Error while updating?

Last week I was trying to install some new software; after editing my config.nix (here the full config) and running sudo nixos-rebuild switch I got an error. At first I thought it was some problem with dependencies/some packaging and decided to wait a week for the next auto-update for it to be solved, as once happened.

However, upon today's scheduled update, I noticed it didn't update, and so I decided to manually run the command again to check if the same error was occurring, and it was.

This is what the terminal gives me:

building the system configuration...
evaluation warning: system.stateVersion is not set, defaulting to 25.11. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion.
evaluation warning: The option `services.xserver.desktopManager.gnome.enable' defined in `/etc/nixos/configuration.nix' has been renamed to `services.desktopManager.gnome.enable'.
evaluation warning: The option `services.xserver.displayManager.gdm.enable' defined in `/etc/nixos/configuration.nix' has been renamed to `services.displayManager.gdm.enable'.
evaluation warning: The option `hardware.pulseaudio' defined in `/etc/nixos/configuration.nix' has been renamed to `services.pulseaudio'.
error:
       … while calling the 'head' builtin
         at /nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/lib/attrsets.nix:1696:13:
         1695|           if length values == 1 || pred here (elemAt values 1) (head values) then
         1696|             head values
             |             ^
         1697|           else

       … while evaluating the attribute 'value'
         at /nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/lib/modules.nix:1118:7:
         1117|     // {
         1118|       value = addErrorContext "while evaluating the option `${showOption loc}':" value;
             |       ^
         1119|       inherit (res.defsFinal') highestPrio;

       … while evaluating the option `system.build.toplevel':

       … while evaluating definitions from `/nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/nixos/modules/system/activation/top-level.nix':

       … while evaluating the option `system.systemBuilderArgs':

       … while evaluating definitions from `/nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/nixos/modules/system/activation/activatable-system.nix':

       … while evaluating the option `system.activationScripts.etc.text':

       … while evaluating definitions from `/nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/nixos/modules/system/etc/etc-activation.nix':

       … while evaluating definitions from `/nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/nixos/modules/system/etc/etc.nix':

       … while evaluating the option `environment.etc.dbus-1.source':

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: Package ‘python3.13-ecdsa-0.19.1’ in /nix/store/a0mnlgzx4jcfq2258iis9l3ggj9za0s7-nixos/nixos/pkgs/development/python-modules/ecdsa/default.nix:43 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2024-23342

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘python3.13-ecdsa-0.19.1’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "python3.13-ecdsa-0.19.1"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘python3.13-ecdsa-0.19.1’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "python3.13-ecdsa-0.19.1"
              ];
            }
Command 'nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel --no-out-link' returned non-zero exit status 1.

Even after rereading it multiple times, I'm honestly clueless about what could possibly be causing this and how to proceed. Any ideas?

It appears the python package ecdsa has a CVE and won't fix it, and states it's a teaching tool, not to be used in production - so nixpkgs has marked it as insecure.

If you want to still use it, the output you provided shows a few solutions - one, you can export the env var NIXPKGS_ALLOW_INSECURE=1 - which would work for one run, but you state you have it automated.

You can add this to your config:

              nixpkgs.config.permittedInsecurePackages = [
                "python3.13-ecdsa-0.19.1"
              ];

To allow it.

Or you can remove the package from your config.

HTH!


The reason you can’t find this package in your config is that a package you’re using depends on this one - you should figure out which package that is and then either stop using whatever that is, or at least take the problem upstream.

A low-tech way of figuring this out is just to comment out packages until you find the culprit.

More reasonably, you can use nix-tree to browse the dependency tree, and just search for this package.

While I’m at it:

Please set that option immediately (yes, even if you’re using unstable), and never change/remove it again.

I’ve dug into it. It’s electrum. I think it’s pretty safe to say that you don’t want to use an insecure encryption library for your crypto wallet.

There’s an open issue about updating the package, but it hasn’t been merged yet: electrum: fix building, update 4.6.0 -> 4.6.2 by starius · Pull Request #456881 · NixOS/nixpkgs · GitHub

No option in the meantime but to ignore the error (though I would just not update until that PR lands so that you don't accidentally forget to undo the permission), apply that PR downstream, or switch to a different wallet.

In this specific case, the PR suggests that this CVE is not too problematic, so you’re probably ok waiting for a while, but be wary of simply ignoring insecure packages.


For future reference:

nixos-rebuild build --show-trace |& grep 'while evaluating derivation'

will show you the chain of dependencies.

Wouldn't work in this case, since it's an eval error.


The package would still exist on the existing system, so you could still find the dependant. But yep, I didn’t realize it’d show up in the trace, that’s a much better way.

You mind if I ask how to set that up? (I always thought this was just usual and never paid much attention to it as I use the unstable channel.)

Also, I guess that in the meantime, while I could just permit insecure packages, I will remove electrum AND wait for a bit (it's some versions outdated anyway, and I use it as a watch-only wallet tbh, so not losing a lot). Thanks a lot!

Uncomment line 229 from your pastebin and change the value to 25.11. Normally you shouldn’t change that value (as the comment above it says), but by commenting it out you’ve been running with 25.11 for a while now and that means you should probably stay at that value. Any damage would have been done by now.

You’ll have to move it up a little too, of course, since at some point the attrset’s closing } moved as well. I would recommend moving the associated comment while you’re at it for future reference.
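The changes recommended across the thread, gathered into one configuration.nix fragment as an added example (this is not the poster's pastebin config and does not reproduce its layout; the pulseaudio value and the electrum package entry are assumptions). Removing the dependant is shown as the active choice; the explicit allow-list is left commented out because, unlike the NIXPKGS_ALLOW_INSECURE=1 export, it would persist across the automated rebuilds:

```nix
{ config, pkgs, ... }:

{
  # The rebuild warned that these three options were renamed; use the new names
  # so the warnings stop and the old paths can be dropped cleanly later.
  services.displayManager.gdm.enable = true;
  services.desktopManager.gnome.enable = true;
  # Assumption: the original config's hardware.pulseaudio value is not visible here.
  services.pulseaudio.enable = false;

  # Set once and never change again. The warning defaulted to 25.11 while the
  # line was commented out, so staying at that value matches the running system.
  system.stateVersion = "25.11";

  environment.systemPackages = with pkgs; [
    # electrum pulls in python3.13-ecdsa-0.19.1 (CVE-2024-23342). Removed until
    # the nixpkgs update PR lands; re-add it then and rebuild.
    # electrum
  ];

  # Alternative: allow exactly this one insecure package. Pin the full name and
  # version so a future bump is caught again, and delete the entry once it is
  # no longer needed; never use a wildcard here.
  # nixpkgs.config.permittedInsecurePackages = [
  #   "python3.13-ecdsa-0.19.1"
  # ];
}
```

After switching, `nixos-rebuild switch` should run without the rename warnings; if the insecure-package error returns, something else in the config has picked up ecdsa and `nix-tree` on the current system closure will show which.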