Possibility to install insecure package ? #1448

Open
PierreBeucher opened this issue May 10, 2024 · 4 comments
Labels: enhancement (Improvement to existing functionality); product (Tickets relevant to the flox product team and/or functional requirements); team-cli (Tickets relevant to the flox CLI team)

@PierreBeucher

Describe the feature:

I'm trying to install a package marked insecure in nixpkgs but it seems there's no option allowing install of (selected) insecure packages.

$ flox install vault
ERROR: package 'vault' failed to evaluate: Package ‘vault-1.14.10’ in /nix/store/4dj2fbzyykakm4x4d0v855r6n5ss9hf9-source/pkgs/tools/security/vault/default.nix:47 is marked as insecure, refusing to evaluate.
 
 
Known issues:
- CVE-2024-2660
 
You can install it anyway by allowing this package, using the
following methods:
 
a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:
 
     $ export NIXPKGS_ALLOW_INSECURE=1
   Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
         then pass `--impure` in order to allow use of environment variables.
b) for `nixos-rebuild` you can add ‘vault-1.14.10’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:
 
     {
       nixpkgs.config.permittedInsecurePackages = [
         "vault-1.14.10"
       ];
     }
 
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘vault-1.14.10’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:
 
     {
       permittedInsecurePackages = [
         "vault-1.14.10"
       ];
     }

I also tried after export NIXPKGS_ALLOW_INSECURE=1 to no avail.

It would be nice to have an option such as:

flox install vault --allow-insecure

Which could be written in TOML such as

vault = { pkg-path = "vault", allow-insecure = true }

Thanks :)
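A policy gate built on the refusal message quoted in the issue above, as an added example (not part of the original thread, and not flox or nixpkgs code): it parses the package and the "Known issues" list out of the tool's stderr and fails when the package has no recorded exception or when an issue appears that the exception did not cover. The function names, the `accepted` mapping and the `<store-path>` placeholder are assumptions made for the illustration.

```python
import re

# Constructed sample: the refusal text quoted in the issue, with the store
# path replaced by a placeholder.
SAMPLE_STDERR = """\
ERROR: package 'vault' failed to evaluate: Package ‘vault-1.14.10’ in <store-path>/pkgs/tools/security/vault/default.nix:47 is marked as insecure, refusing to evaluate.

Known issues:
- CVE-2024-2660

You can install it anyway by allowing this package, using the
following methods:
"""

# Accept typographic or ASCII quotes around the name-version string.
PKG_RE = re.compile(r"Package [‘'](?P<pkg>[^’']+)[’'] in \S+ is marked as insecure")
ISSUE_RE = re.compile(r"^\s*-\s+(?P<issue>\S.*?)\s*$")

def parse_refusal(stderr):
    """Return (package, [known issues]), or None if nothing was refused."""
    m = PKG_RE.search(stderr)
    if not m:
        return None
    issues, in_list = [], False
    for line in stderr[m.end():].splitlines():
        if line.strip() == "Known issues:":
            in_list = True
        elif in_list:
            im = ISSUE_RE.match(line)
            if im:
                issues.append(im.group("issue"))
            elif line.strip():
                break  # first non-blank, non-bullet line ends the list
    return m.group("pkg"), issues

def review(stderr, accepted):
    """accepted (hypothetical): 'name-version' -> set of risk-accepted issues."""
    parsed = parse_refusal(stderr)
    if parsed is None:
        return True, "no insecure-package refusal in output"
    pkg, issues = parsed
    if pkg not in accepted:
        return False, f"{pkg}: no recorded exception; known issues: {issues}"
    uncovered = sorted(set(issues) - accepted[pkg])
    if uncovered:
        return False, f"{pkg}: issues not covered by the exception: {uncovered}"
    return True, f"{pkg}: all known issues covered by the exception"

if __name__ == "__main__":
    print(review(SAMPLE_STDERR, {"vault-1.14.10": {"CVE-2024-2660"}}))
```

Keying the exception on the exact name-version string and its issue set means a later nixpkgs update that lists further known issues for the same package fails the gate instead of passing silently.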

@ghudgins added the enhancement, team-cli and product labels on May 10, 2024
@ghudgins
Contributor

as a workaround, you should be able to set that variable to install vault...

image

@PierreBeucher
Author

Thanks, but as stated (a bit hidden in issue details) it did not seem to be taken into account by flox. We'll try again to make sure we did not miss anything.

@ghudgins
Contributor

yeah, would be interested in understanding why it's not working (as far as a workaround goes)

@y3lousso

  • Arch: AMD64
  • OS: Win 11 on WSL2 - Ubuntu 22.04

image
