2015-01-24 19:40:40 +00:00
<chapter xmlns= "http://docbook.org/ns/docbook"
2015-12-07 19:41:18 +00:00
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="chap-packageconfig">
2018-05-01 23:54:21 +00:00
<title > Global configuration</title>
<para >
2019-09-18 20:12:54 +00:00
Nix comes with certain defaults about what packages can and cannot be installed, based on a package's metadata. By default, Nix will prevent installation if any of the following criteria are true:
2018-05-01 23:54:21 +00:00
</para>
<itemizedlist >
<listitem >
<para >
2019-09-18 20:12:54 +00:00
The package is thought to be broken, and has had its <literal > meta.broken</literal> set to <literal > true</literal> .
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
The package isn't intended to run on the given system, as none of its <literal > meta.platforms</literal> match the given system.
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
The package's <literal > meta.license</literal> is set to a license which is considered to be unfree.
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package's <literal > meta.knownVulnerabilities</literal> .
2018-05-01 23:54:21 +00:00
</para>
</listitem>
</itemizedlist>
<para >
2019-09-18 20:12:54 +00:00
Note that all this is checked during evaluation already, and the check includes any package that is evaluated. In particular, all build-time dependencies are checked. <literal > nix-env -qa</literal> will (attempt to) hide any packages that would be refused.
2018-05-01 23:54:21 +00:00
</para>
<para >
Each of these criteria can be altered in the nixpkgs configuration.
</para>
<para >
2019-09-18 20:12:54 +00:00
The nixpkgs configuration for a NixOS system is set in the <literal > configuration.nix</literal> , as in the following example:
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<programlisting >
{
nixpkgs.config = {
allowUnfree = true;
};
}
</programlisting>
2019-09-18 20:12:54 +00:00
However, this does not allow unfree software for individual users. Their configurations are managed separately.
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-10-15 13:52:31 +00:00
A user's nixpkgs configuration is stored in a user-specific configuration file located at <filename > ~/.config/nixpkgs/config.nix</filename> . For example:
2015-12-07 19:41:18 +00:00
<programlisting >
{
2015-02-15 17:29:52 +00:00
allowUnfree = true;
2015-12-07 19:41:18 +00:00
}
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
Note that we are not able to test or build unfree software on Hydra due to policy. Most unfree licenses prohibit us from either executing or distributing the software.
2018-05-01 23:54:21 +00:00
</para>
<section xml:id= "sec-allow-broken" >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<title > Installing broken packages</title>
2015-12-07 19:41:18 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
There are two ways to try compiling a package which has been marked as broken.
2018-05-01 23:54:21 +00:00
</para>
2015-12-07 19:41:18 +00:00
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<itemizedlist >
2018-05-01 23:54:21 +00:00
<listitem >
<para >
2019-09-18 20:12:54 +00:00
For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools:
2020-09-22 22:38:04 +00:00
<screen > <prompt > $ </prompt> export NIXPKGS_ALLOW_BROKEN=1</screen>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
For permanently allowing broken packages to be built, you may add <literal > allowBroken = true;</literal> to your user's configuration file, like this:
2017-02-26 09:31:55 +00:00
<programlisting >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
{
allowBroken = true;
2017-02-26 09:31:55 +00:00
}
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
</itemizedlist>
2018-05-01 23:54:21 +00:00
</section>
<section xml:id= "sec-allow-unsupported-system" >
2018-04-17 20:08:21 +00:00
<title > Installing packages on unsupported systems</title>
<para >
2020-07-01 15:54:22 +00:00
There are also two ways to try compiling a package which has been marked as unsupported for the given system.
2018-04-17 20:08:21 +00:00
</para>
<itemizedlist >
2018-05-01 23:54:21 +00:00
<listitem >
<para >
2020-07-01 15:54:22 +00:00
For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools:
2020-09-22 22:38:04 +00:00
<screen > <prompt > $ </prompt> export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</screen>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2020-07-01 15:54:22 +00:00
For permanently allowing unsupported packages to be built, you may add <literal > allowUnsupportedSystem = true;</literal> to your user's configuration file, like this:
2018-04-17 20:08:21 +00:00
<programlisting >
{
allowUnsupportedSystem = true;
}
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
2018-04-17 20:08:21 +00:00
</itemizedlist>
<para >
2019-09-18 20:12:54 +00:00
The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program <emphasis > ought</emphasis> to work on a certain platform, but doesn't, the platform should be included in <literal > meta.platforms</literal> , but marked as broken with e.g. <literal > meta.broken = !hostPlatform.isWindows</literal> . Of course, this begs the question of what "ought" means exactly. That is left to the package maintainer.
