CVE update / `nix` version / very confused

I’m trying to update a bunch of systems to fix the recent CVEs.

My understanding is I need to update the nix package for the root user so I get the new version of the Nix daemon. (Is this understanding correct?)

It’s a fairly vanilla Nix installation on macOS, and the nixpkgs channel of the root user points to https://nixos.org/channels/nixos-25.05.

Now, when I do (as root) nix-env -u nix, I get from nix --version:

nix-2.30pre20250521_76a4d4c2

I expected 2.28.3 or 2.28.4. nix-shell -p nix followed by nix --version gives me 2.28.3. (Same for https://nixos.org/channels/nixpkgs-unstable, except nix-shell -p nix gives me 2.28.4.)

Can anyone explain how I get the pre version from using nix-env -u (also from nix-env -i).

nix-env’s update logic is systemically broken. It doesn’t work by checking for a new package at the same attribute path in nixpkgs (it doesn’t have that information to work with!). Rather, it scrapes the name attributes of every package in nixpkgs, and looks for one that has a higher-looking version. So nix-env -u is giving you the highest version number nix-<something> package that’s in nixpkgs at all. This is one of the reasons some people advise against using nix-env for actual package management in favor of declarative options.

As for getting the fix, fundamentally, you don’t need a different version number, the fixes are deployed by adding a patch to the nixpkgs-provided versions of nix. If you look inside your nixpkgs and see files matching pkgs/tools/package-management/nix/patches/ghsa-*.patch, then your nixpkgs has the fix, even though your nix version stays the same. Build your nix from that nixpkgs, and you’re good.

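The two points in the answer above can both be checked mechanically: whether a given nixpkgs tree carries the ghsa-*.patch files for the nix package, and which of several nix package names "looks highest" (the name-based comparison that nix-env -u selects on). The script below is an added example, not code from the thread or from nixpkgs. It assumes the patch directory path quoted above (pkgs/tools/package-management/nix/patches) and uses sort -V as an approximation of Nix's builtins.compareVersions; the fake nixpkgs tree it builds under mktemp is constructed for the demo and is not a real checkout.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks that mirror the advice above:
#  1. does a nixpkgs tree carry ghsa-*.patch files for the nix package?
#  2. which of several nix package *names* looks highest? (nix-env -u
#     compares names, not attribute paths, so a pre-release can win.)
# Assumptions: the patch path quoted in the thread, and `sort -V` standing
# in for Nix's builtins.compareVersions (close enough for these names).

set -eu

PATCH_DIR=pkgs/tools/package-management/nix/patches

# Return 0 if the nixpkgs tree at $1 has at least one ghsa-*.patch under the
# nix package directory, 1 otherwise (missing directory counts as unpatched).
nixpkgs_has_ghsa_patches() {
    dir="$1/$PATCH_DIR"
    [ -d "$dir" ] || return 1
    for f in "$dir"/ghsa-*.patch; do
        [ -e "$f" ] && return 0   # an unmatched glob stays literal, so -e fails
    done
    return 1
}

# Print the highest-looking version among the given package names.
highest_looking() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Return 0 if a nix version string is a pre-release (contains "pre").
is_pre_release() {
    case "$1" in
        *pre*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo on a constructed, throw-away fake nixpkgs tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/patched/$PATCH_DIR" "$tmp/unpatched/$PATCH_DIR"
    : > "$tmp/patched/$PATCH_DIR/ghsa-example.patch"   # constructed placeholder
    if nixpkgs_has_ghsa_patches "$tmp/patched"; then
        echo "patched tree: fix present"
    fi
    if ! nixpkgs_has_ghsa_patches "$tmp/unpatched"; then
        echo "unpatched tree: no fix"
    fi
    pick=$(highest_looking nix-2.28.3 nix-2.28.4 nix-2.30pre20250521_76a4d4c2)
    echo "name-based update would pick: $pick"
    if is_pre_release "$pick"; then
        echo "warning: that is a pre-release, not a channel release"
    fi
    rm -rf "$tmp"
}

demo
```

On a standard multi-user macOS install the root user's channel is checked out under /nix/var/nix/profiles/per-user/root/channels/nixpkgs, so running nixpkgs_has_ghsa_patches against that path (after nix-channel --update as root) tells you whether the nix you install from it carries the fix, regardless of what nix --version prints. Restarting the daemon afterwards with sudo launchctl kickstart -k system/org.nixos.nix-daemon assumes the launchd label used by the standard installer.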

Thanks for the explanation!

As to getting the fix, I understand how to update the nixpkgs for a user, but what is the procedure for updating the Nix daemon?

My knowledge is almost completely nixos-specific. I’m not sure precisely how the nix daemon is set up outside of that situation. I would assume, however, that the root user’s nix-env profile determines what version of nix is used for the daemon.

Again, thanks for thinking about this!

We’ve arrived at doing:

nix-channel --update
nix-env -iA nixpkgs.nix

… and then restarting the daemon.


That’ll do. As long as you used nix-channel --update, your previous solution should have also worked (albeit by updating further than you intended). The important part is the channel update.

nix-env -iA is safer though, and as long as the package name matches up should replace the old package in the profile.

The v3 nix profile command is a less broken alternative to nix-env that would prevent a bunch of the issues you could have run into here if the package was a bit different, FWIW.