NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

openssl_1_1 mark as insecure/remove before 23.05 branchoff #210452

Closed ajs124 closed 1 year ago

ajs124 commented 1 year ago

OpenSSL 1.1.1 (we call it openssl_1_1) will reach end of life on 11 Sep 2023.

This means we should either mark it insecure or ideally completely remove it before the 23.11 release.

The default was already switched in #150093, so most things should use openssl_3 now. For applications that support the OpenSSL 3 API, but need old and broken cryptography, there's also openssl_legacy, which will be supported, because it's just openssl_3 but with the legacy crypto provider enabled.

This is a tracking issue to reference and coordinate this work.

cc @NickCao

ajs124 commented 1 year ago
NickCao commented 1 year ago

Rust (https://github.com/NixOS/nixpkgs/pull/210458)

Rust (outdated openssl-sys)

ajs124 commented 1 year ago

Apparently this https://github.com/loqs/PACKAGES-OSSL3 exists, which might come in handy

NickCao commented 1 year ago
mdarocha commented 1 year ago

Related: https://github.com/NixOS/nixpkgs/pull/214843, which is blocked by removal of .NET 3.1 (https://github.com/NixOS/nixpkgs/issues/202572)

cyntheticfox commented 1 year ago

Not sure if I'm just doing this wrong, but openssl_legacy, as written in top-level, performs an override on openssl to apply the patch. As such, setting the following in ~/.config/nixpkgs/config.nix,

{
  packageOverrides = pkgs: rec {
    openssl = pkgs.openssl_legacy;
  };
}

fails due to infinite recursion. Should we instead have openssl_legacy as a package definition output to enable this use case, or am I approaching this in the wrong manner (should I be trying to overlay, define my own, write some kind of legacyOpenSSL option into the Nixpkgs config system)?

ajs124 commented 1 year ago

This should work with an overlay, I think. Are you sure you want to enable the legacy provider for everything that you're building though?

cyntheticfox commented 1 year ago

This should work with an overlay, I think.

An overlay should work, yes, but I'd think so should packageOverrides... else why have the option rather than requiring only overlays?

Are you sure you want to enable the legacy provider for everything that you're building though?

I mean, I think so? The only time I've run into this is due to SSL Decryption via MitM certificates, such as those used in corporate firewalls to inspect all encrypted traffic.

I'm assuming "Legacy renegotiation" probably covers more use cases than that, but AFAIK, there isn't a more granular way to configure this in OpenSSL for how these MitM proxies are implemented...

Do I want to do this? No. Do I need to? Probably...

mweinelt commented 1 year ago

Heads up! We are planning to mark openssl_1_1 as EOL before the 23.05 branch-off. This affects the following packages. Feel free to ping this issue for an expedited review/merge process.

mweinelt commented 1 year ago

And the following maintainerless packages, mostly about ruby_3_0.

Package list
- _3llo 
- bip 
- haskellPackages.hzk 
- libmysqlconnectorcpp 
- libp11 
- mumble_overlay 
- mysql-workbench 
- pakcs 
- quake3demo 
- rubyPackages_3_0.actioncable 
- rubyPackages_3_0.actionmailbox 
- rubyPackages_3_0.actionmailer 
- rubyPackages_3_0.actionpack 
- rubyPackages_3_0.actiontext 
- rubyPackages_3_0.actionview 
- rubyPackages_3_0.activejob 
- rubyPackages_3_0.activemodel 
- rubyPackages_3_0.activerecord 
- rubyPackages_3_0.activestorage 
- rubyPackages_3_0.activesupport 
- rubyPackages_3_0.addressable 
- rubyPackages_3_0.algoliasearch 
- rubyPackages_3_0.ansi 
- rubyPackages_3_0.ast 
- rubyPackages_3_0.atk 
- rubyPackages_3_0.atomos 
- rubyPackages_3_0.awesome_print 
- rubyPackages_3_0.backport 
- rubyPackages_3_0.bacon 
- rubyPackages_3_0.benchmark 
- rubyPackages_3_0.builder 
- rubyPackages_3_0.byebug 
- rubyPackages_3_0.cairo 
- rubyPackages_3_0.cairo-gobject 
- rubyPackages_3_0.camping 
- rubyPackages_3_0.certified 
- rubyPackages_3_0.CFPropertyList 
- rubyPackages_3_0.charlock_holmes 
- rubyPackages_3_0.claide 
- rubyPackages_3_0.clamp 
- rubyPackages_3_0.cld3 
- rubyPackages_3_0.cocoapods 
- rubyPackages_3_0.cocoapods-acknowledgements 
- rubyPackages_3_0.cocoapods-art 
- rubyPackages_3_0.cocoapods-browser 
- rubyPackages_3_0.cocoapods-clean 
- rubyPackages_3_0.cocoapods-clean_build_phases_scripts 
- rubyPackages_3_0.cocoapods-core 
- rubyPackages_3_0.cocoapods-coverage 
- rubyPackages_3_0.cocoapods-deintegrate 
- rubyPackages_3_0.cocoapods-dependencies 
- rubyPackages_3_0.cocoapods-deploy 
- rubyPackages_3_0.cocoapods-disable-podfile-validations 
- rubyPackages_3_0.cocoapods-downloader 
- rubyPackages_3_0.cocoapods-expert-difficulty 
- rubyPackages_3_0.cocoapods-fix-react-native 
- rubyPackages_3_0.cocoapods-generate 
- rubyPackages_3_0.cocoapods-git_url_rewriter 
- rubyPackages_3_0.cocoapods-keys 
- rubyPackages_3_0.cocoapods-open 
- rubyPackages_3_0.cocoapods-plugins 
- rubyPackages_3_0.cocoapods-search 
- rubyPackages_3_0.cocoapods-testing 
- rubyPackages_3_0.cocoapods-trunk 
- rubyPackages_3_0.cocoapods-try 
- rubyPackages_3_0.cocoapods-try-release-fix 
- rubyPackages_3_0.cocoapods-update-if-you-dare 
- rubyPackages_3_0.cocoapods-whitelist 
- rubyPackages_3_0.cocoapods-wholemodule 
- rubyPackages_3_0.coderay 
- rubyPackages_3_0.coffee-script 
- rubyPackages_3_0.coffee-script-source 
- rubyPackages_3_0.colorator 
- rubyPackages_3_0.colored2 
- rubyPackages_3_0.commonmarker 
- rubyPackages_3_0.concurrent-ruby 
- rubyPackages_3_0.connection_pool 
- rubyPackages_3_0.crass 
- rubyPackages_3_0.curb 
- rubyPackages_3_0.curses 
- rubyPackages_3_0.daemons 
- rubyPackages_3_0.data_objects 
- rubyPackages_3_0.date 
- rubyPackages_3_0.dep-selector-libgecode 
- rubyPackages_3_0.diff-lcs 
- rubyPackages_3_0.digest-sha3 
- rubyPackages_3_0.dip 
- rubyPackages_3_0.dnsruby 
- rubyPackages_3_0.docile 
- rubyPackages_3_0.domain_name 
- rubyPackages_3_0.do_sqlite3 
- rubyPackages_3_0.dotenv 
- rubyPackages_3_0.e2mmap 
- rubyPackages_3_0.em-websocket 
- rubyPackages_3_0.erubi 
- rubyPackages_3_0.escape 
- rubyPackages_3_0.ethon 
- rubyPackages_3_0.eventmachine 
- rubyPackages_3_0.excon 
- rubyPackages_3_0.execjs 
- rubyPackages_3_0.faraday 
- rubyPackages_3_0.faraday-net_http 
- rubyPackages_3_0.ffi 
- rubyPackages_3_0.ffi-compiler 
- rubyPackages_3_0.ffi-rzmq-core 
- rubyPackages_3_0.fiddle 
- rubyPackages_3_0.fog-core 
- rubyPackages_3_0.fog-dnsimple 
- rubyPackages_3_0.fog-json 
- rubyPackages_3_0.formatador 
- rubyPackages_3_0.forwardable-extended 
- rubyPackages_3_0.fourflusher 
- rubyPackages_3_0.fuzzy_match 
- rubyPackages_3_0.gdk_pixbuf2 
- rubyPackages_3_0.gemoji 
- rubyPackages_3_0.gh_inspector 
- rubyPackages_3_0.gio2 
- rubyPackages_3_0.git 
- rubyPackages_3_0.github-pages 
- rubyPackages_3_0.github-pages-health-check 
- rubyPackages_3_0.gitlab-markup 
- rubyPackages_3_0.glib2 
- rubyPackages_3_0.globalid 
- rubyPackages_3_0.gobject-introspection 
- rubyPackages_3_0.gpgme 
- rubyPackages_3_0.gtk2 
- rubyPackages_3_0.haml 
- rubyPackages_3_0.hashie 
- rubyPackages_3_0.highline 
- rubyPackages_3_0.hike 
- rubyPackages_3_0.hitimes 
- rubyPackages_3_0.hpricot 
- rubyPackages_3_0.htmlbeautifier 
- rubyPackages_3_0.html-pipeline 
- rubyPackages_3_0.http 
- rubyPackages_3_0.http-accept 
- rubyPackages_3_0.httpclient 
- rubyPackages_3_0.http-cookie 
- rubyPackages_3_0.http-form_data 
- rubyPackages_3_0.i18n 
- rubyPackages_3_0.iconv 
- rubyPackages_3_0.idn-ruby 
- rubyPackages_3_0.indieweb-endpoints 
- rubyPackages_3_0.jaro_winkler 
- rubyPackages_3_0.jbuilder 
- rubyPackages_3_0.jekyll 
- rubyPackages_3_0.jekyll-archives 
- rubyPackages_3_0.jekyll-avatar 
- rubyPackages_3_0.jekyll-coffeescript 
- rubyPackages_3_0.jekyll-commonmark 
- rubyPackages_3_0.jekyll-commonmark-ghpages 
- rubyPackages_3_0.jekyll-default-layout 
- rubyPackages_3_0.jekyll-favicon 
- rubyPackages_3_0.jekyll-feed 
- rubyPackages_3_0.jekyll-gist 
- rubyPackages_3_0.jekyll-github-metadata 
- rubyPackages_3_0.jekyll-include-cache 
- rubyPackages_3_0.jekyll-mentions 
- rubyPackages_3_0.jekyll-optional-front-matter 
- rubyPackages_3_0.jekyll-paginate 
- rubyPackages_3_0.jekyll-readme-index 
- rubyPackages_3_0.jekyll-redirect-from 
- rubyPackages_3_0.jekyll-relative-links 
- rubyPackages_3_0.jekyll-remote-theme 
- rubyPackages_3_0.jekyll-sass-converter 
- rubyPackages_3_0.jekyll-seo-tag 
- rubyPackages_3_0.jekyll-sitemap 
- rubyPackages_3_0.jekyll-spaceship 
- rubyPackages_3_0.jekyll-swiss 
- rubyPackages_3_0.jekyll-theme-architect 
- rubyPackages_3_0.jekyll-theme-cayman 
- rubyPackages_3_0.jekyll-theme-dinky 
- rubyPackages_3_0.jekyll-theme-hacker 
- rubyPackages_3_0.jekyll-theme-leap-day 
- rubyPackages_3_0.jekyll-theme-merlot 
- rubyPackages_3_0.jekyll-theme-midnight 
- rubyPackages_3_0.jekyll-theme-minimal 
- rubyPackages_3_0.jekyll-theme-modernist 
- rubyPackages_3_0.jekyll-theme-primer 
- rubyPackages_3_0.jekyll-theme-slate 
- rubyPackages_3_0.jekyll-theme-tactile 
- rubyPackages_3_0.jekyll-theme-time-machine 
- rubyPackages_3_0.jekyll-titles-from-headings 
- rubyPackages_3_0.jekyll-watch 
- rubyPackages_3_0.jekyll-webmention_io 
- rubyPackages_3_0.jemoji 
- rubyPackages_3_0.jmespath 
- rubyPackages_3_0.json 
- rubyPackages_3_0.json_pure 
- rubyPackages_3_0.jwt 
- rubyPackages_3_0.kramdown 
- rubyPackages_3_0.kramdown-parser-gfm 
- rubyPackages_3_0.kramdown-rfc2629 
- rubyPackages_3_0.libxml-ruby 
- rubyPackages_3_0.link-header-parser 
- rubyPackages_3_0.liquid 
- rubyPackages_3_0.listen 
- rubyPackages_3_0.llhttp-ffi 
- rubyPackages_3_0.loofah 
- rubyPackages_3_0.mab 
- rubyPackages_3_0.magic 
- rubyPackages_3_0.mail 
- rubyPackages_3_0.marcel 
- rubyPackages_3_0.markaby 
- rubyPackages_3_0.matrix 
- rubyPackages_3_0.mercenary 
- rubyPackages_3_0.method_source 
- rubyPackages_3_0.mime-types 
- rubyPackages_3_0.mime-types-data 
- rubyPackages_3_0.minima 
- rubyPackages_3_0.mini_magick 
- rubyPackages_3_0.mini_mime 
- rubyPackages_3_0.mini_portile2 
- rubyPackages_3_0.minitest 
- rubyPackages_3_0.molinillo 
- rubyPackages_3_0.msgpack 
- rubyPackages_3_0.multi_json 
- rubyPackages_3_0.mustermann 
- rubyPackages_3_0.mysql2 
- rubyPackages_3_0.nanaimo 
- rubyPackages_3_0.nap 
- rubyPackages_3_0.native-package-installer 
- rubyPackages_3_0.ncursesw 
- rubyPackages_3_0.net-imap 
- rubyPackages_3_0.net-pop 
- rubyPackages_3_0.net-protocol 
- rubyPackages_3_0.netrc 
- rubyPackages_3_0.net-scp 
- rubyPackages_3_0.net-smtp 
- rubyPackages_3_0.net-ssh 
- rubyPackages_3_0.nio4r 
- rubyPackages_3_0.nokogiri 
- rubyPackages_3_0.octokit 
- rubyPackages_3_0.og-corefoundation 
- rubyPackages_3_0.openssl 
- rubyPackages_3_0.optimist 
- rubyPackages_3_0.opus-ruby 
- rubyPackages_3_0.ovirt-engine-sdk 
- rubyPackages_3_0.pandocomatic 
- rubyPackages_3_0.pango 
- rubyPackages_3_0.parallel 
- rubyPackages_3_0.parser 
- rubyPackages_3_0.paru 
- rubyPackages_3_0.pastel 
- rubyPackages_3_0.pathutil 
- rubyPackages_3_0.patron 
- rubyPackages_3_0.pcaprub 
- rubyPackages_3_0.pg 
- rubyPackages_3_0.pkg-config 
- rubyPackages_3_0.polyglot 
- rubyPackages_3_0.prettier 
- rubyPackages_3_0.prettier_print 
- rubyPackages_3_0.pry 
- rubyPackages_3_0.pry-byebug 
- rubyPackages_3_0.pry-doc 
- rubyPackages_3_0.public_suffix 
- rubyPackages_3_0.puma 
- rubyPackages_3_0.racc 
- rubyPackages_3_0.rack 
- rubyPackages_3_0.rack-protection 
- rubyPackages_3_0.rack-test 
- rubyPackages_3_0.rails 
- rubyPackages_3_0.rails-dom-testing 
- rubyPackages_3_0.rails-html-sanitizer 
- rubyPackages_3_0.railties 
- rubyPackages_3_0.rainbow 
- rubyPackages_3_0.rake 
- rubyPackages_3_0.rb-fsevent 
- rubyPackages_3_0.rb-inotify 
- rubyPackages_3_0.rbnacl 
- rubyPackages_3_0.rb-readline 
- rubyPackages_3_0.rbs 
- rubyPackages_3_0.rchardet 
- rubyPackages_3_0.re2 
- rubyPackages_3_0.redcarpet 
- rubyPackages_3_0.red-colors 
- rubyPackages_3_0.redis 
- rubyPackages_3_0.redis-client 
- rubyPackages_3_0.redis-rack 
- rubyPackages_3_0.redis-store 
- rubyPackages_3_0.regexp_parser 
- rubyPackages_3_0.rest-client 
- rubyPackages_3_0.reverse_markdown 
- rubyPackages_3_0.rexml 
- rubyPackages_3_0.rmagick 
- rubyPackages_3_0.rouge 
- rubyPackages_3_0.rpam2 
- rubyPackages_3_0.rspec 
- rubyPackages_3_0.rspec-core 
- rubyPackages_3_0.rspec-expectations 
- rubyPackages_3_0.rspec-mocks 
- rubyPackages_3_0.rspec-support 
- rubyPackages_3_0.rubocop 
- rubyPackages_3_0.rubocop-ast 
- rubyPackages_3_0.rubocop-performance 
- rubyPackages_3_0.ruby2_keywords 
- rubyPackages_3_0.ruby-graphviz 
- rubyPackages_3_0.ruby-keychain 
- rubyPackages_3_0.ruby-libvirt 
- rubyPackages_3_0.ruby-lxc 
- rubyPackages_3_0.ruby-macho 
- rubyPackages_3_0.ruby-progressbar 
- rubyPackages_3_0.ruby-terminfo 
- rubyPackages_3_0.ruby-vips 
- rubyPackages_3_0.rubyzip 
- rubyPackages_3_0.rugged 
- rubyPackages_3_0.safe_yaml 
- rubyPackages_3_0.sass 
- rubyPackages_3_0.sassc 
- rubyPackages_3_0.sass-listen 
- rubyPackages_3_0.sawyer 
- rubyPackages_3_0.scrypt 
- rubyPackages_3_0.semian 
- rubyPackages_3_0.sequel 
- rubyPackages_3_0.sequel_pg 
- rubyPackages_3_0.simplecov 
- rubyPackages_3_0.simplecov-html 
- rubyPackages_3_0.simplecov_json_formatter 
- rubyPackages_3_0.simpleidn 
- rubyPackages_3_0.sinatra 
- rubyPackages_3_0.slather 
- rubyPackages_3_0.slop 
- rubyPackages_3_0.snappy 
- rubyPackages_3_0.snmp 
- rubyPackages_3_0.solargraph 
- rubyPackages_3_0.sqlite3 
- rubyPackages_3_0.string_inflection 
- rubyPackages_3_0.syntax_tree 
- rubyPackages_3_0.syntax_tree-haml 
- rubyPackages_3_0.syntax_tree-rbs 
- rubyPackages_3_0.taglib-ruby 
- rubyPackages_3_0.temple 
- rubyPackages_3_0.terminal-table 
- rubyPackages_3_0.thor 
- rubyPackages_3_0.thrift 
- rubyPackages_3_0.tilt 
- rubyPackages_3_0.timeout 
- rubyPackages_3_0.tiny_tds 
- rubyPackages_3_0.treetop 
- rubyPackages_3_0.tty-color 
- rubyPackages_3_0.tty-command 
- rubyPackages_3_0.tty-option 
- rubyPackages_3_0.typhoeus 
- rubyPackages_3_0.tzinfo 
- rubyPackages_3_0.uglifier 
- rubyPackages_3_0.unf 
- rubyPackages_3_0.unf_ext 
- rubyPackages_3_0.unicode-display_width 
- rubyPackages_3_0.uuid4r 
- rubyPackages_3_0.webmention 
- rubyPackages_3_0.websocket-driver 
- rubyPackages_3_0.websocket-extensions 
- rubyPackages_3_0.whois 
- rubyPackages_3_0.xcodeproj 
- rubyPackages_3_0.xctasks 
- rubyPackages_3_0.yard 
- rubyPackages_3_0.zeitwerk 
- rubyPackages_3_0.zookeeper 
- rubyPackages_3_1.jekyll-webmention_io 
- rubyPackages_3_1.openssl 
- rubyPackages_3_2.jekyll-webmention_io 
- rubyPackages_3_2.openssl 
- rubyPackages.jekyll-webmention_io 
- rubyPackages.openssl 
- taizen

ilya-fedin commented 1 year ago

What should I do if the upstream developer of my package has no spare time to add openssl 3 support to his project? I use the package, so I don't want to mark it as broken/remove yet I have no openssl knowledge to help port it to openssl 3.

mweinelt commented 1 year ago

That is certainly a tough spot. We're leaving behind packages every once in a while in the EOL treadmill. For now, you can certainly rely on allowInsecurePredicate. If you can't fix it and the upstream won't, then we'll have to remove the package at some point down the road.

We'll keep openssl_1_1 available throughout the 23.05 release cycle, but we cannot guarantee security support, and will therefore remove it from nixpkgs/master come September.

sersorrel commented 1 year ago

I'm reasonably sure that xivlauncher is only affected by this because steam-run depends on openssl_1_1. It would probably be possible to craft a stripped-down version of the steam-run environment specifically for xivlauncher, but if steam-run is going to be updated to remove the openssl_1_1 dependency then I won't bother trying, so: what's the plan for steam-run?

DianaOlympos commented 1 year ago

For erlang_23 we will not support openssl 3. I think we will accept that state of affairs for 23.05, as we will drop erlang 23 during the summer, after 26 is released.

colemickens commented 1 year ago

PR for cfdyndns: https://github.com/NixOS/nixpkgs/pull/231535

illustris commented 1 year ago

Hadoop does not support openssl 3 yet. Skein, dask-yarn and spark are all downstream of that. A quick scan of the jira suggests that openssl 3 support is not being worked on yet either. I've asked for access to the jira to open an issue. There is a good chance it won't get fixed by September.

dylanmtaylor commented 1 year ago

As aws-workspaces is a pre-built binary distributed by Amazon and it is built against Ubuntu 20.04, 'focal', we do not have too much control over what libraries it is built against. OpenSSL 3 might work, but I am skeptical since Ubuntu Focal is still shipping version 1.1. https://packages.ubuntu.com/source/focal/openssl

I imagine that Amazon will release a newer version compiled against Ubuntu 22.04 LTS ('jammy') in the future, which ships with OpenSSL 3. https://launchpad.net/ubuntu/jammy/+source/openssl

Until then, there's not much we can do to switch it without possibly breaking things for users.

Thanks for the EOL notice, I will keep an eye out for a newer release of WorkSpaces and update it if one ships from Amazon to a version built against 22.04.

aveltras commented 1 year ago

Regarding cinny-desktop, I don't think I can do anything on my side. It seems this issue will be met by all Tauri based apps according to https://github.com/tauri-apps/tauri/issues/4470

peperunas commented 1 year ago

I am rebuilding my machine, still on 22.11, and I get the EOL error for OpenSSL 1.1.1t.

How can I check which package is blocking the rebuild?

mweinelt commented 1 year ago

You could instantiate your system configuration and search for openssl_1_1 in it, e.g. using nix-tree.


cd /etc/nixos
NIXPKGS_ALLOW_INSECURE=1 nix-instantiate --strict "<nixpkgs/nixos>" -A system
nix-tree --derivation <drv path>

RaitoBezarius commented 1 year ago

Another alternative, if you have the nix-command experimental feature, is to do the following, which can catch fewer hits if OpenSSL is manipulated strangely:

cd /etc/nixos
NIXPKGS_ALLOW_INSECURE=1 nix why-depends $(nix-instantiate --strict "<nixpkgs/nixos>" -A system) $(nix-instantiate --strict "<nixpkgs>" -A openssl_1_1)

Example on my "live" system:

nix why-depends /run/current-system /nix/store/i25c5r8p2yij9rznyiwi7jxg6pf95kdz-openssl-1.1.1t.drv
warning: The interpretation of store paths arguments ending in `.drv` recently changed. If this command is now failing try again with '/nix/store/i25c5r8p2yij9rznyiwi7jxg6pf95kdz-openssl-1.1.1t.drv!*'
'/nix/store/q3gabkg4a2w4rqd78x4wk75kkp9q859w-nixos-system-Thorkell-23.11pre488518.794a24afefd' does not depend on '/nix/store/i25c5r8p2yij9rznyiwi7jxg6pf95kdz-openssl-1.1.1t.drv'

kwshi commented 1 year ago

(Note: all these comments assume having run export NIXPKGS_ALLOW_INSECURE=1 and running each nix why-depends or nix-build command with the --impure flag.)

What's the equivalent of these commands on a flake-based system? I tried something like (flax is the name of my nixos configuration hostname)

nix why-depends '.#nixosConfigurations.flax.config.system.build.toplevel' 'github:NixOS/nixpkgs/nixos-23.05#openssl_1_1'

but this fails with the error message:

error: argument 'github:NixOS/nixpkgs/nixos-23.05#openssl_1_1' should evaluate to one store path

What's up with that? How do I troubleshoot this?


EDIT: by sheer trial and error, I seem to have narrowed the offending openssl derivation path on my system to be /nix/store/a58v6jcqyfhr9s04q46f5drxbya3zvr1-openssl-1.1.1u/. So the following command seems to work:

nix why-depends '.#nixosConfigurations.flax.config.system.build.toplevel' '/nix/store/a58v6jcqyfhr9s04q46f5drxbya3zvr1-openssl-1.1.1u/'

As well as manually forcing the system to build, via something like

nix build '.#nixosConfigurations.flax.config.system.build.toplevel'
nix why-depends './result' '/nix/store/a58v6jcqyfhr9s04q46f5drxbya3zvr1-openssl-1.1.1u/'

or, doing the most unsafe thing, i.e., overriding the deprecation by adding

nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1u" ];

to the system configuration, rebuilding (nixos-rebuild switch), and then doing

nix why-depends '/run/current-system' '/nix/store/a58v6jcqyfhr9s04q46f5drxbya3zvr1-openssl-1.1.1u/'

(In fact, this is how I located the relevant openssl path in the first place: by doing ls -d /nix/store/*openssl-1.1.1u*, then trying the nix why-depends /run/current-system ... command for each folder I found.)

This seems to work, but it's really quite suboptimal, and I have to imagine that there's a more correct/smart/less annoying way to go about figuring this out than brute trial-and-error.
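The nix why-depends and nix-tree commands in the comments above answer "what in my closure still references openssl_1_1?" once you already know the exact store path. As an added example (not code from this thread or from Nix itself), the script below reimplements that search as a breadth-first walk over store references and matches the target by name pattern, so the hash does not need to be known in advance; the SAMPLE_REFERENCES graph and its store paths are constructed for the example, and the nix_store_references helper is the hypothetical hook for running it against a real closure.

```python
"""Find the reference chain from a system closure to an EOL openssl-1.1.1 path.

Added example, not from the nixpkgs issue thread. Reimplements the search that
`nix why-depends` performs, but matches the target by name rather than by an
exact, hash-prefixed store path.
"""
from collections import deque
import re
import subprocess

# Constructed sample closure. Hashes and names are made up for the example
# and are not real nixpkgs outputs.
SAMPLE_REFERENCES = {
    "/nix/store/aaaa-nixos-system-example": [
        "/nix/store/bbbb-system-path",
        "/nix/store/cccc-openssl-3.0.9",
    ],
    "/nix/store/bbbb-system-path": [
        "/nix/store/dddd-steam-run",
        "/nix/store/eeee-curl-8.1.2",
    ],
    "/nix/store/dddd-steam-run": ["/nix/store/ffff-steam-fhs-env"],
    "/nix/store/ffff-steam-fhs-env": [
        "/nix/store/gggg-openssl-1.1.1u",
        "/nix/store/cccc-openssl-3.0.9",
    ],
    "/nix/store/eeee-curl-8.1.2": ["/nix/store/cccc-openssl-3.0.9"],
    "/nix/store/cccc-openssl-3.0.9": [],
    "/nix/store/gggg-openssl-1.1.1u": [],
}


def sample_references(path):
    """Lookup over the constructed graph; stands in for nix-store on a real box."""
    return SAMPLE_REFERENCES.get(path, [])


def nix_store_references(path):
    """Direct references of a real store path (hypothetical hook; needs nix)."""
    out = subprocess.run(["nix-store", "--query", "--references", path],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


def store_name(path):
    """Drop '/nix/store/<hash>-' and keep the package name, e.g. 'openssl-1.1.1u'."""
    return path.rsplit("/", 1)[-1].split("-", 1)[-1]


def why_depends(root, target_pattern, references=sample_references):
    """Shortest reference chain from root to the first path whose name matches
    target_pattern (a regex), or None if nothing in the closure matches."""
    pattern = re.compile(target_pattern)
    parent = {root: None}           # visited set doubling as the BFS back-pointer map
    queue = deque([root])
    while queue:
        path = queue.popleft()
        if path != root and pattern.search(store_name(path)):
            chain = []
            while path is not None:  # walk back-pointers up to the root
                chain.append(path)
                path = parent[path]
            return chain[::-1]
        for ref in references(path):
            if ref not in parent:    # also skips a path's self-reference
                parent[ref] = path
                queue.append(ref)
    return None
```

Against a real system, pass the built toplevel store path (for instance the target of /run/current-system) as root and references=nix_store_references; the chain then names the package, here the steam-run FHS environment in the sample, that keeps openssl-1.1.1 in the closure.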

nh2 commented 1 year ago

NIXPKGS_ALLOW_INSECURE=1 nix why-depends $(nix-instantiate --strict "<nixpkgs/nixos>" -A system) $(nix-instantiate --strict "<nixpkgs>" -A openssl_1_1)

This does not work because the environment variable at the front is not passed to $(...) subshells, at least not in my shell (zsh).

Working version should be:

nix --extra-experimental-features nix-command why-depends $(NIXPKGS_ALLOW_INSECURE=1 nix-instantiate --strict "<nixpkgs/nixos>" -A system) $(NIXPKGS_ALLOW_INSECURE=1 nix-instantiate --strict "<nixpkgs>" -A openssl_1_1)

Separately, this still fails for me because why-depends outputs

path '/nix/store/aahb5wzwslmw898bm923nqs4yyhbxq6l-openssl-1.1.1u.drv!bin' does not contain a 'flake.nix', searching up