author | Robert Hensing <robert@roberthensing.nl> | 2024-03-07 18:02:15 +0100 |
---|---|---|
committer | Robert Hensing <robert@roberthensing.nl> | 2024-03-07 18:06:06 +0100 |
commit | 3c40d850945c4be5b460e8ad013aa291fccdce09 (patch) | |
tree | e0fd219791e497638310c8d9bd51783456d41bda /nixos/modules/services | |
parent | 6487f7384cb6e7f6ba3d3225d8ffbe2827ce577c (diff) |
hercules-ci-agent_assume...: Override largely irrelevant CVE-2024-27297
It is safe to use 2.16 for evaluation and talking to the daemon, which is how it's used when you're using a nix-daemon. Specifically, this means that it is safe on NixOS and on other multi-user installations.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix index ea9b5ffbf43c6..e2d76fb4ae8ca 100644 --- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix +++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix @@ -50,7 +50,11 @@ in Package containing the bin/hercules-ci-agent executable. ''; type = types.package; - default = pkgs.hercules-ci-agent; + default = + # hercules-ci-agent performs its builds through the nix-daemon, so as + # long as nix-daemon used and up to date, we can safely use 2.16 for evaluation. + # (nix-daemon comes from nix.package; default value is safe) + pkgs.hercules-ci-agent_only_safe_with_daemon; defaultText = literalExpression "pkgs.hercules-ci-agent"; }; settings = mkOption { |
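Review bot: `defaultText` directly below the new `default` still reads `literalExpression "pkgs.hercules-ci-agent"`, so the rendered option documentation no longer matches the actual default, `pkgs.hercules-ci-agent_only_safe_with_daemon`, and hides that the default package carries the CVE-2024-27297 override. Suggest updating `defaultText` to the new attribute name so users reading the docs can see which variant they get. The safety condition itself (builds go through nix-daemon, and the daemon from `nix.package` is up to date) is stated only in the code comment; nothing in the visible lines checks it when someone overrides `nix.package`, so consider an assertion or warning in the module, or at least repeating the condition in the option description. Minor wording: "as long as nix-daemon used" in the comment is missing "is".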