Formalized "Legacy Package" Process for Critical Updates in Nixpkgs

spiage · November 24, 2025, 6:28pm

Hello everyone,

I would like to start a discussion about a recurring and painful problem in nixpkgs, which we recently faced with the langchain update. I propose we consider a formalized process for handling such situations to make the ecosystem more resilient and reduce the burden on maintainers.

Problem Description

Periodically, a critical library update in nixpkgs introduces breaking API/ABI changes (for example, libfoo from 1.x to 2.0). This leads to a cascade of build failures for all packages that depend on it (A, B, C, …).

Current Consequences:

Master branch blockage: The dependent package tree fails to build for several days or even weeks.

Rushed “Hacks”: Maintainers of dependent packages are forced to quickly create fragile patches to unblock the build, which is a temporary and unreliable solution.

Proposed Solution: Temporary “Legacy” Packages

I propose introducing a formalized process for creating temporary legacy packages during the transition period.

How it should work:

Trigger: The process is activated when a maintainer plans an update that breaks ABI/API and is expected to affect more than N packages (for example, N=5).

Action: Along with the commit updating the main package (libfoo to 2.0), a new package (libfoo-prev_semver) is added in the same PR.

This package contains the previous stable version (1.x).

It should be marked with a special attribute, for example: meta.isTemporaryLegacy = true;.

Legacy Package Lifecycle (Key Point):

Automatic Expiration: The package is assigned a lifespan (EOL), for example, 3-6 months from creation.

Automated Reminders: The CI system or a bot can automatically create Issues/PRs to remind about the need to remove the package after its EOL.

Marking as Outdated: One month before removal, the package is automatically marked as insecure to encourage migration away from it.

Adapting Dependent Packages: Maintainers of packages A, B, C can quickly and safely switch their dependencies to libfoo-1, immediately unblocking the master branch. This gives them time to properly adapt to the new libfoo 2.0 version.

Advantages of This Approach

Unblocks Master: The build is restored within hours, not days/weeks.

Continuous Security Updates: Critical fixes continue to flow into nixpkgs.

Reduced Stress and Load: Maintainers don’t have to work in emergency mode and can plan their work.

Prevents “Package Pollution”: A formalized and automated lifecycle directly addresses the main concern about repository “pollution”. The temporary package won’t be forgotten and won’t remain in the system forever.

Clear Path for Upstream Interaction: Creates a clear signal for upstream developers: you have several months to adapt, after which the old version will no longer be supported in Nixpkgs =)

Open Questions for Discussion

What should the activation threshold be (number of broken packages)?

Who is responsible for creating the legacy package — the author of the main update or a dedicated team?

What is the optimal lifespan for such packages? 3 or 6 months?

Which naming scheme is preferable (pkgname-prev_semver, pkgname_legacy)?

I am confident that introducing such a process will make nixpkgs a healthier and more predictable project for both maintainers and end users.

What does the community think?

arianvp · November 24, 2025, 6:52pm

Can you give examples of this happening? The exact scenario you describe is why we have the staging workflow. Packages with lots of downstream dependencies shouldn’t get breaking changes merged to master ever. They should go through staging and staging-next. What is lacking in those flows according to you?