2018-04-17 20:08:21 +00:00
</para>
2018-05-01 23:54:21 +00:00
</section>
<section xml:id= "sec-allow-unfree" >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<title > Installing unfree packages</title>
2015-12-07 19:41:18 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
There are several ways to tweak how Nix handles a package which has been marked as unfree.
2018-05-01 23:54:21 +00:00
</para>
2015-12-07 19:41:18 +00:00
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<itemizedlist >
2018-05-01 23:54:21 +00:00
<listitem >
<para >
2019-09-18 20:12:54 +00:00
To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:
2020-09-22 22:38:04 +00:00
<screen > <prompt > $ </prompt> export NIXPKGS_ALLOW_UNFREE=1</screen>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the <literal > allowUnfreePredicate</literal> configuration option in the user configuration file.
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false:
2015-12-07 19:41:18 +00:00
<programlisting >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
{
allowUnfreePredicate = (pkg: false);
}
2015-12-07 19:41:18 +00:00
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
<para >
2021-02-07 22:04:03 +00:00
For a more useful example, try the following. This configuration only allows unfree packages named roon-server and visual studio code:
2015-12-07 19:41:18 +00:00
<programlisting >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
{
2019-11-24 17:22:28 +00:00
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
2021-02-07 22:04:03 +00:00
"roon-server"
2019-11-24 17:22:28 +00:00
"vscode"
];
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
}
2015-12-07 19:41:18 +00:00
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
It is also possible to whitelist and blacklist licenses that are specifically acceptable or not acceptable, using <literal > whitelistedLicenses</literal> and <literal > blacklistedLicenses</literal> , respectively.
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
The following example configuration whitelists the licenses <literal > amd</literal> and <literal > wtfpl</literal> :
2015-12-07 19:41:18 +00:00
<programlisting >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
{
2021-01-10 21:30:22 +00:00
whitelistedLicenses = with lib.licenses; [ amd wtfpl ];
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
}
2015-12-07 19:41:18 +00:00
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
<para >
2020-07-05 15:51:30 +00:00
The following example configuration blacklists the <literal > gpl3Only</literal> and <literal > agpl3Only</literal> licenses:
2015-12-07 19:41:18 +00:00
<programlisting >
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
{
2021-01-10 21:30:22 +00:00
blacklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
}
2015-12-07 19:41:18 +00:00
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
2020-11-28 09:25:13 +00:00
<para >
Note that <literal > whitelistedLicenses</literal> only applies to unfree licenses unless <literal > allowUnfree</literal> is enabled. It is not a generic whitelist for all types of licenses. <literal > blacklistedLicenses</literal> applies to all licenses.
</para>
2018-05-01 23:54:21 +00:00
</listitem>
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
</itemizedlist>
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
A complete list of licenses can be found in the file <filename > lib/licenses.nix</filename> of the nixpkgs tree.
2018-05-01 23:54:21 +00:00
</para>
</section>
<section xml:id= "sec-allow-insecure" >
<title > Installing insecure packages</title>
2015-12-07 19:41:18 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
There are several ways to tweak how Nix handles a package which has been marked as insecure.
2018-05-01 23:54:21 +00:00
</para>
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<itemizedlist >
2018-05-01 23:54:21 +00:00
<listitem >
<para >
2019-09-18 20:12:54 +00:00
To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools:
2020-09-22 22:38:04 +00:00
<screen > <prompt > $ </prompt> export NIXPKGS_ALLOW_INSECURE=1</screen>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the <literal > permittedInsecurePackages</literal> configuration option in the user configuration file.
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
The following example configuration permits the installation of the hypothetically insecure package <literal > hello</literal> , version <literal > 1.2.3</literal> :
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<programlisting >
{
permittedInsecurePackages = [
"hello-1.2.3"
];
}
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
</listitem>
<listitem >
<para >
2019-09-18 20:12:54 +00:00
It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the <literal > allowInsecurePredicate</literal> configuration option.
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
The <literal > allowInsecurePredicate</literal> option is a function which accepts a package and returns a boolean, much like <literal > allowUnfreePredicate</literal> .
