Allow insecure packages in flake.nix

chnorton · October 26, 2023, 9:53pm

I have been working on some updates to nix-node, which allows installation of multiple versions of nodejs, including older versions that are no longer supported:

This has been working, except that the versions of node that are no longer officially supported are marked as insecure and cannot be installed or built. For example, attempting to build version 16.18.0 returns this error:

error: Package ‘nodejs-16.18.0’ in /nix/store/vkf7qqw2pmpxfhs5axsjmv1sbwdkqzhs-source/flake.nix:305 is marked as insecure, refusing to evaluate.

In trying to update the package to allow these versions to be installed, I have been following these sources:

github.com

nix-community/todomvc-nix/blob/d6062db89e5716e8d326dc1a1dafb3649cf9d639/flake.nix#L32


      
          inputs.miso = { url = "github:dmjio/miso/master"; flake = false; };
          
          
outputs = { self, nixpkgs, naersk, mozilla-overlay, flake-utils, devshell, polysemy, http-media, servant, miso, servant-jsaddle }:
            {
              overlay = import ./overlay.nix { inherit polysemy http-media servant miso servant-jsaddle; };
            }
            //
            (
              flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
                let
                  pkgs = import nixpkgs {
                    inherit system;
                    # Makes the config pure as well. See <nixpkgs>/top-level/impure.nix:
                    config = {
                      allowBroken = true;
                      permittedInsecurePackages = [
                        "openssl-1.0.2u"
                      ];
                    };
                    overlays = [
                      mozilla-overlay.overlay

Unfortunately I’m a bit of a nix noob and cannot work out how to apply these changes to the existing flake.nix:

github.com

fontis/nix-node/blob/1ee6a5be90af235c8af301565af506caa6ccfd04/flake.nix#L9


      
          {
            description = "NodeJS releases for use with nix";
            inputs = {
              flake-utils.url = "github:numtide/flake-utils";
              nixpkgs.url = "github:nixos/nixpkgs";
            };
            outputs = { self, nixpkgs, flake-utils }:
              flake-utils.lib.eachDefaultSystem (system:
                with nixpkgs.legacyPackages.${system}; {
                  packages = let
                    buildNodejs20 =
                      callPackage "${nixpkgs}/pkgs/development/web/nodejs/nodejs.nix" {
                        icu = icu72;
                        python = python3;
                      };
                    buildNodejs18 =
                      callPackage "${nixpkgs}/pkgs/development/web/nodejs/nodejs.nix" {
                        icu = icu72;
                        python = python3;

My naive attempts to slot similar code in have either resulted in syntax errors, or simply don’t work. Would anyone be able to let me know where I should set the permittedInsecurePackages list in the above code?

jtojnar · October 28, 2023, 4:59pm

Just replace

nixpkgs.legacyPackages.${system}

with

(import nixpkgs {
  inherit system;
  config = {
    permittedInsecurePackages = [
      "foo"
    ];
  };
})

That is basically how legacyPackages are defined in Nixpkgs:

github.com

NixOS/nixpkgs/blob/cf830f7890e3fc59d352f0a28775d161c57c0dd6/flake.nix#L56


      
          
          
# The "legacy" in `legacyPackages` doesn't imply that the packages exposed
          # through this attribute are "legacy" packages. Instead, `legacyPackages`
          # is used here as a substitute attribute name for `packages`. The problem
          # with `packages` is that it makes operations like `nix flake show
          # nixpkgs` unusably slow due to the sheer number of packages the Nix CLI
          # needs to evaluate. But when the Nix CLI sees a `legacyPackages`
          # attribute it displays `omitted` instead of evaluating all packages,
          # which keeps `nix flake show` on Nixpkgs reasonably fast, though less
          # information rich.
          legacyPackages = forAllSystems (system: import ./. { inherit system; });
          
          
nixosModules = {
            notDetected = ./nixos/modules/installer/scan/not-detected.nix;
          
          
  /*
              Make the `nixpkgs.*` configuration read-only. Guarantees that `pkgs`
              is the way you initialize it.
          
          
    Example:

Though see the discussion in Using nixpkgs.legacyPackages.${system} vs import for caveats.

chnorton · October 30, 2023, 12:51am

Thank you so much, that was the key that I was missing.