2015-01-24 19:40:40 +00:00
|
|
|
<chapter xmlns="http://docbook.org/ns/docbook"
|
2015-12-07 19:41:18 +00:00
|
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
|
|
xml:id="chap-packageconfig">
|
2018-05-01 23:54:21 +00:00
|
|
|
<title>Global configuration</title>
|
|
|
|
<para>
|
|
|
|
Nix comes with certain defaults about what packages can and cannot be
|
|
|
|
installed, based on a package's metadata. By default, Nix will prevent
|
|
|
|
installation if any of the following criteria are true:
|
|
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The package is thought to be broken, and has had its
|
|
|
|
<literal>meta.broken</literal> set to <literal>true</literal>.
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The package isn't intended to run on the given system, as none of its
|
|
|
|
<literal>meta.platforms</literal> match the given system.
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The package's <literal>meta.license</literal> is set to a license which is
|
|
|
|
considered to be unfree.
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The package has known security vulnerabilities but has not or can not be
|
|
|
|
updated for some reason, and a list of issues has been entered in to the
|
|
|
|
package's <literal>meta.knownVulnerabilities</literal>.
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
|
|
Note that all this is checked during evaluation already, and the check
|
|
|
|
includes any package that is evaluated. In particular, all build-time
|
|
|
|
dependencies are checked. <literal>nix-env -qa</literal> will (attempt to)
|
|
|
|
hide any packages that would be refused.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
Each of these criteria can be altered in the nixpkgs configuration.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
The nixpkgs configuration for a NixOS system is set in the
|
|
|
|
<literal>configuration.nix</literal>, as in the following example:
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
nixpkgs.config = {
|
|
|
|
allowUnfree = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
However, this does not allow unfree software for individual users. Their
|
|
|
|
configurations are managed separately.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
A user's of nixpkgs configuration is stored in a user-specific configuration
|
|
|
|
file located at <filename>~/.config/nixpkgs/config.nix</filename>. For
|
|
|
|
example:
|
2015-12-07 19:41:18 +00:00
|
|
|
<programlisting>
|
|
|
|
{
|
2015-02-15 17:29:52 +00:00
|
|
|
allowUnfree = true;
|
2015-12-07 19:41:18 +00:00
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
Note that we are not able to test or build unfree software on Hydra due to
|
|
|
|
policy. Most unfree licenses prohibit us from either executing or
|
|
|
|
distributing the software.
|
|
|
|
</para>
|
|
|
|
<section xml:id="sec-allow-broken">
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<title>Installing broken packages</title>
|
2015-12-07 19:41:18 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
There are two ways to try compiling a package which has been marked as
|
|
|
|
broken.
|
|
|
|
</para>
|
2015-12-07 19:41:18 +00:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<itemizedlist>
|
2018-05-01 23:54:21 +00:00
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
For allowing the build of a broken package once, you can use an
|
|
|
|
environment variable for a single invocation of the nix tools:
|
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_BROKEN=1</programlisting>
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
For permanently allowing broken packages to be built, you may add
|
|
|
|
<literal>allowBroken = true;</literal> to your user's configuration file,
|
|
|
|
like this:
|
2017-02-26 09:31:55 +00:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
{
|
|
|
|
allowBroken = true;
|
2017-02-26 09:31:55 +00:00
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
</listitem>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
</itemizedlist>
|
2018-05-01 23:54:21 +00:00
|
|
|
</section>
|
|
|
|
<section xml:id="sec-allow-unsupported-system">
|
2018-04-17 20:08:21 +00:00
|
|
|
<title>Installing packages on unsupported systems</title>
|
|
|
|
|
|
|
|
<para>
|
2018-05-01 23:54:21 +00:00
|
|
|
There are also two ways to try compiling a package which has been marked as
|
|
|
|
unsuported for the given system.