spiage · November 24, 2025, 7:10pm

Can you please read this thread

github.com/NixOS/nixpkgs

open-webui: build failures

opened 03:09PM - 14 Nov 25 UTC

closed 09:23AM - 22 Nov 25 UTC

GEMISIS

0.kind: bug

### Nixpkgs version - Stable (25.05) ### Describe the bug Trying to get the l…atest version of open-webui and am hitting a bunch of build failures. There's an issue with several langchain tests requiring a bash shell, conflicting python version requirements, and other various issues when it gets built, and since there's no cached version with Hydra since it's unfree, this means you have to build from source each time. Working around these with overlays but it's janky. ### Steps to reproduce # Steps to Reproduce The following steps reproduce the build failures encountered when attempting to build `open-webui` on NixOS (both with and without overlays). These steps assume: - NixOS 24.11 or unstable (any recent revision) - flakes enabled - Python 3.13 is the default interpreter in nixpkgs - `open-webui` version 0.6.36 (current in nixpkgs) --- ## 1. Create a minimal flake using NixOS + home-manager + open-webui **flake.nix:** ```nix { description = "Minimal reproduction of open-webui build failures"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, home-manager, ... }: let system = "x86_64-linux"; in { nixosConfigurations.repro-host = nixpkgs.lib.nixosSystem { inherit system; modules = [ home-manager.nixosModules.home-manager { services.open-webui.enable = true; # Optional: allow unfree so open-webui enables MongoDB nixpkgs.config.allowUnfree = true; # Minimal config for trusted-users (builds can run as non-root) nix.settings.trusted-users = [ "root" ]; # Standard options networking.hostName = "repro-host"; system.stateVersion = "24.11"; } ]; }; }; } ```` --- ## 2. Attempt to build the system Run: ```bash sudo nixos-rebuild switch --flake .#repro-host ``` --- ## 3. Observe failures in Python dependencies During the build, the following Python packages consistently fail: ### `langchain` * Fails due to tests invoking `/bin/bash` inside sandbox ### `langchain-community` * Fails during test collection (21+ errors) ### `fpdf2` * Fails due to deterministic image hash comparisons differing from upstream --- ## 4. Observe that `open-webui` fails even with dependent test suites disabled Even when adding overlays that disable test phases for all three Python dependencies, `open-webui` still fails during `pythonCatchConflictsPhase` with: * duplicate `langchain` derivations in closure * conflict hooks aborting the build --- ## 5. If running the build as a non-root user, observe trust issues Running: ```bash nix build nixpkgs#open-webui ``` may emit: ``` [INFO] You are not trusted by store uri: daemon ``` which disables substituters and forces all builds to occur locally. --- ## 6. If `allowUnfree = true`, observe MongoDB builds locally Because `mongodb` is marked unfree in nixpkgs, Hydra does not provide a binary substitute. This causes the build to attempt: ``` /nix/store/...-mongodb-x.y.z.drv ``` which significantly increases build time and contributes to multiple cascading failures. --- # Result Following the above steps reproducibly leads to: 1. Test failures in: * `langchain` * `langchain-community` * `fpdf2` 2. Failure of `open-webui` to pass `pythonCatchConflictsPhase` due to closure duplication of the `langchain` package. 3. Local rebuilds of MongoDB due to `unfree` license and no Hydra cache. These steps should reproduce the failures consistently when building `open-webui` from nixpkgs on NixOS. ### Expected behaviour Should just build with no issues. ### Screenshots _No response_ ### Relevant log output ```console # Relevant Log Output Below is a collection of the relevant build failures encountered while attempting to build `open-webui` on NixOS, including Python dependency failures, test failures, and closure conflicts. All identifying system information has been removed. --- ## 1. `langchain` test failure (`/bin/bash` missing) error: Cannot build '...