NixOS / nixops

NixOps is a tool for deploying to NixOS machines in a network or cloud.
https://nixos.org/nixops
GNU Lesser General Public License v3.0

Insecure packages cause NixOps not to build on unstable #1521

Open WhittlesJr opened 2 years ago

WhittlesJr commented 2 years ago
```
Package ‘python2.7-pyjwt-1.7.1’ in /nix/store/53m4sx16hpgdmr8k8ksb6vm0kdrbw11r-nixos-22.05.714.e5556c75ac0/nixos/pkgs/development/tools/poetry2nix/poetry2nix/mk-poetry-dep.nix:107 is marked as insecure, refusing to evaluate.

Known issues:
 - CVE-2022-29217
```

sadjow commented 2 years ago

```
error: Package ‘python3.9-poetry-1.1.12’ in /nix/store/r5bc1js48ifclv14ldlsi8al9nsdc31k-nixos-21.11.337877.27dffce7eaa/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:18 is marked as insecure, refusing to evaluate.

Known issues:
 - CVE-2021-33503

You can install it anyway by allowing this package, using the
following methods:

a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:

     $ export NIXPKGS_ALLOW_INSECURE=1

 Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
 (Flake) command, `--impure` must be passed in order to read this
 environment variable.

b) for `nixos-rebuild` you can add ‘python3.9-poetry-1.1.12’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "python3.9-poetry-1.1.12"
       ];
     }

c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘python3.9-poetry-1.1.12’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "python3.9-poetry-1.1.12"
       ];
     }

(use '--show-trace' to show detailed location information)
```

nix-tree output:

[image]

sadjow commented 2 years ago

For NixOps 1.7, these are the two packages that need upgrades.

```nix
nixpkgs.config.permittedInsecurePackages = [
  "python2.7-urllib3-1.26.2"
  "python2.7-PyJWT-1.7.1"
];
```

WhittlesJr commented 1 year ago

On latest master:

```
> nix-shell -p nixopsUnstable
error: Package ‘python3.10-poetry-1.2.2’ in /nix/store/ld8avsg9615hvch7lb2g3fdpa1dbg1m2-nixos-22.11/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:50 is marked as insecure, refusing to evaluate.

       Known issues:
        - CVE-2022-42966
```

quinn-dougherty commented 1 year ago

nix-shell -p nixops goes perfectly fine, just now!

```json
"nixpkgs": {
  "locked": {
    "lastModified": 1688322751,
    "narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=",
    "owner": "NixOS",
    "repo": "nixpkgs",
    "rev": "0fbe93c5a7cac99f90b60bdf5f149383daaa615f",
    "type": "github"
  },
  "original": {
    "owner": "NixOS",
    "ref": "nixos-unstable",
    "repo": "nixpkgs",
    "type": "github"
  }
},
```

(had a nix flake update earlier tonight)
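
Added example, not part of the thread or of NixOps: the `permittedInsecurePackages` entries shown above name a package version, not the CVE that was looked at, so this Python sketch parses the "marked as insecure" refusals quoted in this thread and accepts a package only when every reported issue has been reviewed. The `reviewed` mapping, the function names and the `HASH` store paths are assumptions made for illustration; the sample text is constructed from the messages quoted above.

```python
import re

# Matches the refusal line; nixpkgs prints the package name in curly quotes.
PKG_RE = re.compile(r"Package [‘']([^’']+)[’'] in \S+ is marked as insecure")
ISSUE_RE = re.compile(r"^\s*-\s+(.+?)\s*$")

def parse_insecure(output):
    """Return {package name: [known issues]} for every refusal in the text."""
    found, current, in_issues = {}, None, False
    for line in output.splitlines():
        pkg, issue = PKG_RE.search(line), ISSUE_RE.match(line)
        if pkg:
            current, in_issues = found.setdefault(pkg.group(1), []), False
        elif current is not None and line.strip() == "Known issues:":
            in_issues = True
        elif in_issues and issue:
            current.append(issue.group(1))
        elif line.strip():
            in_issues = False  # any other non-blank text ends the issue list
    return found

def review(output, reviewed):
    """Split refusals into (accepted, blocked).

    `reviewed` (hypothetical format) maps a package name to the set of issue
    ids a person has signed off on. A package is accepted only when every
    issue reported for it is in that set, so a new CVE blocks it again.
    """
    accepted, blocked = {}, {}
    for name, issues in parse_insecure(output).items():
        unreviewed = sorted(set(issues) - reviewed.get(name, set()))
        if name in reviewed and not unreviewed:
            accepted[name] = issues
        else:
            blocked[name] = unreviewed
    return accepted, blocked

# Constructed sample: two refusals as they might appear in a combined CI log.
SAMPLE = """\
error: Package ‘python2.7-pyjwt-1.7.1’ in /nix/store/HASH-nixos/mk-poetry-dep.nix:107 is marked as insecure, refusing to evaluate.

Known issues:
 - CVE-2022-29217

You can install it anyway by allowing this package, using the
following methods:
error: Package ‘python3.10-poetry-1.2.2’ in /nix/store/HASH-nixos/default.nix:50 is marked as insecure, refusing to evaluate.

       Known issues:
        - CVE-2022-42966
"""

if __name__ == "__main__":
    print(review(SAMPLE, {"python2.7-pyjwt-1.7.1": {"CVE-2022-29217"}}))
```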