authorRobert Hensing <robert@roberthensing.nl>2024-03-07 18:02:15 +0100
committerRobert Hensing <robert@roberthensing.nl>2024-03-07 18:06:06 +0100
commit3c40d850945c4be5b460e8ad013aa291fccdce09 (patch)
treee0fd219791e497638310c8d9bd51783456d41bda /nixos/modules/services
parent6487f7384cb6e7f6ba3d3225d8ffbe2827ce577c (diff)
hercules-ci-agent_assume...: Override largely irrelevant CVE-2024-27297
It is safe to use 2.16 for evaluation and talking to the daemon,
which is how it's used when you're using a nix-daemon.

Specifically, this means that it is safe on NixOS and on other
multi-user installations.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix6
1 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
index ea9b5ffbf43c6..e2d76fb4ae8ca 100644
--- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
@@ -50,7 +50,11 @@ in
         Package containing the bin/hercules-ci-agent executable.
       '';
       type = types.package;
-      default = pkgs.hercules-ci-agent;
+      default =
+        # hercules-ci-agent performs its builds through the nix-daemon, so as
+        # long as nix-daemon used and up to date, we can safely use 2.16 for evaluation.
+        # (nix-daemon comes from nix.package; default value is safe)
+        pkgs.hercules-ci-agent_only_safe_with_daemon;
       defaultText = literalExpression "pkgs.hercules-ci-agent";
     };
     settings = mkOption {
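Review bot: The unchanged `defaultText` line right after the new default still says `literalExpression "pkgs.hercules-ci-agent"`, so the rendered option docs no longer name the package actually used and hide that the default carries the CVE-2024-27297 override. Unless that is deliberate, I would change it to `defaultText = literalExpression "pkgs.hercules-ci-agent_only_safe_with_daemon";` and state the precondition in the option's description too, since the description starts outside this hunk and only its last line is visible. The safety condition (builds go through an up-to-date nix-daemon taken from `nix.package`) exists only as a comment here. Nothing visible in the hunk checks it when a user overrides `nix.package`, so a warning or assertion in the module may be worth adding. The new comment is also missing a word and should read `# long as nix-daemon is used and up to date, we can safely use 2.16 for evaluation.`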