NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

"Package ... is marked as insecure" messages could be more actionable #209804

Open colemickens opened 1 year ago

colemickens commented 1 year ago

Describe the bug

  1. I update.
  2. I get a message about python2 being unsupported.

I thumbs up my terminal because I can't really do anything with this information. I have no idea what the dependency chain is that leads to python 2 being included in my toplevel derivation.

Furthermore, the attribute name, the path to the derivation source and more is printed, but never the derivation store path which would allow me to investigate further with nix why-depends.

But, I am fairly used to breaking out nix eval --raw --derivation #foo.drvPath and then firing that into nix-store --query --graph ... and then grepping through that, but it feels there should be a better way.

colemickens commented 1 year ago

Oh, except this is an eval-level error, so I can't even actually do that...

jansol commented 1 year ago

In most cases nix should point you towards --show-trace AFAIK

aleeusgr commented 1 year ago

> Describe the bug
>
>   1. I update.
>   2. I get a message about python2 being unsupported.
>
> I thumbs up my terminal because I can't really do anything with this information. I have no idea what the dependency chain is that leads to python 2 being included in my toplevel derivation.
>
> Furthermore, the attribute name, the path to the derivation source and more is printed, but never the derivation store path which would allow me to investigate further with nix why-depends.
>
> But, I am fairly used to breaking out nix eval --raw --derivation #foo.drvPath and then firing that into nix-store --query --graph ... and then grepping through that, but it feels there should be a better way.

Hi! So I am facing the python2 issue on my daily machine; could you expand and point to a doc? How do I research it? Do I understand correctly that a package in my nixos-config has python2 in its dependency tree and I need to find which one?

Thank you

vtechev commented 1 year ago

I ran into this yesterday, and eventually got to the bottom of it this way:

  1. nix path-info -r /run/current-system | grep to find the path for the offending package
     a. It may be necessary to add the --extra-experimental-features nix-command flag to nix path-info - you'll get an error telling you as much if you do
  2. nix-store -q --referrers <path from previous step> to list the packages that depend on the offending package

With python2 there can be a lot in that list since there will probably be python libs installed too. In my case, the root cause turned out to be nixops, which somehow hasn't migrated to python3 yet.

You may have to use some judgment to determine what stuff from the list can be safely filtered out. Also it's conceivable that you would need to repeat this several times before you found your way to an actual package you requested, if there is more of a tree of dependencies.
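The repeated referrers walk described in the comment above, automated as an added example (not code from this thread or from nixpkgs): it walks up from the insecure store path until it reaches the system root and skips referrers that are outside the closure being audited. The function names and the sample store paths (placeholder hashes) are constructed for illustration.

```python
import subprocess
from collections import deque

def nix_referrers(path):
    """Store paths that reference `path` (same command as step 2 in the comment)."""
    out = subprocess.run(["nix-store", "-q", "--referrers", path],
                         check=True, capture_output=True, text=True).stdout
    return out.split()

def restrict(lookup, closure):
    """Drop referrers outside one closure, e.g. leftovers from old generations."""
    return lambda path: [r for r in lookup(path) if r in closure]

def chain_to_root(target, root, lookup):
    """Breadth-first walk up the referrer graph; shortest root -> target chain or None."""
    parent = {target: None}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        if node == root:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain
        for ref in lookup(node):
            if ref not in parent:  # skips self-references and already-seen paths
                parent[ref] = node
                queue.append(ref)
    return None

# Constructed sample graph (placeholder hashes): path -> its referrers.
S = "/nix/store/"
PY, LIB, TOOL = S + "aaaa-python-2.7.18.6", S + "bbbb-python2.7-examplelib", S + "cccc-example-tool"
ENV, ROOT, OLD = S + "dddd-system-path", S + "eeee-nixos-system-example", S + "ffff-old-generation"
SAMPLE = {PY: [PY, LIB, TOOL, OLD], LIB: [TOOL], TOOL: [ENV], ENV: [ROOT], OLD: [], ROOT: []}
CLOSURE = {PY, LIB, TOOL, ENV, ROOT}

def demo():
    return chain_to_root(PY, ROOT, restrict(SAMPLE.__getitem__, CLOSURE))

if __name__ == "__main__":
    print(" -> ".join(demo()))
    # On a real machine: build CLOSURE from `nix path-info -r /run/current-system`
    # and pass restrict(nix_referrers, CLOSURE) as the lookup.
```

The first entry after the root in the returned chain is the package to look for in the configuration; the Python libraries that only add noise to the raw referrers list never appear in it.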

aleeusgr commented 10 months ago

Thanks @vtechev

I get references to home-manager-path

10:57 $ nix-store -q --referrers /nix/store/lzsr6hlbjyqihyz3nfrbpazg1a2mg65x-python-2.7.18.6
/nix/store/lzsr6hlbjyqihyz3nfrbpazg1a2mg65x-python-2.7.18.6
...
/nix/store/ab6lv49nxl8gw4xjijhqla1lqcrg73j5-home-manager-path

which I could trace to

11:00 $ nix-store -q --referrers /nix/store/ab6lv49nxl8gw4xjijhqla1lqcrg73j5-home-manager-path
/nix/store/fkvwjbfdsv5rkh4532nszyn4jiym7qqi-hm_fontconfigconf.d10hmfonts.conf