Open aanderse opened 4 days ago
https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/by-name/so/sonarr/package.nix
dotnet-sdk = dotnetCorePackages.sdk_6_0; dotnet-runtime = dotnetCorePackages.aspnetcore_6_0;
Are the offending values
yeah, i tried just replacing them with 8.x
but it seems that build scripts expect 6.x
looking in upstream i am under the impression this can build with 8.x
but maybe some sort of build time config switch is required
i didn't investigate further than that
Upstream hasn't updated to .NET 8, but some attempt was made: https://github.com/Sonarr/Sonarr/issues/6597 (from here you can check the linked PRs) Projects from the same maintainers have PRs for .NET 8: https://github.com/Radarr/Radarr/pull/10258 https://github.com/Prowlarr/Prowlarr/pull/2195
It takes a lot of effort for them to properly update to .NET 8, but for us applying some bare minimum patches (perhaps from https://github.com/Sonarr/Sonarr/pull/6983) could work.
Stumbling here from the Starrs / Sonarr - so apologies for the slight off topic
It takes a lot of effort for them to properly update to .NET 8
https://github.com/Sonarr/Sonarr/pull/7443
correct they'll be done in due time. It's not just the apps themselves, but the build servers and associated dependencies
Sonarr has ~2 developers working on the project + upstream metadata
prowlarr, radarr, lidarr have ~1 ish
readarr, whisparr have ~noneish
last heard was keeping bsd support - requiring custom build - and older systems support being dropped with net8.0 were the blockers being worked through
why is Sonarr being built rather than using the pre-compiled binaries like Radarr, Prowlarr, etc?
We should always prefer source builds IMO, but someone could add sonarr-bin
if it's useful.
Also, anyone can still build this package with NIXPKGS_ALLOW_INSECURE
.
i'll include this snippet here as well, citing discourse:
nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
];
Yeah, we used to package the upstream binaries for Sonarr and friends, in fact, but that's not at all the preferred Nixpkgs approach, so we switched to building from source.
Steps To Reproduce
Steps to reproduce the behavior:
sonarr
packageBuild log
requires an old version of dotnet (
6.x
) which has security vulnerabilities against it in nixpkgs so it won't build without permitting those vunerabilitiesAdditional context
can we upgrade to dotnet
8
which is LTS?Notify maintainers
Note for maintainers: Please tag this issue in your PR.
@fadenb @purcell @tie
and maybe @corngood, if my memory serves me correctly?
Add a :+1: reaction to issues you find important.