|
2018-04-17 20:08:21 +00:00
|
|
|
</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
2018-05-01 23:54:21 +00:00
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
For allowing the build of a broken package once, you can use an
|
|
|
|
environment variable for a single invocation of the nix tools:
|
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</programlisting>
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
For permanently allowing broken packages to be built, you may add
|
|
|
|
<literal>allowUnsupportedSystem = true;</literal> to your user's
|
|
|
|
configuration file, like this:
|
2018-04-17 20:08:21 +00:00
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
allowUnsupportedSystem = true;
|
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
</listitem>
|
2018-04-17 20:08:21 +00:00
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>
|
2018-11-19 05:10:39 +00:00
|
|
|
The difference between a package being unsupported on some system and
|
2018-05-01 23:54:21 +00:00
|
|
|
being broken is admittedly a bit fuzzy. If a program
|
|
|
|
<emphasis>ought</emphasis> to work on a certain platform, but doesn't, the
|
|
|
|
platform should be included in <literal>meta.platforms</literal>, but marked
|
|
|
|
as broken with e.g. <literal>meta.broken =
|
|
|
|
!hostPlatform.isWindows</literal>. Of course, this begs the question of what
|
|
|
|
"ought" means exactly. That is left to the package maintainer.
|
2018-04-17 20:08:21 +00:00
|
|
|
</para>
|
2018-05-01 23:54:21 +00:00
|
|
|
</section>
|
|
|
|
<section xml:id="sec-allow-unfree">
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<title>Installing unfree packages</title>
|
2015-12-07 19:41:18 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
There are several ways to tweak how Nix handles a package which has been
|
|
|
|
marked as unfree.
|
|
|
|
</para>
|
2015-12-07 19:41:18 +00:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<itemizedlist>
|
2018-05-01 23:54:21 +00:00
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
To temporarily allow all unfree packages, you can use an environment
|
|
|
|
variable for a single invocation of the nix tools:
|
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_UNFREE=1</programlisting>
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
It is possible to permanently allow individual unfree packages, while
|
|
|
|
still blocking unfree packages by default using the
|
|
|
|
<literal>allowUnfreePredicate</literal> configuration option in the user
|
|
|
|
configuration file.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
This option is a function which accepts a package as a parameter, and
|
|
|
|
returns a boolean. The following example configuration accepts a package
|
|
|
|
and always returns false:
|
2015-12-07 19:41:18 +00:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
{
|
|
|
|
allowUnfreePredicate = (pkg: false);
|
|
|
|
}
|
2015-12-07 19:41:18 +00:00
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
<para>
|
2018-11-19 05:10:39 +00:00
|
|
|
For a more useful example, try the following. This configuration
|
|
|
|
only allows unfree packages named flash player and visual studio
|
|
|
|
code:
|
2015-12-07 19:41:18 +00:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
{
|
2018-11-19 05:10:39 +00:00
|
|
|
allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
}
|
2015-12-07 19:41:18 +00:00
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
It is also possible to whitelist and blacklist licenses that are
|
|
|
|
specifically acceptable or not acceptable, using
|
|
|
|
<literal>whitelistedLicenses</literal> and
|
|
|
|
<literal>blacklistedLicenses</literal>, respectively.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
The following example configuration whitelists the licenses
|
|
|
|
<literal>amd</literal> and <literal>wtfpl</literal>:
|
2015-12-07 19:41:18 +00:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
{
|
|
|
|
whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
|
|
|
|
}
|
2015-12-07 19:41:18 +00:00
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
The following example configuration blacklists the <literal>gpl3</literal>
|
|
|
|
and <literal>agpl3</literal> licenses:
|
2015-12-07 19:41:18 +00:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
{
|
|
|
|
blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
|
|
|
|
}
|
2015-12-07 19:41:18 +00:00
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
</listitem>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
</itemizedlist>
|
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
A complete list of licenses can be found in the file
|
|
|
|
<filename>lib/licenses.nix</filename> of the nixpkgs tree.
