I just updated my nixpkgs input and now the nodejs-20.20.2 package (prolly used by another package and idk why) is flagged as insecure, no big deal i just gotta add it to nixpkgs.config.permittedInsecurePackages, which I do:

  nixpkgs.config.permittedInsecurePackages = [
    "nodejs-20.20.2"
    "electron-38.8.4"
  ];

Except that it STILL doesn’t rebuild and tells me the same error message as when I hadn’t added it to the permitted insecure packages

       error: Refusing to evaluate package 'nodejs-20.20.2' in /nix/store/1hb1glkkpl6vjjpfrwzmvjyvhcyqfxfk-source/pkgs/development/web/nodejs/nodejs.nix:689 because it is marked as insecure

       Known issues:
        - This NodeJS release has reached its end of life. See https://nodejs.org/en/about/releases/.

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘nodejs-20.20.2’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "nodejs-20.20.2"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘nodejs-20.20.2’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "nodejs-20.20.2"
              ];
            }

not sure what to do when the option to allow insecure packages does not allow insecure packages, weirdly enough tho it works just fine with

  • chirping@infosec.pub
    1 day ago

    not 100% sure but I think the permittedInsecurePackages option takes effect after the rebuild. Doing the first rebuild with the env-override and --impure should work, and then it should work without for the next ones.

  • Laser@feddit.org
    2 days ago

    I’m not sure this is the case here, but I once had it that an insecure package was a dependency of a package outside nixpkgs; in that case you need to allow the insecure package where the other package was defined. Your package whitelist only applies to your nixpkgs instance; a non-nixpkgs package will use its own instance.

  • Corbin@programming.dev
    2 days ago

    Several things come to mind. First, I think that you followed the instructions correctly; it doesn’t look like you did anything wrong, and I’m guessing that this previously worked for Electron. Second, I would consider hunting down the insecure packages and fixing them; my main tool for this would be nix-tree. Try nix run nixpkgs#nix-tree, using the ‘/’ key to find “nodejs” packages. Third, if you have one insecure network-facing package then you might as well consider marking the entire system as temporarily insecure and exporting NIXPKGS_ALLOW_INSECURE to the environment; this is overkill but it will tell you whether there are other existential issues with your configuration.

    • claymorwan@lemmy.blahaj.zone (OP)
      2 days ago

      Yea I’m pretty sure I also did this correctly since it in fact worked just fine with this electron package I’ve had in here for a little while now. Looking in nix-tree and searching for nodejs, the only nodejs versions I’m finding are 24.14.1 and no sign of the insecure version. Tried exporting the env and rebuilding my config but it didn’t work either

  • Corngood@lemmy.ml
    2 days ago

    We probably need more info. Exact commands and ideally the content of what you’re evaluating (a flake I’m assuming based on what you said about inputs).

    It’s hard to tell if what you’ve done will actually apply to the evaluation of nixpkgs in your flake, and nixpkgs may be evaluated multiple times.

    • claymorwan@lemmy.blahaj.zone (OP)
      2 days ago

      yea I’m in fact evaluating a flake, u can find it here, but I usually override my inputs’ nixpkgs input with mine. I’m using nh to rebuild my config, running nh os switch -H nixos

      • Laser@feddit.org
        2 days ago

        The input doesn’t really matter, it’s how the input is actually used in the flake. In fact it might be the overriding that is causing the issue in the first place when the flake you’re evaluating uses an older nixpkgs where the offensive package isn’t marked insecure yet and hence isn’t explicitly permitted, and then it fails because you’re overriding it with a nixpkgs where it is marked insecure.

        • claymorwan@lemmy.blahaj.zone (OP)
          1 day ago

          so overriding this potential flake’s nixpkgs input won’t apply my permitted insecure package? dam i thought it would, ig i gotta hunt for that flake now

          • Laser@feddit.org
            1 day ago

            It’s a bit of a silly situation, I ran into it before when I created a flake for an unfree application. You can’t allow that unfree application in your nixpkgs system instantiation because the evaluation fails in the application flake; however, allowing that package there allows it on any system that uses the flake, even if they disallow unfree in their nixpkgs.
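
Added example, not posted by anyone in the thread: a standalone Nix expression illustrating the point raised in the replies that `permittedInsecurePackages` belongs to one nixpkgs instantiation and is not inherited by another `import` of the same source. It assumes `<nixpkgs>` resolves to the same pin as the system, that the flagged package is reachable as the attribute `nodejs_20` (an assumption, the thread only gives the name `nodejs-20.20.2`), and that `NIXPKGS_ALLOW_INSECURE` is unset.

```nix
# two-instances.nix (constructed example; file name is arbitrary)
let
  src = <nixpkgs>;

  # Stand-in for the system's own instance: this is what
  # `nixpkgs.config.permittedInsecurePackages` in a NixOS module configures.
  mine = import src {
    config.permittedInsecurePackages = [ "nodejs-20.20.2" ];
  };

  # Stand-in for a third-party flake that does its own `import nixpkgs { ... }`.
  # Pointing its nixpkgs input at yours swaps `src`, but this config stays
  # whatever that flake wrote. `config = { }` also keeps
  # ~/.config/nixpkgs/config.nix out of the comparison.
  theirs = import src { config = { }; };

  # The insecure check is a `throw` raised when the derivation is forced,
  # so tryEval on drvPath reports whether this instance accepts the package.
  accepts = pkgs: (builtins.tryEval pkgs.nodejs_20.drvPath).success;
in
{
  mine = accepts mine;
  theirs = accepts theirs;
}
```

Evaluate it with `nix-instantiate --eval --strict two-instances.nix`; when the two fields differ, the refusal is coming from an instance your allow-list never reaches, which is the situation where the package has to be permitted in the place that instance is created.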