bobvanderlinden / nixpkgs-ruby

A Nix repository with all Ruby versions being kept up-to-date automatically


Allow insecure openssl version

marvin-bitterlich opened this issue · comments

Hello,

I am trying out your devshell with ruby 2.7 and am getting this error:

Known issues:
  - OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Since I'm not running NixOS and don't want to expect every developer to either modify their home folder or run with env variables, is there a way to modify the flake to allow the insecure openssl package? I am using the default template.

I have exactly the same question

You can use an older version of nixpkgs-ruby which refers to an older version of nixpkgs where openssl 1.1 isn't deprecated/removed yet. For instance:

$ nix run 'github:bobvanderlinden/nixpkgs-ruby/853db1f7f6af87322c18042af555194b1306172f#"ruby-2.7"' -- --version
ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]

If you really want to use nixpkgs-ruby with an EOL version of Ruby against a new version of nixpkgs, then you'd need to repackage OpenSSL 1.1 or Ruby needs to be patched to be compatible with OpenSSL 3. I tried in the past, but it was too much effort for me to have an EOL version work with a modern OpenSSL.


Just wanted to mention as well, if you're using devenv.sh, you can use the permittedInsecurePackages option in devenv.yaml, like so:

permittedInsecurePackages:
- openssl-1.1.1w

Hi there,

I'm using permittedInsecurePackages, but when I try to use packageFromRubyVersionFile, the insecure packages seem to be out of scope somehow?

{
  # inputs block assumed for completeness; it was not part of the original comment
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
  };

  outputs = { self, nixpkgs, nixpkgs-ruby, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs {
          inherit system;

          overlays = [
            nixpkgs-ruby.overlays.default
          ];

          # All non-free dependencies are defined here.
          config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [
          ];

          config.permittedInsecurePackages = [
            "openssl-1.1.1w" # Needed by Ruby 2.7.x
          ];
        };

        ruby = nixpkgs-ruby.lib.packageFromRubyVersionFile {
          file = ./.ruby-version;
          inherit system;
        };
      in
        {
          packages.default = pkgs.mkShell {
            buildInputs = [ ruby ];
          };
        });
}
johnhamelink@jh-mbp pkg % nix flake check --show-trace
warning: Git tree '/Users/johnhamelink/code/pkg' is dirty
error:
       … while checking flake output 'packages'

         at /nix/store/p58d2j0ac7zvja5jl14xzbc19fakjxh2-source/lib.nix:39:17:

           38|               {
           39|                 ${key} = (attrs.${key} or { })
             |                 ^
           40|                   // { ${system} = ret.${key}; };

       … while checking the derivation 'packages.aarch64-darwin.default'

         at /nix/store/0lhk0h59ylkhc5pggdrk266r60v70kcy-source/flake.nix:39:11:

           38|         {
           39|           packages.default = pkgs.mkShell {
             |           ^
           40|             buildInputs = [

       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'nix-shell'
         whose name attribute is located at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:348:7

       … while evaluating attribute 'buildInputs' of derivation 'nix-shell'

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:395:7:

          394|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          395|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          396|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       … while evaluating derivation 'ruby-2.7.2'
         whose name attribute is located at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:348:7

       … while evaluating attribute 'buildInputs' of derivation 'ruby-2.7.2'

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:395:7:

          394|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          395|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          396|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       … from call site

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/check-meta.nix:448:16:

          447|         {
          448|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
             |                ^
          449|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

       … while calling 'handleEvalIssue'

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/check-meta.nix:225:38:

          224|
          225|   handleEvalIssue = { meta, attrs }: { reason , errormsg ? "" }:
             |                                      ^
          226|     let

       error: Package ‘openssl-1.1.1w’ in /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/development/libraries/openssl/default.nix:223 is marked as insecure, refusing to evaluate.


       Known issues:
        - OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘openssl-1.1.1w’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "openssl-1.1.1w"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘openssl-1.1.1w’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "openssl-1.1.1w"
              ];
            }
johnhamelink@jh-mbp pkg %

Ah right, nixpkgs-ruby must then also follow nixpkgs of devenv:

inputs:
  nixpkgs-ruby:
    url: github:bobvanderlinden/nixpkgs-ruby
    inputs:
      nixpkgs:
        follows: nixpkgs
permittedInsecurePackages:
- openssl-1.1.1w
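The flake equivalent of the same fix, as an added example that is not from this thread or from the nixpkgs-ruby project: Ruby is resolved through the overlay on the flake's own pkgs instance (which carries the config), nixpkgs-ruby's nixpkgs input follows this flake's, and the exception stays scoped to the one package instead of waiving the check globally with NIXPKGS_ALLOW_INSECURE=1. It assumes the overlay exposes a `ruby-<version>` attribute and that the nixpkgs-ruby input is named `nixpkgs`.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
    # Build nixpkgs-ruby against the same nixpkgs as this flake, so one
    # config applies to every derivation in the closure.
    nixpkgs-ruby.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, flake-utils, nixpkgs-ruby }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs {
          inherit system;
          overlays = [ nixpkgs-ruby.overlays.default ];
          # Allow only the one EOL package the old Ruby needs. Unlike
          # NIXPKGS_ALLOW_INSECURE=1, any other insecure package that
          # enters the closure later is still rejected at eval time.
          config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
        };

        # lib.fileContents reads the file and strips the trailing newline.
        rubyVersion = nixpkgs.lib.fileContents ./.ruby-version;

        # Assumption: the overlay provides pkgs."ruby-<version>". Taking
        # it from *this* pkgs means the config above is in scope, whereas
        # packageFromRubyVersionFile evaluates against nixpkgs-ruby's own
        # nixpkgs instance and never sees it.
        ruby = pkgs."ruby-${rubyVersion}";
      in
      {
        devShells.default = pkgs.mkShell {
          buildInputs = [ ruby ];
        };
      });
}
```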


I cannot get that to work as expected; my only source of success has been to run export NIXPKGS_ALLOW_INSECURE=1 before running devenv shell.

Using devenv in a flake, I was able to get this to work on an up-to-date version of nixpkgs by overriding the vulnerabilities associated with openssl_1_1.

flake.nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    devenv.url = "github:cachix/devenv";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
  };

  nixConfig = {
    extra-trusted-public-keys = "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=";
    extra-substituters = "https://devenv.cachix.org";
  };

  outputs = { self, nixpkgs, devenv, nixpkgs-ruby, ... } @ inputs:
    let
      pkgs = import nixpkgs { system = "aarch64-darwin"; };
    in
    {
      devShell.aarch64-darwin = devenv.lib.mkShell {
        inherit inputs pkgs;
        modules = [
          ({ pkgs, config, system, ... }:
            let
              openssl_1_1_insecure = pkgs.openssl_1_1.overrideAttrs (
                finalAttrs: previousAttrs: {
                  meta = previousAttrs.meta // { knownVulnerabilities = [ ]; };
                }
              );

              ruby = nixpkgs-ruby.lib.packageFromRubyVersionFile {
                system = "aarch64-darwin";
                file = ./.ruby-version;
              };

              ruby_insecure = ruby.override {
                openssl = openssl_1_1_insecure;
              };
            in
            {
              languages.ruby = {
                enable = true;
                package = ruby_insecure;
              };
            })
        ];
      };
    };
}
.ruby-version
2.7.4