkDerivation function
#
# * https://nixos.org/nix/manual/#ssec-derivation
# Explanation about derivations in general
mkDerivation =
{ buildInputs ? []
, nativeBuildInputs ? []
, propagatedBuildInputs ? []
, propagatedNativeBuildInputs ? []
, crossConfig ? null
, meta ? {}
, passthru ? {}
, pos ? null # position used in error messages and for meta.position
, separateDebugInfo ? false
, outputs ? [ "out" ]
, __impureHostDeps ? []
, __propagatedImpureHostDeps ? []
, sandboxProfile ? ""
, propagatedSandboxProfile ? ""
, ... } @ attrs:
top-level: Introduce `buildPackages` for resolving build-time deps
[N.B., this package also applies to the commits that follow it in the same
PR.]
In most cases, buildPackages = pkgs so things work just as before. For
cross compiling, however, buildPackages is resolved as the previous
bootstrapping stage. This allows us to avoid the mkDerivation hacks cross
compiling currently uses today.
To avoid a massive refactor, callPackage will splice together both package
sets. Again to avoid churn, it uses the old `nativeDrv` vs `crossDrv` to do
so. So now, whether cross compiling or not, packages will get a `nativeDrv`
and `crossDrv`---in the non-cross-compiling case they are simply the same
derivation. This is good because it reduces the divergence between the
cross and non-cross dataflow. See `pkgs/top-level/splice.nix` for a comment
along the lines of the preceding paragraph, and the code that does this
splicing.
Also, `forceNativeDrv` is replaced with `forceNativePackages`. The latter
resolves `pkgs` unless the host platform is different from the build
platform, in which case it resolves to `buildPackages`. Note that the
target platform is not important here---it will not prevent
`forcedNativePackages` from resolving to `pkgs`.
--------
Temporarily, we preserve some dubious decisions in the name of preserving
hashes:
Most importantly, we don't distinguish between "host" and "target" in the
autoconf sense. This leads to the proliferation of *Cross derivations
currently used. What we ought to do is resolve native deps of the cross "build
packages" (build = host != target) package set against the "vanilla
packages" (build = host = target) package set. Instead, "build packages"
uses itself, with (informally) target != build in all cases.
This is wrong because it violates the "sliding window" principle of
bootstrapping stages that shifting the platform triple of one stage to the
left coincides with the next stage's platform triple. Only because we don't
explicitly distinguish between "host" and "target" does it appear that the
"sliding window" principle is preserved--indeed it is over the reductionary
"platform double" of just "build" and "host/target".
Additionally, we build libc, libgcc, etc in the same stage as the compilers
themselves, which is wrong because they are used at runtime, not build
time. Fixing this is somewhat subtle, and the solution and problem will be
better explained in the commit that does fix it.
Commits after this will solve both these issues, at the expense of breaking
cross hashes. Native hashes won't be broken, thankfully.
--------
Did the temporary ugliness pan out? Of the packages that currently build in
`release-cross.nix`, the only ones that have their hash changed are
`*.gcc.crossDrv` and `bootstrapTools.*.coreutilsMinimal`. In both cases I
think it doesn't matter.
1. GCC when doing a `build = host = target = foreign` build (maximally
cross), still defines environment variables like `CPATH`[1] with
packages. This seems assuredly wrong because whether gcc dynamically
links those, or the programs built by gcc dynamically link those---I
have no idea which case is reality---they should be foreign. Therefore,
in all likelihood, I just made the gcc less broken.
2. Coreutils (ab)used the old cross-compiling infrastructure to depend on
a native version of itself. When coreutils was overwritten to be built
with fewer features, the native version it used would also be
overwritten because the binding was tight. Now it uses the much looser
`BuildPackages.coreutils` which is just fine as a richer build dep
doesn't cause any problems and avoids a rebuild.
So, in conclusion I'd say the conservatism paid off. Onward to actually
raking the muck in the next PR!
[1]: https://gcc.gnu.org/onlinedocs/gcc/Environment-Variables.html
let # Rename arguments to avoid cycles: `let` is recursive, so the rebinding
    # below could not refer to the function parameter of the same name.
  buildInputs__ = buildInputs;
  nativeBuildInputs__ = nativeBuildInputs;
  propagatedBuildInputs__ = propagatedBuildInputs;
  propagatedNativeBuildInputs__ = propagatedNativeBuildInputs;
in let
  # Select the `nativeDrv` (native) or `crossDrv` (cross) variant of a
  # spliced dependency; a derivation without these attributes is passed
  # through unchanged.
  getNativeDrv = drv: drv.nativeDrv or drv;
  getCrossDrv = drv: drv.crossDrv or drv;
  # Native inputs resolve to nativeDrv, everything else to crossDrv.
  nativeBuildInputs = map getNativeDrv nativeBuildInputs__;
  buildInputs = map getCrossDrv buildInputs__;
  propagatedBuildInputs = map getCrossDrv propagatedBuildInputs__;
  propagatedNativeBuildInputs = map getNativeDrv propagatedNativeBuildInputs__;
in let
# Source position used in error messages and for `meta.position`: the
# caller's explicit `pos` if given, else the position of `meta.description`
# when present, else that of `name`. `unsafeGetAttrPos` may yield null when
# no position was recorded for the attribute.
pos' =
  let
    hasDescription = (attrs.meta.description or null) != null;
    inferred =
      if hasDescription
      then builtins.unsafeGetAttrPos "description" attrs.meta
      else builtins.unsafeGetAttrPos "name" attrs;
  in
  if pos == null then inferred else pos;
# Rendered form of pos' for messages, e.g. ‘/path/to/default.nix:20’.
pos'' =
  if pos' == null then "«unknown-file»"
  else "‘${pos'.file}:${toString pos'.line}’";
# Remediation text appended to the "refusing to evaluate" error, keyed by the
# `reason` returned from `checkValidity`. Each entry is a function of the
# derivation attrs; "blacklisted" and "unknown-meta" carry no hint.
remediation = {
  unfree = remediate_whitelist "Unfree";
  broken = remediate_whitelist "Broken";
  blacklisted = x: "";
  insecure = remediate_insecure;
  unknown-meta = x: "";
};
# Hint for the unfree/broken cases: tells the user which `allow<Attr>` option
# to set, both for NixOS (configuration.nix) and for plain Nix commands
# (~/.config/nixpkgs/config.nix). `allow_attr` is "Unfree" or "Broken";
# `attrs` is accepted for uniformity with the other remediations and unused.
remediate_whitelist = allow_attr: attrs:
  ''
    a) For `nixos-rebuild` you can set
      { nixpkgs.config.allow${allow_attr} = true; }
    in configuration.nix to override this.

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
      { allow${allow_attr} = true; }
    to ~/.config/nixpkgs/config.nix.
  '';
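# Hint for the insecure case: lists the declared `meta.knownVulnerabilities`
# and shows how to add this exact package name to `permittedInsecurePackages`,
# both for NixOS and for plain Nix commands.
remediate_insecure = attrs:
  let
    name = attrs.name or "«name-missing»";
    # One " - <issue>" line per entry, in declaration order. (`lib.fold` is a
    # right fold; building the text by appending each issue after the
    # accumulator would list the issues in reverse order.)
    issues = lib.concatMapStrings (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities;
  in
  ''

    Known issues:

  '' + issues + ''

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘${name}’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "${name}"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘${name}’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "${name}"
           ];
         }

  '';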
# Abort evaluation with a message naming the package and its position, the
# `errormsg` produced by `checkValidity`, and the remediation hint for
# `reason` (looked up in `remediation`; an unknown reason is itself an error).
throwEvalHelp = { reason, errormsg ? "" }:
  let
    header = ''
      Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate.

    '';
    hint = remediation.${reason} attrs;
  in throw (header + hint);
# Expected `lib.types` type of each recognised `meta` attribute; consulted by
# checkMetaAttr, which also rejects keys that are not listed here. `rec` lets
# later entries refer to earlier ones (isBuildPythonPackage reuses platforms).
metaTypes = with lib.types; rec {
  # These keys are documented
  description = str;
  longDescription = str;
  branch = str;
  homepage = str;
  downloadPage = str;
  # a single license attrset, a list of them, or a plain string
  license = either (listOf lib.types.attrs) (either lib.types.attrs str);
  maintainers = listOf str;
  priority = int;
  platforms = listOf str;
  hydraPlatforms = listOf str;
  broken = bool;

  # Weirder stuff that doesn't appear in the documentation?
  version = str;
  tag = str;
  updateWalker = bool;
  executables = listOf str;
  outputsToInstall = listOf str;
  position = str;
  repositories = attrsOf str;
  isBuildPythonPackage = platforms;
  schedulingPriority = str;
  downloadURLRegexp = str;
  isFcitxEngine = bool;
  isIbusEngine = bool;
};
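# Validate one `meta` attribute. Returns null when `k` is a known key whose
# value `v` satisfies its type, otherwise a human-readable error string.
# The offending value is rendered with `toJSON` when it is not a string:
# plain interpolation (`${v}`) only accepts strings and would itself abort
# evaluation for a mistyped int, bool, list or attrset — exactly the cases
# this check exists to report.
checkMetaAttr = k: v:
  let
    showValue = value: if builtins.isString value then value else builtins.toJSON value;
  in
  if metaTypes ? ${k} then
    (if metaTypes.${k}.check v then null
     else "key '${k}' has a value ${showValue v} of an invalid type ${builtins.typeOf v}; expected ${metaTypes.${k}.description}")
  else
    "key '${k}' is unrecognized; expected one of: \n\t [${lib.concatMapStringsSep ", " (x: "'${x}'") (lib.attrNames metaTypes)}]";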
# All validation errors for `meta` (one string per bad key, see
# checkMetaAttr), or [] when `config.checkMeta` is off.
checkMeta = meta: if shouldCheckMeta then lib.remove null (lib.mapAttrsToList checkMetaAttr meta) else [];
# Check if a derivation is valid, that is whether it passes checks for
# e.g brokenness or license.
#
# Return { valid: Bool } and additionally
# { reason: String; errormsg: String } if it is not valid, where
# reason is one of "unfree", "blacklisted", "broken", "insecure" or
# "unknown-meta" (each a key of `remediation`). The checks run in that
# order and the first failing one wins. `allowBroken` waives both the
# `meta.broken` and the `meta.platforms` check; `result.system` is bound
# outside this function.
checkValidity = attrs:
  let
    invalid = reason: errormsg: { valid = false; inherit reason errormsg; };
    licenseName = showLicense attrs.meta.license;
    unsupportedPlatform =
      (attrs.meta.platforms or null) != null
      && !(lib.lists.elem result.system attrs.meta.platforms);
    metaErrors = checkMeta (attrs.meta or {});
  in
  if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
    invalid "unfree" "has an unfree license (‘${licenseName}’)"
  else if hasBlacklistedLicense attrs then
    invalid "blacklisted" "has a blacklisted license (‘${licenseName}’)"
  else if !allowBroken && (attrs.meta.broken or false) then
    invalid "broken" "is marked as broken"
  else if !allowBroken && unsupportedPlatform then
    invalid "broken" "is not supported on ‘${result.system}’"
  else if !(hasAllowedInsecure attrs) then
    invalid "insecure" "is marked as insecure"
  else if metaErrors != [] then
    invalid "unknown-meta" "has an invalid meta attrset:${lib.concatMapStrings (x: "\n\t - " + x) metaErrors}"
  else
    { valid = true; };
# Output names of the derivation; a "debug" output is appended when
# `separateDebugInfo` is requested, which is asserted to be a Linux target.
outputs' =
  outputs ++
  (if separateDebugInfo then assert targetPlatform.isLinux; [ "debug" ] else []);
# Build inputs passed through lib.chooseDevOutputs, plus the
# separate-debug-info setup hook when `separateDebugInfo` is set.
buildInputs' = lib.chooseDevOutputs buildInputs ++
  (if separateDebugInfo then [ ../../build-support/setup-hooks/separate-debug-info.sh ] else []);
# The remaining input lists, normalised through lib.chooseDevOutputs
# (presumably selecting each input's "dev" output; the helper is not
# visible here).
nativeBuildInputs' = lib.chooseDevOutputs nativeBuildInputs;
propagatedBuildInputs' = lib.chooseDevOutputs propagatedBuildInputs;
propagatedNativeBuildInputs' = lib.chooseDevOutputs propagatedNativeBuildInputs;
in
# Throw an error if trying to evaluate a non-valid derivation
assert let v = checkValidity attrs;
in if !v.valid
then throwEvalHelp (removeAttrs v ["valid"])
else true;
lib.addPassthru (derivation (
(removeAttrs attrs
["meta" "passthru" "crossAttrs" "pos"
"__impureHostDeps" "__propagatedImpureHostDeps"
"sandboxProfile" "propagatedSandboxProfile"])
// (let
# Sandbox profile fragments and impure host paths contributed by the inputs.
# The non-propagated variants are gathered from all direct inputs (including
# the stdenv's own extraBuildInputs); the propagated variants only from the
# propagated inputs, so they can be re-exported as this derivation's own
# `__propagated*` attributes below.
computedSandboxProfile =
  lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs');
computedPropagatedSandboxProfile =
  lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs');
computedImpureHostDeps =
  lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs'));
computedPropagatedImpureHostDeps =
  lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs'));
in
{
builder = attrs.realBuilder or shell;
args = attrs.args or ["-e" (attrs.builder or ./default-builder.sh)];
stdenv = result;
system = result.system;
userHook = config.stdenv.userHook or null;
__ignoreNulls = true;
# Inputs built by the cross compiler.
buildInputs = buildInputs';
propagatedBuildInputs = propagatedBuildInputs';
# Inputs built by the usual native compiler.
nativeBuildInputs = nativeBuildInputs'
++ lib.optional
(hostPlatform.isCygwin
|| (crossConfig != null && lib.hasSuffix "mingw32" crossConfig))
../../build-support/setup-hooks/win-dll-link.sh
;
propagatedNativeBuildInputs = propagatedNativeBuildInputs';
} // ifDarwin {
# TODO: remove lib.unique once nix has a list canonicalization primitive
|
2015-11-21 20:06:41 +00:00
|
|
|
|
__sandboxProfile =
|
|
|
|
|
let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
in final;
__propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
__impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
"/dev/zero"
"/dev/random"
"/dev/urandom"
"/bin/sh"
];
__propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
} // (if outputs' != [ "out" ] then {
outputs = outputs';
} else { })))) (
{
overrideAttrs = f: mkDerivation (attrs // (f attrs));
# The meta attribute is passed in the resulting attribute set,
# but it's not part of the actual derivation, i.e., it's not
# passed to the builder and is not a dependency. But since we
# include it in the result, it *is* available to nix-env for queries.
meta = { }
# If the packager hasn't specified `outputsToInstall`, choose a default,
# which is the name of `p.bin or p.out or p`;
# if he has specified it, it will be overridden below in `// meta`.
# Note: This default probably shouldn't be globally configurable.
# Services and users should specify outputs explicitly,
# unless they are comfortable with this default.
// { outputsToInstall =
let
outs = outputs'; # the value passed to derivation primitive
hasOutput = out: builtins.elem out outs;
in [( lib.findFirst hasOutput null (["bin" "out"] ++ outs) )];
}
// meta
# Fill `meta.position` to identify the source location of the package.
// lib.optionalAttrs (pos' != null)
{ position = pos'.file + ":" + toString pos'.line; }
;
inherit passthru;
} //
# Pass through extra attributes that are not inputs, but
# should be made available to Nix expressions using the
# derivation (e.g., in assertions).
passthru);
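# The stdenv that we are producing: the stdenv `derivation` itself, extended
# with convenience attributes (platform flags, mkDerivation, lib, ...) that
# are attached to the result only and are not part of the derivation.
result =
  derivation (
  # `allowedRequisites` (null = unrestricted) tells Nix to fail the build if
  # the output's runtime closure contains any store path that is not in this
  # list, i.e. it pins down what the resulting stdenv may depend on.  The
  # defaultNativeBuildInputs are appended because the derivation inherits
  # them below, so they are always legitimate requisites.
  # (`isNull` is deprecated in favour of `== null`, hence optionalAttrs.)
  lib.optionalAttrs (allowedRequisites != null)
    { allowedRequisites = allowedRequisites ++ defaultNativeBuildInputs; } //
  {
    inherit system name;

    builder = shell;

    args = ["-e" ./builder.sh];

    setup = setupScript;

    inherit preHook initialPath shell defaultNativeBuildInputs;
  }
  # Darwin-only: sandbox profile and impure host paths of the stdenv
  # derivation itself (those of packages built *with* it are assembled in
  # mkDerivation above).
  // ifDarwin {
    __sandboxProfile = stdenvSandboxProfile;
    __impureHostDeps = __stdenvImpureHostDeps;
  })

  // rec {

    meta = {
      description = "The default build environment for Unix packages in Nixpkgs";
      platforms = lib.platforms.all;
    };

    # Utility flags to test the type of platform.  These describe the
    # *host* platform (the one the stdenv was built for).
    inherit (hostPlatform)
      isDarwin isLinux isSunOS isCygwin isFreeBSD isOpenBSD isi686 isx86_64
      is64bit isMips isBigEndian;
    isArm = hostPlatform.isArm32;
    isAarch64 = hostPlatform.isArm64;
    # Other code instead checks for anything using GNU userland,
    # e.g. GNU/linux. This refers just to GNU Hurd.
    # NOTE(review): `system` is taken from targetPlatform (see the top of the
    # file) whereas the flags above come from hostPlatform — confirm that the
    # mismatch is intended.
    isGNU = system == "i686-gnu";

    # Whether we should run paxctl to pax-mark binaries.
    needsPax = isLinux;

    inherit mkDerivation;

    # For convenience, bring in the library functions in lib/ so
    # packages don't have to do that themselves.
    inherit lib;

    inherit fetchurlBoot;

    inherit overrides;

    inherit cc;
  }

  # Propagate any extra attributes. For instance, we use this to
  # "lift" packages like curl from the final stdenv for Linux to
  # all-packages.nix for that platform (meaning that it has a line
  # like curl = if stdenv ? curl then stdenv.curl else ...).
  // extraAttrs;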
in result)