|
|
|
|
</para>
|
|
|
|
</section>
|
|
|
|
<section xml:id="sec-allow-insecure">
|
|
|
|
<title>Installing insecure packages</title>
|
2015-12-07 19:41:18 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
There are several ways to tweak how Nix handles a package which has been
|
|
|
|
marked as insecure.
|
|
|
|
</para>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
|
|
|
|
<itemizedlist>
|
2018-05-01 23:54:21 +00:00
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
To temporarily allow all insecure packages, you can use an environment
|
|
|
|
variable for a single invocation of the nix tools:
|
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_INSECURE=1</programlisting>
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
It is possible to permanently allow individual insecure packages, while
|
|
|
|
still blocking other insecure packages by default using the
|
|
|
|
<literal>permittedInsecurePackages</literal> configuration option in the
|
|
|
|
user configuration file.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
The following example configuration permits the installation of the
|
|
|
|
hypothetically insecure package <literal>hello</literal>, version
|
|
|
|
<literal>1.2.3</literal>:
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
permittedInsecurePackages = [
|
|
|
|
"hello-1.2.3"
|
|
|
|
];
|
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
It is also possible to create a custom policy around which insecure
|
|
|
|
packages to allow and deny, by overriding the
|
|
|
|
<literal>allowInsecurePredicate</literal> configuration option.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
The <literal>allowInsecurePredicate</literal> option is a function which
|
|
|
|
accepts a package and returns a boolean, much like
|
|
|
|
<literal>allowUnfreePredicate</literal>.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
The following configuration example only allows insecure packages with
|
|
|
|
very short names:
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) <= 5);
|
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
Note that <literal>permittedInsecurePackages</literal> is only checked if
|
|
|
|
<literal>allowInsecurePredicate</literal> is not specified.
|
|
|
|
</para>
|
|
|
|
</listitem>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
|
|
|
</itemizedlist>
|
2018-05-01 23:54:21 +00:00
|
|
|
</section>
|
2015-12-07 19:41:18 +00:00
|
|
|
<!--============================================================-->
|
2018-05-01 23:54:21 +00:00
|
|
|
<section xml:id="sec-modify-via-packageOverrides">
|
|
|
|
<title>Modify packages via <literal>packageOverrides</literal></title>
|
2015-04-20 15:54:39 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
You can define a function called <varname>packageOverrides</varname> in your
|
2018-11-19 05:10:39 +00:00
|
|
|
local <filename>~/.config/nixpkgs/config.nix</filename> to override Nix
|
|
|
|
packages. It must be a function that takes pkgs as an argument and returns a
|
2018-05-01 23:54:21 +00:00
|
|
|
modified set of packages.
|
2015-12-07 19:41:18 +00:00
|
|
|
<programlisting>
|
|
|
|
{
|
2015-04-20 21:09:45 +00:00
|
|
|
packageOverrides = pkgs: rec {
|
|
|
|
foo = pkgs.foo.override { ... };
|
|
|
|
};
|
2015-12-07 19:41:18 +00:00
|
|
|
}
|
|
|
|
</programlisting>
|
2018-05-01 23:54:21 +00:00
|
|
|
</para>
|
|
|
|
</section>
|
|
|
|
<section xml:id="sec-declarative-package-management">
|
2017-05-21 03:25:05 +00:00
|
|
|
<title>Declarative Package Management</title>
|
|
|
|
|
|
|
|
<section xml:id="sec-building-environment">
|
2018-05-01 23:54:21 +00:00
|
|
|
<title>Build an environment</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Using <literal>packageOverrides</literal>, it is possible to manage
|
|
|
|
packages declaratively. This means that we can list all of our desired
|
|
|
|
packages within a declarative Nix expression. For example, to have
|
|
|
|
<literal>aspell</literal>, <literal>bc</literal>,
|
|
|
|
<literal>ffmpeg</literal>, <literal>coreutils</literal>,
|
|
|
|
<literal>gdb</literal>, <literal>nixUnstable</literal>,
|
|
|
|
<literal>emscripten</literal>, <literal>jq</literal>,
|
|
|
|
<literal>nox</literal>, and <literal>silver-searcher</literal>, we could
|
|
|
|
use the following in <filename>~/.config/nixpkgs/config.nix</filename>:
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; {
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
2018-09-03 15:13:02 +00:00
|
|
|
</screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
To install it into our environment, you can just run <literal>nix-env -iA
|
|
|
|
nixpkgs.myPackages</literal>. If you want to load the packages to be built
|
|
|
|
from a working copy of <literal>nixpkgs</literal> you just run
|
|
|
|
<literal>nix-env -f. -iA myPackages</literal>. To explore what's been
|
|
|
|
installed, just look through <filename>~/.nix-profile/</filename>. You can
|
|
|
|
see that a lot of stuff has been installed. Some of this stuff is useful
|
|
|
|
some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; {
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ];
|
|
|
|
pathsToLink = [ "/share" "/bin" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
2018-09-03 15:13:02 +00:00
|
|
|
</screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
<literal>pathsToLink</literal> tells Nixpkgs to only link the paths listed
|
|
|
|
which gets rid of the extra stuff in the profile. <filename>/bin</filename>
|
|
|
|
and <filename>/share</filename> are good defaults for a user environment,
|
|
|
|
getting rid of the clutter. If you are running on Nix on MacOS, you may
|
|
|
|
want to add another path as well, <filename>/Applications</filename>, that
|
|
|
|
makes GUI apps available.
|
|
|
|
</para>
|
2017-05-21 03:25:05 +00:00
|
|
|
</section>
|
|
|
|
|
|
|
|
<section xml:id="sec-getting-documentation">
|
2018-05-01 23:54:21 +00:00
|
|
|
<title>Getting documentation</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
After building that new environment, look through
|
|
|
|
<filename>~/.nix-profile</filename> to make sure everything is there that
|
|
|
|
we wanted. Discerning readers will note that some files are missing. Look
|
|
|
|
inside <filename>~/.nix-profile/share/man/man1/</filename> to verify this.
|
|
|
|
There are no man pages for any of the Nix tools! This is because some
|
|
|
|
packages like Nix have multiple outputs for things like documentation (see
|
|
|
|
section 4). Let's make Nix install those as well.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; {
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [ aspell bc coreutils ffmpeg nixUnstable emscripten jq nox silver-searcher ];
|
2018-05-11 19:31:56 +00:00
|
|
|
pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
|
2017-05-21 03:25:05 +00:00
|
|
|
extraOutputsToInstall = [ "man" "doc" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
2018-09-03 15:13:02 +00:00
|
|
|
</screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
This provides us with some useful documentation for using our packages.
|
|
|
|
However, if we actually want those manpages to be detected by man, we need
|
|
|
|
to set up our environment. This can also be managed within Nix expressions.
|
|
|
|
</para>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; rec {
|
|
|
|
myProfile = writeText "my-profile" ''
|
2018-09-03 15:13:02 +00:00
|
|
|
export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
|
|
export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
|
2017-05-21 03:25:05 +00:00
|
|
|
'';
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [
|
|
|
|
(runCommand "profile" {} ''
|
2018-09-03 15:13:02 +00:00
|
|
|
mkdir -p $out/etc/profile.d
|
|
|
|
cp ${myProfile} $out/etc/profile.d/my-profile.sh
|
2017-05-21 03:25:05 +00:00
|
|
|
'')
|
|
|
|
aspell
|
|
|
|
bc
|
|
|
|
coreutils
|
|
|
|
ffmpeg
|
|
|
|
man
|
|
|
|
nixUnstable
|
|
|
|
emscripten
|
|
|
|
jq
|
|
|
|
nox
|
|
|
|
silver-searcher
|
|
|
|
];
|
2018-05-11 19:31:56 +00:00
|
|
|
pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
|
2017-05-21 03:25:05 +00:00
|
|
|
extraOutputsToInstall = [ "man" "doc" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
2018-09-03 15:13:02 +00:00
|
|
|
</screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
For this to work fully, you must also have this script sourced when you are
|
|
|
|
logged in. Try adding something like this to your
|
|
|
|
<filename>~/.profile</filename> file:
|
|
|
|
</para>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
#!/bin/sh
|
|
|
|
if [ -d $HOME/.nix-profile/etc/profile.d ]; then
|
|
|
|
for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
|
|
|
|
if [ -r $i ]; then
|
|
|
|
. $i
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
2018-09-03 15:13:02 +00:00
|
|
|
</screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
Now just run <literal>source $HOME/.profile</literal> and you can starting
|
|
|
|
loading man pages from your environent.
