NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Build failure: sonarr #360592

Open aanderse opened 4 days ago

aanderse commented 4 days ago

Steps To Reproduce

Steps to reproduce the behavior:

  1. attempt to upgrade your server to nixos 24.11
  2. build sonarr package
  3. see error that dotnet package is insecure

Build log

requires an old version of dotnet (6.x) which has security vulnerabilities against it in nixpkgs so it won't build without permitting those vulnerabilities

Additional context

can we upgrade to dotnet 8 which is LTS?

Notify maintainers


Note for maintainers: Please tag this issue in your PR.

@fadenb @purcell @tie

and maybe @corngood, if my memory serves me correctly?



bobberb commented 4 days ago

https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/by-name/so/sonarr/package.nix

  dotnet-sdk = dotnetCorePackages.sdk_6_0;
  dotnet-runtime = dotnetCorePackages.aspnetcore_6_0;

Are the offending values

aanderse commented 4 days ago

yeah, i tried just replacing them with 8.x but it seems that build scripts expect 6.x

looking in upstream i am under the impression this can build with 8.x but maybe some sort of build time config switch is required

i didn't investigate further than that

gepbird commented 4 days ago

Upstream hasn't updated to .NET 8, but some attempt was made: https://github.com/Sonarr/Sonarr/issues/6597 (from here you can check the linked PRs)

Projects from the same maintainers have PRs for .NET 8:

https://github.com/Radarr/Radarr/pull/10258
https://github.com/Prowlarr/Prowlarr/pull/2195

It takes a lot of effort for them to properly update to .NET 8, but for us applying some bare minimum patches (perhaps from https://github.com/Sonarr/Sonarr/pull/6983) could work.

bakerboy448 commented 2 days ago

Stumbling here from the Starrs / Sonarr - so apologies for the slight off topic

> It takes a lot of effort for them to properly update to .NET 8

https://github.com/Sonarr/Sonarr/pull/7443

correct, they'll be done in due time. It's not just the apps themselves, but the build servers and associated dependencies

Sonarr has ~2 developers working on the project + upstream metadata

prowlarr, radarr, lidarr have ~1 ish

readarr, whisparr have ~noneish

last heard was keeping bsd support - requiring custom build - and older systems support being dropped with net8.0 were the blockers being worked through

corngood commented 2 days ago

why is Sonarr being built rather than using the pre-compiled binaries like Radarr, Prowlarr, etc?

We should always prefer source builds IMO, but someone could add sonarr-bin if it's useful.

Also, anyone can still build this package with NIXPKGS_ALLOW_INSECURE.

aanderse commented 1 day ago

i'll include this snippet here as well, citing discourse:

  nixpkgs.config.permittedInsecurePackages = [
    "aspnetcore-runtime-6.0.36"
    "aspnetcore-runtime-wrapped-6.0.36"
    "dotnet-sdk-6.0.428"
    "dotnet-sdk-wrapped-6.0.428"
  ];

purcell commented 1 day ago

Yeah, we used to package the upstream binaries for Sonarr and friends, in fact, but that's not at all the preferred Nixpkgs approach, so we switched to building from source.