-python3.13-langchain-1.0.2.drv'. Reason: builder failed with exit code 1. Last 25 log lines: FileNotFoundError: [Errno 2] No such file or directory: '/bin/bash' --------------------------- snapshot report summary ---------------------------- 22 snapshots passed. ============================= slowest 5 durations ============================== ... =========================== short test summary info ============================ --- ## 2. `langchain-community` multiple test failures error: Cannot build '...-python3.13-langchain-community-0.3.27.drv'. Reason: builder failed with exit code 2. Last 25 log lines: ERROR tests/unit_tests/agents/test_openai_assistant.py ERROR tests/unit_tests/agents/test_react.py ERROR tests/unit_tests/agents/test_tools.py ERROR tests/unit_tests/callbacks/test_callback_manager.py ERROR tests/unit_tests/chains/test_api.py ... !!!!!!!!!!!!!!!!!!! Interrupted: 21 errors during collection !!!!!!!!!!!!!!!!!!! ================ 1 deselected, 19 warnings, 21 errors ========================== --- ## 3. `fpdf2` deterministic output test failures (hash mismatches) error: Cannot build '...-python3.13-fpdf2-2.8.4.drv'. Reason: builder failed with exit code 1. Last 25 log lines: FAILED test/image/image_types/test_insert_images.py::test_insert_png_monochromatic FAILED test/image/image_types/test_insert_images.py::test_insert_g4_tiff FAILED test/image/test_image_info.py::test_get_img_info FAILED test/table/test_table_with_image.py::test_table_with_qrcode FAILED test/template/test_flextemplate.py::test_flextemplate_rotation FAILED test/template/test_flextemplate.py::test_flextemplate_elements FAILED test/template/test_template.py::test_template_qrcode = 7 failed, 1371 passed, 6 deselected, 1 xfailed, 7 warnings = --- ## 4. `open-webui` closure conflict: duplicate `langchain` Even after disabling failing tests, `open-webui` fails during `pythonCatchConflictsPhase` due to duplicated dependency closures. error: Cannot build '...-open-webui-0.6.36.drv'. Reason: builder failed with exit code 1. Last 25 log lines: Running phase: pythonCatchConflictsPhase Found duplicated packages in closure for dependency 'langchain': langchain 1.0.2 (/nix/store/na996kg1sd1yp076dawks7kivwl5ddma-python3.13-langchain-1.0.2) dependency chain: ...depending on: ...-python3.13-langchain-1.0.2 langchain 1.0.2 (/nix/store/f3rd6n8vnv7dj0qpr0dyyp1f5anl6ama-python3.13-langchain-1.0.2) dependency chain: ...depending on: ...-python3.13-langchain-community-0.3.27 ...depending on: ...-python3.13-langchain-1.0.2 Package duplicates found in closure. Usually this happens if two packages depend on different versions of the same dependency. --- ## 5. Additional background errors ### User not trusted (when running build as non-root) [INFO] You are not trusted by store uri: daemon This prevented substituters from being used. ### MongoDB being built locally (unfree license) mongodb is unfree; substituters skipped these 1 derivations will be built: /nix/store/...-mongodb-6.x.drv This significantly increases local build time. --- # Summary Several Python dependencies required by `open-webui` fail in their `checkPhase`, including: - `langchain` - `langchain-community` - `fpdf2` Additionally, `open-webui` fails due to duplicated `langchain` derivations during `pythonCatchConflictsPhase`. These failures prevent `open-webui` from being successfully built on NixOS without overriding test phases and/or removing conflict hooks. ``` ### Additional context _No response_ ### System metadata - system: `"x86_64-linux"` - host os: `Linux 6.16.0, NixOS, 25.11 (Xantusia), 25.11.20250814.fbcf476` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.28.4` - channels(root): `"nixos-25.05"` - nixpkgs: `/nix/store/75d0qr8zvhv921ili0y2fqxa5drk9xpi-source` ### Notify maintainers @shivaraj-bh @codgician --- **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.) ### I assert that this issue is relevant for Nixpkgs - [x] I assert that this is a bug and not a support request. - [x] I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+-label%3A%226.topic%3A+darwin%22+-label%3A%226.topic%3A+nixos%22). - [x] I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it. ### Is this issue important to you? Add a :+1: [reaction] to [issues you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