|
|
|
|
</para>
|
2017-05-21 03:25:05 +00:00
|
|
|
</section>
|
2018-04-17 20:08:21 +00:00
|
|
|
|
2017-05-21 03:25:05 +00:00
|
|
|
<section xml:id="sec-gnu-info-setup">
|
2018-05-01 23:54:21 +00:00
|
|
|
<title>GNU info setup</title>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
Configuring GNU info is a little bit trickier than man pages. To work
|
|
|
|
correctly, info needs a database to be generated. This can be done with
|
|
|
|
some small modifications to our environment scripts.
|
|
|
|
</para>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; rec {
|
|
|
|
myProfile = writeText "my-profile" ''
|
2018-09-03 15:13:02 +00:00
|
|
|
export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
|
|
export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
|
|
|
|
export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
|
2017-05-21 03:25:05 +00:00
|
|
|
'';
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [
|
|
|
|
(runCommand "profile" {} ''
|
2018-09-03 15:13:02 +00:00
|
|
|
mkdir -p $out/etc/profile.d
|
|
|
|
cp ${myProfile} $out/etc/profile.d/my-profile.sh
|
2017-05-21 03:25:05 +00:00
|
|
|
'')
|
|
|
|
aspell
|
|
|
|
bc
|
|
|
|
coreutils
|
|
|
|
ffmpeg
|
|
|
|
man
|
|
|
|
nixUnstable
|
|
|
|
emscripten
|
|
|
|
jq
|
|
|
|
nox
|
|
|
|
silver-searcher
|
|
|
|
texinfoInteractive
|
|
|
|
];
|
|
|
|
pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
|
|
|
|
extraOutputsToInstall = [ "man" "doc" "info" ];
|
|
|
|
postBuild = ''
|
2018-09-03 15:13:02 +00:00
|
|
|
if [ -x $out/bin/install-info -a -w $out/share/info ]; then
|
|
|
|
shopt -s nullglob
|
|
|
|
for i in $out/share/info/*.info $out/share/info/*.info.gz; do
|
|
|
|
$out/bin/install-info $i $out/share/info/dir
|
|
|
|
done
|
|
|
|
fi
|
2017-05-21 03:25:05 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
2018-09-03 15:13:02 +00:00
|
|
|
</screen>
|
2017-05-21 03:25:05 +00:00
|
|
|
|
2018-05-01 23:54:21 +00:00
|
|
|
<para>
|
|
|
|
<literal>postBuild</literal> tells Nixpkgs to run a command after building
|
|
|
|
the environment. In this case, <literal>install-info</literal> adds the
|
|
|
|
installed info pages to <literal>dir</literal> which is GNU info's default
|
|
|
|
root node. Note that <literal>texinfoInteractive</literal> is added to the
|
|
|
|
environment to give the <literal>install-info</literal> command.
|
|
|
|
</para>
|
2017-05-21 03:25:05 +00:00
|
|
|
</section>
|
2018-05-01 23:54:21 +00:00
|
|
|
</section>
|
2015-04-20 15:54:39 +00:00
|
|
|
</chapter>
|