trezor-agent
Nix refusing to evaluate due to CVE-2024-23342
What I am trying to do: nix build github:nixos/nixpkgs/nixos-25.05#trezor-agent
What I get instead:
error:
… while evaluating the attribute 'drvPath'
at /nix/store/6dvf3k09y1gs9h4sisybvyqdxcyri8xb-source/lib/customisation.nix:418:7:
417| // {
418| drvPath =
| ^
419| assert condition;
… while calling the 'derivationStrict' builtin
at <nix/derivation-internal.nix>:37:12:
36|
37| strict = derivationStrict drvAttrs;
| ^
38|
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: Package ‘python3.12-ecdsa-0.19.1’ in /nix/store/6dvf3k09y1gs9h4sisybvyqdxcyri8xb-source/pkgs/development/python-modules/ecdsa/default.nix:43 is marked as insecure, refusing to evaluate.
Known issues:
- CVE-2024-23342
You can install it anyway by allowing this package, using the
following methods:
a) To temporarily allow all insecure packages, you can use an environment
variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
then pass `--impure` in order to allow use of environment variables.
b) for `nixos-rebuild` you can add ‘python3.12-ecdsa-0.19.1’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"python3.12-ecdsa-0.19.1"
];
}
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘python3.12-ecdsa-0.19.1’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"python3.12-ecdsa-0.19.1"
];
}
Also see: https://github.com/NixOS/nixpkgs/pull/454346 and https://github.com/tlsfuzzer/python-ecdsa/issues/330
Wondering whether you are planning on migrating the library or should I permit the package?
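For a flake-based build like the one above, the config.nix route in option c) is not consulted, and `NIXPKGS_ALLOW_INSECURE=1 --impure` from option a) waives the check for every insecure package, not just this one. The following flake is an added example (not from the issue or the trezor-agent project) that scopes the allowance to the single named ecdsa derivation; the `x86_64-linux` system string is an assumption.

```nix
{
  # Same nixpkgs branch the reporter built from.
  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";  # assumption: adjust to the build host
      pkgs = import nixpkgs {
        inherit system;
        # Permit only the exact derivation named in the refusal message.
        # Any other package marked insecure (or a newer ecdsa version that
        # is still flagged) will keep failing evaluation, so the exemption
        # does not silently outlive the package it was written for.
        config.permittedInsecurePackages = [
          "python3.12-ecdsa-0.19.1"
        ];
      };
    in {
      # `nix build .#trezor-agent` (no --impure needed: the config is pure)
      packages.${system}.trezor-agent = pkgs.trezor-agent;
      packages.${system}.default = pkgs.trezor-agent;
    };
}
```

The exemption is tied to the version string, so once nixpkgs moves to a fixed ecdsa (or trezorlib drops the dependency) the entry becomes dead and can be deleted rather than forgotten.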
Should be resolved by https://github.com/trezor/trezor-firmware/pull/6070 and by the upcoming 0.20 trezorlib release.
Related: NixOS/nixpkgs#455630
libagent also needs a fix: https://github.com/trezor/trezor-firmware/pull/6070#issuecomment-3626557029