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
The following configuration example only allows insecure packages with very short names:
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<programlisting >
{
2019-11-24 17:36:17 +00:00
allowInsecurePredicate = pkg: builtins.stringLength (lib.getName pkg) < = 5;
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
}
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
<para >
2019-09-18 20:12:54 +00:00
Note that <literal > permittedInsecurePackages</literal> is only checked if <literal > allowInsecurePredicate</literal> is not specified.
2018-05-01 23:54:21 +00:00
</para>
</listitem>
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
</itemizedlist>
2018-05-01 23:54:21 +00:00
</section>
2015-12-07 19:41:18 +00:00
<!-- ============================================================ -->
2018-05-01 23:54:21 +00:00
<section xml:id= "sec-modify-via-packageOverrides" >
<title > Modify packages via <literal > packageOverrides</literal> </title>
2015-04-20 15:54:39 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
You can define a function called <varname > packageOverrides</varname> in your local <filename > ~/.config/nixpkgs/config.nix</filename> to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages.
2015-12-07 19:41:18 +00:00
<programlisting >
{
2015-04-20 21:09:45 +00:00
packageOverrides = pkgs: rec {
foo = pkgs.foo.override { ... };
};
2015-12-07 19:41:18 +00:00
}
</programlisting>
2018-05-01 23:54:21 +00:00
</para>
</section>
<section xml:id= "sec-declarative-package-management" >
2017-05-21 03:25:05 +00:00
<title > Declarative Package Management</title>
<section xml:id= "sec-building-environment" >
2018-05-01 23:54:21 +00:00
<title > Build an environment</title>
<para >
2019-09-18 20:12:54 +00:00
Using <literal > packageOverrides</literal> , it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have <literal > aspell</literal> , <literal > bc</literal> , <literal > ffmpeg</literal> , <literal > coreutils</literal> , <literal > gdb</literal> , <literal > nixUnstable</literal> , <literal > emscripten</literal> , <literal > jq</literal> , <literal > nox</literal> , and <literal > silver-searcher</literal> , we could use the following in <filename > ~/.config/nixpkgs/config.nix</filename> :
2018-05-01 23:54:21 +00:00
</para>
<screen >
2017-05-21 03:25:05 +00:00
{
packageOverrides = pkgs: with pkgs; {
myPackages = pkgs.buildEnv {
name = "my-packages";
2019-01-08 09:02:44 +00:00
paths = [
aspell
bc
coreutils
gdb
ffmpeg
nixUnstable
emscripten
jq
nox
silver-searcher
];
2017-05-21 03:25:05 +00:00
};
};
}
2018-09-03 15:13:02 +00:00
</screen>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
To install it into our environment, you can just run <literal > nix-env -iA nixpkgs.myPackages</literal> . If you want to load the packages to be built from a working copy of <literal > nixpkgs</literal> you just run <literal > nix-env -f. -iA myPackages</literal> . To explore what's been installed, just look through <filename > ~/.nix-profile/</filename> . You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:
2018-05-01 23:54:21 +00:00
</para>
<screen >
2017-05-21 03:25:05 +00:00
{
packageOverrides = pkgs: with pkgs; {
myPackages = pkgs.buildEnv {
name = "my-packages";
2019-01-08 09:02:44 +00:00
paths = [
aspell
bc
coreutils
gdb
ffmpeg
nixUnstable
emscripten
jq
nox
silver-searcher
];
2017-05-21 03:25:05 +00:00
pathsToLink = [ "/share" "/bin" ];
};
};
}
2018-09-03 15:13:02 +00:00
</screen>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
<literal > pathsToLink</literal> tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. <filename > /bin</filename> and <filename > /share</filename> are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, <filename > /Applications</filename> , that makes GUI apps available.
2018-05-01 23:54:21 +00:00
</para>
2017-05-21 03:25:05 +00:00
</section>
<section xml:id= "sec-getting-documentation" >
2018-05-01 23:54:21 +00:00
<title > Getting documentation</title>
<para >
2019-09-18 20:12:54 +00:00
After building that new environment, look through <filename > ~/.nix-profile</filename> to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside <filename > ~/.nix-profile/share/man/man1/</filename> to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let's make Nix install those as well.
