Building Python with asdf in a nix-shell madness

I’m relatively new to nix, so I’m trying to slog through what I can. But I’ve hit a point where I’m a bit lost.

What I’m trying to do, generally, is to create a shell.nix that I can take with me across machines to have a single, unified, consistent terminal environment as much as possible. First question: is that actually reasonable?

The main question, regardless of whether that’s a good idea or not, is that I’ve installed asdf-vm in the main shell and I want to use that to install particular versions of Python. I need a specific version of Python for a work project that’s pinned. When I run asdf install python 3.9.5, I keep running into various errors. Here are two that I can’t get past, and I feel like I’m missing something fundamental here.

First is the SSL module, complaining that libssl is missing.

Could not build the ssl module!
Python requires an OpenSSL 1.0.2 or 1.1 compatible libssl with X509_VERIFY_PARAM_set1_host().

The second is that it can’t build zlib.

I have both openssl and zlib included in buildInputs, but I see that they both have ‘dev’ outputs. I looked at Nixpkgs 23.11 manual | Nix & NixOS but I’m confused as to what I actually need to do with this information. I feel like if I understand what I’m missing here, I could probably fix most everything else.

The sample nix shell I’m playing with is pasted below:

let
  nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-unstable";
  pkgs = import nixpkgs { config = {}; overlays = []; };
in

pkgs.mkShell {
  buildInputs = with pkgs; [
    libffi
    # note: also tried openssl.dev, same issue
    openssl
    zlib
  ];

  packages = with pkgs; [
    cacert
    curl
    openssh
    which
    wget
    zip

    asdf-vm
  ];

  shellHook = ''
    source ${pkgs.asdf-vm}/etc/profile.d/asdf-prepare.sh
    source ~/.bashrc
  '';
}

Then I run:

nix-shell sample.nix --pure
asdf plugin add python
asdf install python 3.9.5

I’d appreciate any links to any relevant info or any ideas here. I’ve been searching for a while and I’ve hit some dead ends.

Not nix answers but googling gave these descriptions.

My guess is that the asdf python needs a more up-to-date ssl library.

In this case you have to work out where asdf is looking for the ssl library.

I suspect using nix instead of asdf might be easier :)

openssl in nixpkgs is openssl 3. See NixOS Search

openssl 1.1 is also available. See NixOS Search

However, openssl 1.1 is EOL and in nixpkgs it is marked as such. You’ll need to explicitly specify that you’ll allow this package. Inside config = {} you’ll have to set permittedInsecurePackages = ["openssl-1.1.x"] so that Nix doesn’t complain about the package being insecure.

Apparently asdf only includes a precompiled version of python that depends on openssl 1.1. You could also consider using GitHub - cachix/nixpkgs-python: All Python versions, kept up-to-date on hourly basis using Nix., which also holds most python versions, like asdf, but built using Nix. From what I could tell these packages use openssl 3.

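The configuration the reply above describes, written out as a shell.nix. This is an added example, not code from the thread. The attribute `openssl_1_1`, the exact version string `openssl-1.1.1w`, and the use of `CPPFLAGS`/`LDFLAGS` to point the Python build at the split `dev` outputs are assumptions.

```nix
let
  nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-unstable";
  pkgs = import nixpkgs {
    overlays = [];
    config = {
      # Scope the exception to this one import rather than a user-wide
      # ~/.config/nixpkgs/config.nix, so no other environment silently
      # picks up the end-of-life OpenSSL.
      # Assumption: the exact name. If it does not match, the "insecure
      # package" evaluation error prints the string Nix expects.
      permittedInsecurePackages = [ "openssl-1.1.1w" ];
    };
  };
  # Assumption: the fetched nixpkgs revision still carries this attribute.
  ssl = pkgs.openssl_1_1;
in
pkgs.mkShell {
  buildInputs = [ pkgs.libffi ssl pkgs.zlib ];
  packages = with pkgs; [ cacert curl which asdf-vm ];

  # Headers live in the "dev" output, shared libraries in the default
  # output. Assumption: the Python build started by asdf reads these
  # variables to locate them.
  CPPFLAGS = "-I${pkgs.lib.getDev ssl}/include -I${pkgs.lib.getDev pkgs.zlib}/include";
  LDFLAGS = "-L${pkgs.lib.getLib ssl}/lib -L${pkgs.lib.getLib pkgs.zlib}/lib";

  shellHook = ''
    source ${pkgs.asdf-vm}/etc/profile.d/asdf-prepare.sh
  '';
}
```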

Thank you! I had briefly noticed the version but my brain had marked it up as “3 > 1.1 so not an issue”, but in hindsight that was dumb of me. Both approaches here are very useful for me to help push forward, thanks!
