
Insecure packages cause NixOps not to build on unstable

Open WhittlesJr opened this issue 3 years ago • 4 comments

Package ‘python2.7-pyjwt-1.7.1’ in /nix/store/53m4sx16hpgdmr8k8ksb6vm0kdrbw11r-nixos-22.05.714.e5556c75ac0/nixos/pkgs/development/tools/poetry2nix/poetry2nix/mk-poetry-dep.nix:107 is marked as insecure, refusing to evaluate.


Known issues:
 - CVE-2022-29217

WhittlesJr avatar Jun 10 '22 20:06 WhittlesJr

error: Package ‘python3.9-poetry-1.1.12’ in /nix/store/r5bc1js48ifclv14ldlsi8al9nsdc31k-nixos-21.11.337877.27dffce7eaa/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:18 is marked as insecure, refusing to evaluate.


Known issues:
 - CVE-2021-33503

You can install it anyway by allowing this package, using the
following methods:

a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:

     $ export NIXPKGS_ALLOW_INSECURE=1

 Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
 (Flake) command, `--impure` must be passed in order to read this
 environment variable.

b) for `nixos-rebuild` you can add ‘python3.9-poetry-1.1.12’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "python3.9-poetry-1.1.12"
       ];
     }

c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘python3.9-poetry-1.1.12’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "python3.9-poetry-1.1.12"
       ];
     }


(use '--show-trace' to show detailed location information)

nix-tree output: [image not reproduced]

sadjow avatar Jun 20 '22 23:06 sadjow

For NixOps 1.7 these are the two packages that need upgrades.

nixpkgs.config.permittedInsecurePackages = [
  "python2.7-urllib3-1.26.2"
  "python2.7-PyJWT-1.7.1"
];

sadjow avatar Jun 20 '22 23:06 sadjow
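The error output quoted above and the `permittedInsecurePackages` exception list in the comment before this one go together: every entry in that list is a CVE you are choosing to accept, and once upstream fixes the build the entries should come out again. The following is an added helper, not part of NixOps or nixpkgs, that parses Nix's "marked as insecure" output in the format shown in this thread into a per-package list of CVEs, renders a narrow exception list with the accepted CVEs recorded beside each entry, and flags exceptions that the current evaluation no longer needs. The sample output and the function names are constructed for this example.

```python
import re

# Constructed sample in the exact format Nix prints (two evaluations joined); the
# package names, store paths and CVE ids are the ones quoted in this issue.
SAMPLE_OUTPUT = """\
error: Package ‘python3.9-poetry-1.1.12’ in /nix/store/r5bc1js48ifclv14ldlsi8al9nsdc31k-nixos-21.11.337877.27dffce7eaa/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:18 is marked as insecure, refusing to evaluate.

Known issues:
 - CVE-2021-33503

You can install it anyway by allowing this package, using the
following methods:
error: Package ‘python2.7-PyJWT-1.7.1’ in /nix/store/53m4sx16hpgdmr8k8ksb6vm0kdrbw11r-nixos-22.05.714.e5556c75ac0/nixos/pkgs/development/tools/poetry2nix/poetry2nix/mk-poetry-dep.nix:107 is marked as insecure, refusing to evaluate.

       Known issues:
        - CVE-2022-29217
"""

# "Package ‘<name>’ in <file>:<line> is marked as insecure" (nixpkgs uses curly quotes).
PKG_RE = re.compile(r"Package ‘([^’]+)’ in (\S+) is marked as insecure")
# Bullet lines under "Known issues:", indentation varies between Nix versions.
CVE_RE = re.compile(r"-\s*(CVE-\d{4}-\d{4,})")


def parse_insecure_report(output: str) -> list[dict]:
    """Return one record per refused package: name, nixpkgs location, CVEs."""
    findings, current = [], None
    for line in output.splitlines():
        if m := PKG_RE.search(line):
            current = {"package": m.group(1), "location": m.group(2), "cves": []}
            findings.append(current)
        elif (m := CVE_RE.search(line)) and current is not None:
            current["cves"].append(m.group(1))
    return findings


def to_nix_allowlist(findings: list[dict],
                     option: str = "nixpkgs.config.permittedInsecurePackages") -> str:
    """Render a minimal exception list, documenting the accepted CVEs per entry."""
    lines = [f"{option} = ["]
    for f in findings:
        accepted = ", ".join(f["cves"]) or "no CVE listed"
        lines.append(f'  "{f["package"]}"  # accepted: {accepted}')
    lines.append("];")
    return "\n".join(lines)


def stale_entries(allowlist: list[str], findings: list[dict]) -> list[str]:
    """Exceptions still configured that the current evaluation no longer asks for."""
    still_needed = {f["package"] for f in findings}
    return [pkg for pkg in allowlist if pkg not in still_needed]
```

Re-running `stale_entries` against your configuration after each channel or flake update is the cheap way to keep the exception list from outliving the problem it worked around.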

On latest master:

> nix-shell -p nixopsUnstable
error: Package ‘python3.10-poetry-1.2.2’ in /nix/store/ld8avsg9615hvch7lb2g3fdpa1dbg1m2-nixos-22.11/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:50 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2022-42966

WhittlesJr avatar Dec 13 '22 19:12 WhittlesJr

nix-shell -p nixops goes perfectly fine, just now!

"nixpkgs": {
      "locked": {
        "lastModified": 1688322751,
        "narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "0fbe93c5a7cac99f90b60bdf5f149383daaa615f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },

(had a nix flake update earlier tonight)

quinn-dougherty avatar Aug 08 '23 05:08 quinn-dougherty