and I think it was the starting PR

github.com/NixOS/nixpkgs

python3Packages.{langchain,langgraph}-*: updates and build fixes

master ← sarahec:init-langchain-classic

opened 07:23PM - 12 Nov 25 UTC

sarahec

+288 -64

Hydra: [313983934](https://hydra.nixos.org/build/313983934) on langchain-communi…ty, the rest are mostly `nixpkgs-review` cleanups. 1. `python3Packages.langchain-classic: init at 1.0.0` , adopts [CHANGELOG]() 2. `python3Packages.langchain-core: 1.0.0 -> 1.0.7` to support `langchain-community` [CHANGELOG](https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.0.7) [DIFF](https://github.com/langchain-ai/langchain/compare/langchain-core%3D%3D1.0.0...langchain-core%3D%3D1.0.7) 3. `python3Packages.langchain-openai: 1.0.1 -> 1.0.3` that fixes a broken test [CHANGELOG](https://github.com/langchain-ai/langchain/releases/tag/langchain-openai%3D%3D1.0.3) [DIFF](https://github.com/langchain-ai/langchain/compare/langchain-openai%3D%3D1.0.1...langchain-openai%3D%3D1.0.3) 4. `python3Packages.langchain-community: 0.3.27 -> 0.4.1` and fixes test collection errors [CHANGELOG](https://github.com/langchain-ai/langchain-community/releases/tag/libs%2Fcommunity%2Fv0.4.1) [DIFF](https://github.com/langchain-ai/langchain-community/compare/libs/community/v0.3.27...libs/community/v0.4.1) 5. `python3Packages.langchain-experimental: 0.3.4 -> 0.4.0`, adopts [CHANGELOG](https://github.com/langchain-ai/langchain-experimental/releases/tag/libs%2Fexperimental%2Fv0.4.0) [DIFF](https://github.com/langchain-ai/langchain-experimental/compare/libs/experimental/v0.3.4...libs/experimental/v0.4.0) 6. `python3Packages.langchain-mongodb: 0.2.0 -> 0.8.0` [CHANGELOG]() [DIFF]() 7. `python3Packages.langgraph-store-mongodb: init at 1.0.1` [CHANGELOG](https://github.com/langchain-ai/langchain-mongodb/releases/tag/libs%2Flanggraph-store-mongodb%2Fv0.1.1) 8. `python3Packages.langchain-groq: 1.0.0 -> 1.0.1` that fixes a broken test [CHANGELOG](https://github.com/langchain-ai/langchain/releases/tag/langchain-groq%3D%3D1.0.1) [DIFF](https://github.com/langchain-ai/langchain/compare/langchain-groq%3D%3D1.0.0...langchain-groq%3D%3D1.0.1) 9. `python3Packages.langgraph-mistralai: 1.0.0 -> 1.0.1` due to broken tests [CHANGELOG](https://github.com/langchain-ai/langchain/releases/tag/langchain-mistralai%3D%3D1.0.1) [DIFF](https://github.com/langchain-ai/langchain/compare/langchain-mistralai%3D%3D1.0.0...langchain-mistralai%3D%3D1.0.1) 10. `python3Packages.langgraph-checkpoint-mongodb: init at 0.3.0`, adopt [CHANGELOG](https://github.com/langchain-ai/langchain-mongodb/releases/tag/libs%2Flanggraph-checkpoint-mongodb%2Fv0.3.0) Fixes #461605 Supersedes #460914 ZHF: #457852 ## Things done - Built on platform: - [x] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin **requires working pyarrow** - Tested, as applicable: - [ ] [NixOS tests] in [nixos/tests]. - [ ] [Package tests] at `passthru.tests`. - [x] Tests in [lib/tests] or [pkgs/test] for functions and "core" functionality. - [x] Ran `nixpkgs-review` on this PR. See [nixpkgs-review usage]. - [ ] Tested basic functionality of all binary files, usually in `./result/bin/`. - Nixpkgs Release Notes - [ ] Package update: when the change is major or breaking. - NixOS Release Notes - [ ] Module addition: when adding a new NixOS module. - [ ] Module update: when the change is significant. - [x] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs. [NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests [Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests [nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage [CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md [lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests [maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md [nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests [pkgs/README.md]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md [pkgs/test]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/test --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc

spiage · November 24, 2025, 7:15pm

Nevertheless, I think having a mechanism to keep the previous upstream package version is a useful capability.

For example, judging by the speed of previous lock-file updates, it will take the open-webui upstream several months to transition to the new version of langchain (which we have as current now)

arianvp · November 24, 2025, 7:44pm

Well the problem here is that you’re expecting guarantees from a non-open source package that isn’t built by hydra due to licensing issues. That’s a completely different problem. We have no way of guaranteeing that they work and it’s hard to ask from a project to not break projects we can’t legally build and distribute.

I don’t really have interest in formalizing processes to bend to projects that we can’t even build in our CI. The fix is to not depend on things that we cant build and test in this particular case IMO

vcunat · November 24, 2025, 7:49pm

We already do have some packages in multiple versions. A problem is that if you overuse this, especially for popular libraries, you tend to get into clashes. Many “languages”, e.g. C libraries, are not meant to deal with multiple versions. For a single binary you normally only allow a single version of each library for the whole linking closure. (I’m not sure if e.g. Python suffers also from this.)

reckenrode · November 24, 2025, 10:25pm

This particular problem is due to Python packages being updated together as a package set. If a package requires a specific (usually older) version, it needs to use an override in nixpkgs to pin to the version to exactly what it needs. See the Airflow derivation for an example of how to do that.

