Can't upgrade unstable package because of outdated dependency

When I try to rebuild my system I get the following warning:

error: Package ‘electron-13.6.9’ in /nix/store/0pypqlnsmw5k1bkh2njpiyrdp7kiqymn-source/pkgs/development/tools/electron/generic.nix:26 is marked as insecure, refusing to evalua

I found out that the source is the Obsidian package; however, I’m already using the version from unstable, so the solution in "Python 2 package Pillow is marked as insecure" isn’t possible for me.
What would be the usual procedure in such a case?

While evaluating the attribute 'installPhase' of the derivation 'obsidian-0.13.23

This is odd, that version doesn’t appear to be marked as insecure currently:

Have you recently updated both your user and root channels?

More to the point, this is the nixpkgs manual section on the topic of allowing insecure packages: Nixpkgs 23.11 manual | Nix & NixOS

I’d still suggest finding out why this is insecure, rather than just blindly accepting it, and perhaps fixing whatever is causing it to be marked as such (which may be as simple as resolving a mismatch between user and root channels).


I’m using Flakes, do I have to update the channels in that case as well?

If you install the package from your flake, you will need to do nix flake update to advance the flake.lock file to the head of the repos you ‘follow’.

If you are using old tooling like nix-shell, these still use channels; there is a way to unify the system flake to update the channels so that the old tooling and new tooling pull from the same nixpkgs.

@NobbZ has a piece of code that can do this, and could probably explain it a lot better.

The code that does that is here too: Probably taken from @NobbZ in the past 🙂

It sets the nixpkgs path to the input flake, which makes anything that imports <nixpkgs> refer to the system flake, and unbreaks a lot of these things. If you do that, make sure you’ve removed any channels you used before starting to use flakes, so you don’t accidentally use the channels anymore - I’d suggest that in general.

The bit after that also sets the nixpkgs registry entry to the input, which makes commands like nix shell not download the newest nixpkgs-unstable every time (huge usability plus, I’d love to see flakes do this by default somehow one day).

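A flake-based NixOS configuration that does what the post above describes, as an added example that is not the code the post links to. The host name `myhost`, the `x86_64-linux` system, the `./configuration.nix` module and the `nixos-unstable` branch are assumptions; the package name in the allow-list is the one from the error message in this thread.

```nix
{
  # Added example, not the configuration linked in the thread.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; # assumed branch

  outputs = { self, nixpkgs, ... }: {
    # "myhost" is a placeholder host name.
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux"; # assumed platform
      modules = [
        ./configuration.nix # assumed existing system module

        ({ ... }: {
          # Legacy tools (nix-shell, nix-build, nix-env) resolve <nixpkgs>
          # through NIX_PATH. Pointing it at the flake input means they see
          # the same locked nixpkgs revision as the system, not a channel
          # that may be stale.
          nix.nixPath = [ "nixpkgs=${nixpkgs}" ];

          # Flake commands such as `nix shell nixpkgs#hello` resolve
          # "nixpkgs" through the registry. Pinning the entry to the input
          # stops them from fetching the newest upstream revision each time.
          nix.registry.nixpkgs.flake = nixpkgs;

          # If the flagged package has to be allowed for a while, name it
          # explicitly. Unlike NIXPKGS_ALLOW_INSECURE=1, this permits only
          # this one version, so any other package marked insecure still
          # fails evaluation and gets noticed.
          nixpkgs.config.permittedInsecurePackages = [ "electron-13.6.9" ];
        })
      ];
    };
  };
}
```

Because the allow-list entry includes the version, it stops matching once the package moves to a newer Electron and can then be deleted.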

That’s what I did and then got the error:

nix flake update
sudo nixos-rebuild build

And I got /etc/nixos/flake.nix instead of /etc/nixos/configuration.nix

And I got /etc/nixos/flake.nix instead of /etc/nixos/configuration.nix

Not sure what you mean by that, some logs would be fun!

Tried this, it’s still the same.

I mean that I link to a flake.nix file instead of the normal configuration.nix.
For logs you mean the full trace of nixos-rebuild?

It’s not quite the same, as your version changes the NIX_PATH environment variable and is therefore only active for processes that have started after the change, unless they still inherit old values from their parents.

I have my NIX_PATH pointing to fixed locations in the filesystem and change those symlinks’ targets on a rebuild.

I do use tempfiled to do so, which is probably overkill and etc.* hierarchy would be sufficient as well…

I’m a bit confused now, would that help in my case?

Unlikely, sorry for derailing.

I’ve tried this locally on my side too now:

tlater ~ $ NIXPKGS_ALLOW_UNFREE=1 nix shell --impure github:NixOS/nixpkgs/nixpkgs-unstable#obsidian
error: Package ‘electron-13.6.9’ in /nix/store/lgma05szq43zgqnjmzilahsd52il3phg-source/pkgs/development/tools/electron/generic.nix:26 is marked as insecure, refusing to evaluate.

       Known issues:
        - Electron version 13.6.9 is EOL

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘electron-13.6.9’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

              nixpkgs.config.permittedInsecurePackages = [

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘electron-13.6.9’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

              permittedInsecurePackages = [
(use '--show-trace' to show detailed location information)

Incidentally, that command lists all the ways you can work around this without fixing the problem.

I’m personally at a loss as to why the package is refusing to install, it may be a bug in the version-check function? You could try overriding the version of electron obsidian uses, test out the version check function in a nix repl, or maybe just concede and mark the package as usable despite insecure. I’d love to see a fix upstream though, if you can figure one out, or I may try later tonight 🙂

Actually, this issue was raised a little after your post: Obsidian depends on an electron version that is EOL · Issue #158956 · NixOS/nixpkgs · GitHub

Seems it’s actually correctly reported as EOL, despite the nixpkgs metadata being outdated? How does it know?!?

Edit: Never mind, looks like there’s a new commit:

Who knows what caching magic resulted in this confusion, you seem to simply have tried updating at the worst possible time; using the insecure version for the minute is probably fine, if you wait a couple of days it will probably be resolved, or you could even attempt a patch for this yourself.


Good to know, thank you.
I thought about opening an issue about it but I don’t really know what the guidelines for that are and how quick things like this usually get discovered.
I’ll go with the insecure variant for the moment, if it takes too long I’ll probably try to overwrite the Electron package.

If you are tracking nixpkgs unstable, things move fast from broken to fixed to broken.

If you want a smoother ride, don’t use unstable!!!

Maybe nixos-unstable should be renamed to “UNSTABLEno-it-really-is-unstable”

@NobbZ do you know what the long term plan is to remove channels entirely, and just rely on flakes, and what a system would look like that didn’t use any kind of channels?

I hope they remove channels soon, but leave the NIX_PATH as a compatibility measure for a long time.

Though I doubt it will be like that, and think that channels will still be available in versions much after 4.0…


I don’t mind unstable for certain packages, just wanted to know how to proceed in this case.
After all I’m still fairly new to NixOS.

All the more reason to use stable. Good luck, keep nixing!

For system applications absolutely, Obsidian isn’t that important or critical.
