Allow insecure packages in flake.nix

I have been working on some updates to nix-node, which allows installation of multiple versions of nodejs, including older versions that are no longer supported:

This has been working, except that the versions of node that are no longer officially supported are marked as insecure and cannot be installed or built. For example, attempting to build version 16.18.0 returns this error:

error: Package ‘nodejs-16.18.0’ in /nix/store/vkf7qqw2pmpxfhs5axsjmv1sbwdkqzhs-source/flake.nix:305 is marked as insecure, refusing to evaluate.

In trying to update the package to allow these versions to be installed, I have been following these sources:

Unfortunately I’m a bit of a nix noob and cannot work out how to apply these changes to the existing flake.nix:

My naive attempts to slot similar code in have either resulted in syntax errors, or simply don’t work. Would anyone be able to let me know where I should set the permittedInsecurePackages list in the above code?

Just replace

# Package set exposed by the nixpkgs flake, evaluated with default config (no permittedInsecurePackages).
nixpkgs.legacyPackages.${system}

with

# Evaluate nixpkgs explicitly so that `config` applies to this package set.
(import nixpkgs {
  inherit system;
  config = {
    # Allowlist of packages that may be evaluated despite being marked insecure.
    # Entries are full name-version strings as quoted in the
    # "is marked as insecure" error (e.g. "nodejs-16.18.0"); "foo" is a placeholder.
    # This only lifts the evaluation check; the package stays as vulnerable as before.
    permittedInsecurePackages = [
      "foo"
    ];
  };
})

That is basically how legacyPackages are defined in Nixpkgs:

Though see the discussion in Using nixpkgs.legacyPackages.${system} vs import for caveats.


Thank you so much, that was the key that I was missing.

Hello, I’m having essentially the same issue, but with libolm. I tried the solution offered in this thread but it didn’t work in my situation.

Here is my complete flake:

{
  description = "Matrix bot to post daily ASL definitions to encourage continued learning.";

  inputs = {
    nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable"; };

    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = {
    self,
    nixpkgs,
    flake-utils,
  }: let
    nixosModule = {
      config,
      lib,
      pkgs,
      ...
    }: {
      options.services.signasl = {
        enable = lib.mkEnableOption "Matrix bot that posts ASL vocabulary to a specified room.";
        # NOTE(review): systemd.services.signasl is nested inside options.services.signasl; such definitions normally live under `config` — confirm.
        systemd.services.signasl = {
          description = "Matrix bot that posts ASL vocabulary to a specified room.";
          wantedBy = ["multi-user.target"];
          after = ["network.target"];
          serviceConfig = {
            ExecStart = "${self.packages.${pkgs.system}.default}/bin/signasl";
            Restart = "always";
            Type = "simple";
            DynamicUser = "yes"; # systemd allocates a transient unprivileged user for the service
          };
        };
      };
    };
  in
    (flake-utils.lib.eachDefaultSystem (system: 
      with (import nixpkgs { # configured nixpkgs instance; `with` puts its attributes in scope below
        inherit system;
        config = {
          permittedInsecurePackages = [
            "olm-3.2.16" # full name-version, as quoted in the "is marked as insecure" error
          ];
        };
      }); {
        # NOTE(review): both nixpkgs.legacyPackages.${system} references below bypass the configured instance above, so the olm exception never applies to them.
        packages.default = nixpkgs.legacyPackages.${system}.buildGoModule {
          pname = "signasl";
          version = "0.1.0";
          src = ./.;
          # null: buildGoModule uses the vendor/ directory shipped in src instead of fetching modules
          vendorHash = null;
          # olm comes from the unconfigured package set here, which is what triggers the "marked as insecure" refusal
          buildInputs = [ nixpkgs.legacyPackages.${system}.olm ];
        };

      apps.default = {
        type = "app";
        program = "${self.packages.${system}.default}/bin/signasl";
      };

      # NOTE(review): defined inside eachDefaultSystem, so this output ends up keyed per system like packages/apps — confirm that is intended.
      nixosModules.default = nixosModule;
    }));
}

What should I do to allow the olm package?

