With its 2023.12.0 release the home-assistant package started to more widely depend on its matter integration in through various other components.
Unfortunately, the matter integration is currently only available as binary wheel, and since it is built in an Ubuntu 20.04 container it depends on the OpenSSL version available in that distro release, which is 1.1. We provide openssl_1_1 through autopatchElfHook here.
While nixpkgs still has openssl_1_1 available, we decided a long time ago to set meta.knownVulnerabilities due to its end of life in early September 2023.
The result is that home-assistant will now transitively be flagged insecure for relying on openssl_1_1. To continue using it, a snippet like the following is most likely required:
To my knowledge, we still cache packages depending on openssl_1_1, so there will be no further impact for the time being, but time is surely running out.
In the meantime I’m trying to communicate this problem upstream.
It broke somewhere between v6.3.12..v6.4.0 and our kernel maintainers are trying to bisect it further, but it is a costly process, and it is not guaranteed, that it will yield results.
To unbreak the channel we therefore decided to remove nfs3 from the tested set, and replace it with the newer nfs4.
With the next nixos-unstable evaluation home-assistant will not require allowing openssl-1.1.1w in permittedInsecurePackages any longer. The matter integration that was previously using it was migrated to boringssl (thanks to Matt Leon), which will also benefit Home Assistant upstream, which is awesome!
Please make sure to remove the previously mentioned config snippet, so you’ll become aware again, when you use packages relying on openssl_1_1.
A symlinkJoin wrapper is left at the old path for compatibility which includes most of the toolchain and common libraries, but not e.g. nsight-systems. Use the split packages instead: NixOS Search.
At this time, the dynamic configuration is only implemented for Nvidia (it contains a CDI generator.) It has replaced the virtualisation.containers.cdi.dynamic.enable option with hardware.nvidia-container-toolkit.enable.
It has further features that are not implemented in current unstable, like the ability to add user defined mounts to containers, or the ability to choose whether the user wants to mount nvidia-docker-1 directories or the Nvidia executables inside containers.
An attempt was made to cover all appimageTools.wrapAppImage usages in Nixpkgs but at over 100 packages, it’s likely some were missed or done improperly. If an AppImage breaks the coming week, this may be the culprit, so please point people to the PR.