I am try to upgrade one of my systems to version 25.11 but the rebuild and upgrade of the new generations fails with an error. The rebuild fails because of an internal program that Nix uses is now unsupported: gradle_7
This is an enormous show-stopper, because something like this must not happen in an upgrade. Does any have a solution as to handle this situation? The next step would be to do a clean install, but that would be a negative experience in my environment.
Also, after updating the channel and creating a new build from my configuration.nix I needed to iron out a whole lot of programs by giving them new names - this happen per program after each attempt to run nixos-rebuild switch upgrade. This alone was very time consuming, and just when I thought I was done, I was handed the detail about the gradle version not being supported. This was a sad experience.
Your advice and offered help is greatly appreciated.
Recently I’ve had this issues using unstable flakes. nix-tree does not show dependancies and nixos-rebuild build --show-trace |& grep ‘while evaluating derivation’ does not return anything. If it works for you, you can allow insecure to let the build continue. Not had time to investigate further, but I did think perhaps I was the only one with this issue!
Previously, my configuration.nix had some kde packages like filelight which needed to be renamed kdePackages.filelight, just as an example. There were other items and services that need to be renamed as well; I’ll put together an better answer tomorrow, when I am at my machine again. I will also provide the output from the debug effort that you mention.
Hi again - here is the output from the problem with the failed upgrade:
$ sudo nixos-rebuild switch --upgrade
unpacking channels...
unpacking 1 channels...
building the system configuration...
error:
… while calling the 'head' builtin
at /nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/lib/attrsets.nix:1696:13:
1695| if length values == 1 || pred here (elemAt values 1) (head values) then
1696| head values
| ^
1697| else
… while evaluating the attribute 'value'
at /nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/lib/modules.nix:1118:7:
1117| // {
1118| value = addErrorContext "while evaluating the option `${showOption loc}':" value;
| ^
1119| inherit (res.defsFinal') highestPrio;
… while evaluating the option `system.build.toplevel':
… while evaluating definitions from `/nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/nixos/modules/system/activation/top-level.nix':
… while evaluating the option `system.systemBuilderArgs':
… while evaluating definitions from `/nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/nixos/modules/system/activation/activatable-system.nix':
… while evaluating the option `system.activationScripts.etc.text':
… while evaluating definitions from `/nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/nixos/modules/system/etc/etc-activation.nix':
… while evaluating definitions from `/nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/nixos/modules/system/etc/etc.nix':
… while evaluating the option `environment.etc.dbus-1.source':
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: Package ‘gradle-7.6.6’ in /nix/store/2ax5fc7s1w96xkav8kjmp29g9gb1sd1y-nixos-25.11/nixos/pkgs/development/tools/build-managers/gradle/default.nix:299 is marked as insecure, refusing to evaluate.
Known issues:
- Gradle 7 no longer receives security updates with the release of Gradle 9 on 31 July 2025. https://endoflife.date/gradle
You can install it anyway by allowing this package, using the
following methods:
a) To temporarily allow all insecure packages, you can use an environment
variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
then pass `--impure` in order to allow use of environment variables.
b) for `nixos-rebuild` you can add ‘gradle-7.6.6’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"gradle-7.6.6"
];
}
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘gradle-7.6.6’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"gradle-7.6.6"
];
}
Command 'nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel --no-out-link' returned non-zero exit status 1.
This is a diff of my configuration.nix files before and after trying to upgrade:
And this is the output from the command suggested by waffle:
gustav@288-nixos /etc/nixos
2026-01-06 09:36:20
$ sudo nixos-rebuild build --show-trace |& grep 'while evaluating derivation'
… while evaluating derivation 'etc'
… while evaluating derivation 'dbus-1'
… while evaluating derivation 'system-path'
… while evaluating derivation 'ganttproject-bin-3.3.3316'
… while evaluating derivation 'openjdk-17.0.17+10'
… while evaluating derivation 'openjfx-modular-sdk-17.0.11+3'
gustav@288-nixos /etc/nixos
2026-01-06 09:36:45
$
What I cannot understand, is that the gradle program is never updated with each new generation, and that it obviously remains static. Is this the default behavior of NixOS? I haven’t encountered this blockage on my other NixOS machines?
Since gradle 7 is now marked as insecure, that version of openjfx can no longer be built, and as such you can’t build ganttproject-bin without allowing gradle 7 to be used. You’ll have to wait for it to update to a newer java version, or for openjfx to backport gradle 8 build support to its java 17 branch (which doesn’t seem likely; java 17 will hit EOL this year).
It’s a bit annoying that security of a tool used exclusively at build time cascades like this, but hey, NixOS is doing its best to prevent you from using insecure software.
So, bottom line, you can either allow using gradle 7 (like your error message instructs) if you don’t think gradle 7 being EOL is a significant security problem for your use case, or you can stop using ganttproject-bin entirely.
Or you could find a different way to get a jdk with a pre-built openjfx or something, or contribute to openjfx, or any number of other workarounds that require understanding what you’re doing at least a little.
I don’t really understand what you’re trying to say here.
Yes, removing the gantproject program from the configuration file fixed the the issue with gradle.
My comments about gradle and Nixos was misunderstadingly based on information I found else where, that gave me the impression that NixOS itself was dependent on gradle. This also is apparent that I only experienced this problem on a single machine, and not the others that I had recently upgraded.
Thanks to TLATER and waffle for their kind efforts in solving this problem.
Best regards and happy New Year,
Gustav