Home Explore Blog Models CI



nixpkgs
2nd chunk of `doc/using/configuration.chapter.md`
62c6121308e61c31a979365855d60fe9d51407781784abed0000000100000fc5
The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program *ought* to work on a certain platform, but doesn't, the platform should be included in `meta.platforms`, but marked as broken with e.g.  `meta.broken = !hostPlatform.isWindows`. Of course, this begs the question of what "ought" means exactly. That is left to the package maintainer.

## Installing unfree packages {#sec-allow-unfree}

All users of Nixpkgs are free software users, and many users (and developers) of Nixpkgs want to limit and tightly control their exposure to unfree software.
At the same time, many users need (or want) to run some specific pieces of proprietary software.
Nixpkgs includes some expressions for unfree software packages.
By default unfree software cannot be installed and doesn’t show up in searches.

There are several ways to tweak how Nix handles a package which has been marked as unfree.

-   To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:

    ```ShellSession
    $ export NIXPKGS_ALLOW_UNFREE=1
    ```

-   It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the `allowUnfreePredicate` configuration option in the user configuration file.

    This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false:

    ```nix
    { allowUnfreePredicate = (pkg: false); }
    ```

    For a more useful example, try the following. This configuration only allows unfree packages named roon-server and Visual Studio Code:

    ```nix
    {
      allowUnfreePredicate =
        pkg:
        builtins.elem (lib.getName pkg) [
          "roon-server"
          "vscode"
        ];
    }
    ```

-   It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using `allowlistedLicenses` and `blocklistedLicenses`, respectively.

    The following example configuration allowlists the licenses `amd` and `wtfpl`:

    ```nix
    {
      allowlistedLicenses = with lib.licenses; [
        amd
        wtfpl
      ];
    }
    ```

    The following example configuration blocklists the `gpl3Only` and `agpl3Only` licenses:

    ```nix
    {
      blocklistedLicenses = with lib.licenses; [
        agpl3Only
        gpl3Only
      ];
    }
    ```

    Note that `allowlistedLicenses` only applies to unfree licenses unless `allowUnfree` is enabled. It is not a generic allowlist for all types of licenses. `blocklistedLicenses` applies to all licenses.

A complete list of licenses can be found in the file `lib/licenses.nix` of the nixpkgs tree.

## Installing insecure packages {#sec-allow-insecure}

There are several ways to tweak how Nix handles a package which has been marked as insecure.

-   To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools:

    ```ShellSession
    $ export NIXPKGS_ALLOW_INSECURE=1
    ```

-   It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the `permittedInsecurePackages` configuration option in the user configuration file.

    The following example configuration permits the installation of the hypothetically insecure package `hello`, version `1.2.3`:

    ```nix
    { permittedInsecurePackages = [ "hello-1.2.3" ]; }
    ```

-   It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the `allowInsecurePredicate` configuration option.

    The `allowInsecurePredicate` option is a function which accepts a package and returns a boolean, much like `allowUnfreePredicate`.

    The following configuration example allows any version of the `ovftool` package:

    ```nix
    { allowInsecurePredicate = pkg: builtins.elem (lib.getName pkg) [ "ovftool" ]; }
Title: Nixpkgs Configuration for Unfree and Insecure Packages
Summary
This document details Nixpkgs configuration for managing unfree and insecure packages, continuing from the discussion on unsupported vs. broken packages. Nixpkgs defaults to blocking both unfree software and insecure packages. To handle unfree packages, users can temporarily allow all with `export NIXPKGS_ALLOW_UNFREE=1`. For permanent configuration, `allowUnfreePredicate` can allow specific packages (by name), or `allowlistedLicenses` (for unfree) and `blocklistedLicenses` (for all) can define acceptable licenses. A complete license list is in `lib/licenses.nix`. For insecure packages, temporary allowance is achieved with `export NIXPKGS_ALLOW_INSECURE=1`. Permanently, users can list specific insecure packages with versions in `permittedInsecurePackages`, or implement a custom policy via `allowInsecurePredicate` (e.g., by package name).