Infinisil · November 25, 2025, 1:57am

This was indirectly addressed in @spiage’s post:

I like this idea!

Atemu · November 25, 2025, 2:38am

Not really, no.

Staging is for bundling rebuild-heavy changes to occur in a limited number of global rebuilds. Its policy w.r.t. breaking changes is the same as master.

The only difference is that it’s often quite a bit harder to ascetrain the knock-on effects on reverse dependencies w.r.t. build failures because there’s just too many of them; requiring testing to be done at a later stage than before the PR is merged.

github.com/NixOS/nixpkgs

CONTRIBUTING.md

master

# Contributing to Nixpkgs

This document is for people wanting to contribute to Nixpkgs.
This involves changes that are proposed using [GitHub](https://github.com) [pull requests](https://docs.github.com/pull-requests) to the [Nixpkgs repository](https://github.com/nixos/nixpkgs).

A GitHub account is recommended, which you can sign up for [here](https://github.com/signup).
See [here](https://discourse.nixos.org/t/about-the-patches-category/477) for how to contribute without a GitHub account.

This document assumes that you already know how to use GitHub and Git.
If that's not the case, we recommend learning about it [here](https://docs.github.com/en/get-started/quickstart/hello-world).

## Overview
[overview]: #overview

This file contains general contributing information.
More specific information about individual parts of Nixpkgs can be found here:
- [`doc`](./doc/README.md): Sources and infrastructure for the [Nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/)
- [`lib`](./lib/README.md): Sources and documentation of the [library functions](https://nixos.org/manual/nixpkgs/stable/#chap-functions)
- [`maintainers`](./maintainers/README.md): Nixpkgs maintainer and team listings, maintainer scripts
- [`nixos`](./nixos/README.md): Implementation of [NixOS](https://nixos.org/manual/nixos/stable/)

This file has been truncated. show original

Breaking changes in this regard do correlate with large amounts of rebuilds but that’s the just that: a correlation.

While the motivation might have been a proprietary software, this happens in OSS too and has happened a bunch of times already.

I support having a standard method to deal with this circumstance because that way everone can predict what will happen.

I’d caution against over-formalising it though. I think it’d be enough to have this be merely a (documented!) convention, not a rule or process.

A 6 Month grace period with 1 Month warning window sounds like a really good starting point to me.

reckenrode · November 25, 2025, 12:34pm

My concern with formalizing a process like this is it’s just pushing out the updates to effect the removal, which will probably end up being done by a motivated contributor rather than the package maintainers. I’d not want to rely on that because those kinds of cleanups can burn people out.

There are also questions about how to handle
transient dependencies if they also depend on your dependency. You need to override them too. That’s kind of what overrideSDK did. It could be resurrected as a generic function to replace a dependency, but it can’t get them all (e.g., if it’s substituted or interpolated into a script).

If we’re going to package language ecosystems with a prescribed version, we should probably have a standardized way to override the version across a package’s dependencies and documentation on how and when to do that.

sarahec · November 26, 2025, 7:54pm

Speaking as the primary langchain/langgraph maintainer: Langchain started releasing 1.0 alpha versions back in August. I kept a local branch where I tested builds ~weekly until I saw substantial adoption. 1.0.0 release landed after that and I pushed those updates to staging (both for the number of rebuilds and to allow time for any stragglers to catch up.)

Once that landed, a few packages broke. Adding 'classic fixed most of them, the rest could be patched or retired (namely, if obsolete, unmaintained, and had no dependents).

open-webui, in particular, pinned to the last pre-1.0 alpha release of langchain and depended on its internals rather than the documented API. This kept us from swapping in 'classic and needed source changes, see open-webui: patch imports for langchain v1 by thunze · Pull Request #463538 · NixOS/nixpkgs · GitHub

Would keeping temporary “legacy packages” help? Perhaps if it’s a single package, but this becomes messy when it’s an ecosystem. That’s why I took an informed “watch and wait” approach. We can always patch (and send patches upstream, if sensible).