What command, what error?

What I ran:

nix flake update, and I also tried nix build

The error:

error:
       … while checking flake output 'packages'
         at /nix/store/01x5k4nlxcpyd85nnr0b9gm89rm8ff4x-source/lib.nix:43:9:
           42|       // {
           43|         ${key} = (attrs.${key} or { }) // {
             |         ^
           44|           ${system} = ret.${key};

       … while checking the derivation 'packages.x86_64-linux.default'
         at /nix/store/xkfk5j5f3kf2pw6y3mxific86r4cg789-source/flake.nix:48:9:
           47|
           48|         packages.default = nixpkgs.legacyPackages.${system}.buildGoModule {
             |         ^
           49|           pname = "signasl";

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: Package ‘olm-3.2.16’ in /nix/store/22r7q7s9552gn1vpjigkbhfgcvhsrz68-source/pkgs/by-name/ol/olm/package.nix:31 is marked as insecure, refusing to evaluate.

…plus a bunch of informational output that I didn’t include.

That’s because you used nixpkgs.legacyPackages.<system> which is unconfigured. You configured a nixpkgs instance, now use it.

  # buildGoModule and olm are unqualified, so they are meant to resolve through the
  # enclosing `with (import nixpkgs { ... config.permittedInsecurePackages ... })`,
  # i.e. the instance that actually carries the olm exception.
  # The exception only permits evaluation; the olm build itself is unchanged.
  packages.default = buildGoModule {
          pname = "signasl";
          version = "0.1.0";
          src = ./.;
          vendorHash = null;
          buildInputs = [ olm ];
        };

Also fix the src, see Working with local files — nix.dev documentation

And get rid of apps entirely, it’s redundant.

That did the trick, and makes sense now. Thank you for the help, I appreciate it!

I’m having the same issue. I’m trying to disable the security check for the insecure Python ecdsa package in a flake I’m working on. I don’t want to allow it for the whole system, because it really is a security hole, just not in the way the program I want to work with uses it.

The flake I’m using is here: flake.nix · b64991affbd19e23ab08af04d9cce41a438d2eb7 · Strange Crew / Experiments / nix / trezor-agent-test · GitLab

{
  description = "simple shell environment to verify trezor-agent package";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = {self, nixpkgs, flake-utils}:
    flake-utils.lib.eachDefaultSystem (system:
    let
      # Flake-local nixpkgs instance: the exception below is limited to package sets
      # built from `pkgs`, whereas NIXPKGS_ALLOW_INSECURE=1 lifts the check for every
      # insecure package.
      pkgs = import nixpkgs {
        inherit system;
        config = {
          # NOTE(review): entries are compared against the package's full name, so this
          # string must be identical to the name quoted in the "is marked as insecure"
          # error. nixpkgs normally names Python packages `python3.13-<pname>-<version>`
          # (no dash after `python`) — compare against the error text.
          permittedInsecurePackages = ["python-3.13-ecdsa-0.19.1"];
        };
      };
    in
    {
      # Development shell built from the configured `pkgs` above.
      devShell = pkgs.mkShell {
        packages = with pkgs; [
          trezor-agent
        ];
      };
    });
}

Am I applying the suggested fix incorrectly?

I can attempt to use the flake anyway if I add NIXPKGS_ALLOW_INSECURE=1 to the environment, but that’s what I’m trying to avoid. It then promptly fails because nix pulls the wrong click for it but I’ll be posting a ticket about that after I mess about a bit more.

I’m in the wheel group and I’ve made it a trusted user.

I did also try with --impure when NOT setting the environment variable, expecting the config in this flake to solve it.

I tried nix develop -vL . with that flake and got the same result, strangely. Unaware why, though, would appreciate a solution.