2018-05-01 23:54:21 +00:00
</para>
<screen >
2017-05-21 03:25:05 +00:00
{
packageOverrides = pkgs: with pkgs; {
myPackages = pkgs.buildEnv {
name = "my-packages";
2019-01-08 09:02:44 +00:00
paths = [
aspell
bc
coreutils
ffmpeg
nixUnstable
emscripten
jq
nox
silver-searcher
];
2018-05-11 19:31:56 +00:00
pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
2017-05-21 03:25:05 +00:00
extraOutputsToInstall = [ "man" "doc" ];
};
};
}
2018-09-03 15:13:02 +00:00
</screen>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
This provides us with some useful documentation for using our packages. However, if we actually want those manpages to be detected by man, we need to set up our environment. This can also be managed within Nix expressions.
2018-05-01 23:54:21 +00:00
</para>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<screen >
2017-05-21 03:25:05 +00:00
{
packageOverrides = pkgs: with pkgs; rec {
myProfile = writeText "my-profile" ''
2018-09-03 15:13:02 +00:00
export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
2017-05-21 03:25:05 +00:00
'';
myPackages = pkgs.buildEnv {
name = "my-packages";
paths = [
(runCommand "profile" {} ''
2018-09-03 15:13:02 +00:00
mkdir -p $out/etc/profile.d
cp ${myProfile} $out/etc/profile.d/my-profile.sh
2017-05-21 03:25:05 +00:00
'')
aspell
bc
coreutils
ffmpeg
man
nixUnstable
emscripten
jq
nox
silver-searcher
];
2018-05-11 19:31:56 +00:00
pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
2017-05-21 03:25:05 +00:00
extraOutputsToInstall = [ "man" "doc" ];
};
};
}
2018-09-03 15:13:02 +00:00
</screen>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
For this to work fully, you must also have this script sourced when you are logged in. Try adding something like this to your <filename > ~/.profile</filename> file:
2018-05-01 23:54:21 +00:00
</para>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<screen >
2017-05-21 03:25:05 +00:00
#!/bin/sh
if [ -d $HOME/.nix-profile/etc/profile.d ]; then
for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
if [ -r $i ]; then
. $i
fi
done
fi
2018-09-03 15:13:02 +00:00
</screen>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2020-06-08 20:34:50 +00:00
Now just run <literal > source $HOME/.profile</literal> and you can starting loading man pages from your environment.
2018-05-01 23:54:21 +00:00
</para>
2017-05-21 03:25:05 +00:00
</section>
2018-04-17 20:08:21 +00:00
2017-05-21 03:25:05 +00:00
<section xml:id= "sec-gnu-info-setup" >
2018-05-01 23:54:21 +00:00
<title > GNU info setup</title>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
Configuring GNU info is a little bit trickier than man pages. To work correctly, info needs a database to be generated. This can be done with some small modifications to our environment scripts.
2018-05-01 23:54:21 +00:00
</para>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<screen >
2017-05-21 03:25:05 +00:00
{
packageOverrides = pkgs: with pkgs; rec {
myProfile = writeText "my-profile" ''
2018-09-03 15:13:02 +00:00
export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
2017-05-21 03:25:05 +00:00
'';
myPackages = pkgs.buildEnv {
name = "my-packages";
paths = [
(runCommand "profile" {} ''
2018-09-03 15:13:02 +00:00
mkdir -p $out/etc/profile.d
cp ${myProfile} $out/etc/profile.d/my-profile.sh
2017-05-21 03:25:05 +00:00
'')
aspell
bc
coreutils
ffmpeg
man
nixUnstable
emscripten
jq
nox
silver-searcher
texinfoInteractive
];
pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
extraOutputsToInstall = [ "man" "doc" "info" ];
postBuild = ''
2018-09-03 15:13:02 +00:00
if [ -x $out/bin/install-info -a -w $out/share/info ]; then
shopt -s nullglob
for i in $out/share/info/*.info $out/share/info/*.info.gz; do
$out/bin/install-info $i $out/share/info/dir
done
fi
2017-05-21 03:25:05 +00:00
'';
};
};
}
2018-09-03 15:13:02 +00:00
</screen>
2017-05-21 03:25:05 +00:00
2018-05-01 23:54:21 +00:00
<para >
2019-09-18 20:12:54 +00:00
<literal > postBuild</literal> tells Nixpkgs to run a command after building the environment. In this case, <literal > install-info</literal> adds the installed info pages to <literal > dir</literal> which is GNU info's default root node. Note that <literal > texinfoInteractive</literal> is added to the environment to give the <literal > install-info</literal> command.
2018-05-01 23:54:21 +00:00
</para>
2017-05-21 03:25:05 +00:00
</section>
2018-05-01 23:54:21 +00:00
</section>
2015-04-20 15:54:39 +00:00
</chapter>