Damage
September 13, 2025, 1:01pm
I’ve got some packages that depend on an insecure package (qtwebengine-5 to be specific) - Tellico and jellyfin-media-player. The source specifies:
qtwebengine
The exact version is not defined in either package.
My question is how is the actual version of qtwebengine chosen? Some packages use qtwebengine-6.9.1, some 6.9.0 and the insecure package 5.15.19.
Tellico can use qt5 or qt6 according to the website, so why does the dependency not use 6.9.1? Is it that the latest version was 5.15.19 when the package was initially built, or something else? I use flakes, so is there something in the flake system that causes this to happen (and is the issue the same without flakes)?
A follow-on question is what is the best approach to fix the packages that have these dependencies (in this case tellico and jellyfin-media-player).
Thanks for any insight - I have searched for more information, but not found anything helpful, although I suspect that it could be poor search criteria on my part!
Ctrl-F in that file for the remaining. Unless they’re in pkgs/by-name, then it may not be in all-packages.nix.
Don’t use them, they don’t support Qt6.
I just read the part where you mentioned tellico can support it.
In that case, you can try switching from libsForQt5 to kdePackages; possibly other bits in that nix expression need to change too. And it looks like tellico already uses qt6 on unstable, btw:
But the PR wasn’t backported to stable for some reason. You could request that to be backported, in that case, citing security concerns.
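One way to act on the advice in the reply above, as an added example that is not from the thread and not nixpkgs' own code: a NixOS module that re-calls a package's expression from the Qt 6 scope (kdePackages) through an overlay, and, as a stopgap while that is being sorted out, allows exactly the one insecure store name rather than every insecure package. The path `pkgs/PLACEHOLDER/tellico/default.nix` is a placeholder, and the example assumes that expression takes its Qt modules from the callPackage scope rather than hard-coding Qt 5 attributes.

```nix
# Added example, not from the thread or from nixpkgs. Assumptions:
#  - the package's expression lives at the placeholder path below, and
#  - it takes qtbase, wrapQtAppsHook, qtwebengine etc. from its callPackage
#    scope, so calling it via kdePackages.callPackage feeds it Qt 6.
{ config, lib, pkgs, ... }:

{
  nixpkgs.overlays = [
    (final: prev: {
      # Re-call the same expression from the Qt 6 scope. If the expression
      # pins Qt5-only attributes, this will fail to evaluate and the file
      # itself needs editing, as the reply says.
      tellico = final.kdePackages.callPackage
        (prev.path + "/pkgs/PLACEHOLDER/tellico/default.nix") { };
    })
  ];

  # Stopgap only: the allow-list is matched on the exact store name taken
  # from the refusal message, so nothing else insecure is let through.
  # Drop this once the closure no longer references qtwebengine 5.
  nixpkgs.config.permittedInsecurePackages = [ "qtwebengine-5.15.19" ];
}
```

With flakes, `nixpkgs.config` and `nixpkgs.overlays` in the module still apply as long as the configuration does not set `nixpkgs.pkgs` to a pre-instantiated package set. To confirm which derivation in a system closure actually pulls the old module in (the question nix-tree was used for earlier in the thread), `nix why-depends` on the system's toplevel against the qtwebengine-5 store path prints the dependency chain.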
Damage
September 13, 2025, 4:29pm
Thanks for the reply. I am using unstable (forgot to mention) - I had used nix-tree to find the dependencies on 5.15.19 explicitly and up came tellico along with jellyfin. Having got rid of jellyfin, all is good, so I can only assume I used nix-tree incorrectly.
Not sure how to ask for the backport in stable, but I will do so when I work out how!
dshatz
September 17, 2025, 11:29am
opened 10:06AM - 28 Aug 25 UTC
0.kind: build failure
### Nixpkgs version
- Unstable (25.11)
### Steps to reproduce
```
{
config … = {
environment = {
systemPackages = with pkgs; [
jellyfin-media-player
];
};
};
}
```
### Can Hydra reproduce this build failure?
No, Hydra cannot reproduce this build failure.
### Link to Hydra build job
_No response_
### Relevant log output
```console
… while evaluating derivation 'jellyfin-media-player-1.12.0'
whose name attribute is located at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/stdenv/generic/make-derivation.nix:480:13
… while evaluating attribute 'buildInputs' of derivation 'jellyfin-media-player-1.12.0'
at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/stdenv/generic/make-derivation.nix:534:13:
533| depsHostHost = elemAt (elemAt dependencies 1) 0;
534| buildInputs = elemAt (elemAt dependencies 1) 1;
| ^
535| depsTargetTarget = elemAt (elemAt dependencies 2) 0;
… in the condition of the assert statement
at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/lib/customisation.nix:392:15:
391| outPath =
392| assert condition;
| ^
393| drv.${outputName}.outPath;
… while evaluating the attribute 'handled'
at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/stdenv/generic/check-meta.nix:651:9:
650| # or, alternatively, just output a warning message.
651| handled = (
| ^
652| if valid == "yes" then
… from call site
at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/stdenv/generic/check-meta.nix:655:14:
654| else if valid == "no" then
655| (handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; })
| ^
656| else if valid == "warn" then
… while calling 'handleEvalIssue'
at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/stdenv/generic/check-meta.nix:300:5:
299| { meta, attrs }:
300| {
| ^
301| reason,
… while calling the 'throw' builtin
at /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/stdenv/generic/check-meta.nix:317:5:
316| in
317| handler msg;
| ^
318|
error: Package ‘qtwebengine-5.15.19’ in /nix/store/r6g8ksyz42q28va8qjd021fwlxs010xw-source/pkgs/development/libraries/qt-5/modules/qtwebengine.nix:442 is marked as insecure, refusing to evaluate.
Known issues:
- qt5 qtwebengine is unmaintained upstream since april 2025.
It is based on chromium 87.0.4280.144, and supposedly patched up to 135.0.7049.95 which is outdated.
Security issues are frequently discovered in chromium.
The following list of CVEs was fixed in the life cycle of chromium 138 and likely also affects qtwebengine:
- CVE-2025-8879
- CVE-2025-8880
- CVE-2025-8901
- CVE-2025-8881
- CVE-2025-8882
- CVE-2025-8576
- CVE-2025-8577
- CVE-2025-8578
- CVE-2025-8579
- CVE-2025-8580
- CVE-2025-8581
- CVE-2025-8582
- CVE-2025-8583
- CVE-2025-8292
- CVE-2025-8010
- CVE-2025-8011
- CVE-2025-7656
- CVE-2025-6558 (known to be exploited in the wild)
- CVE-2025-7657
- CVE-2025-6554
- CVE-2025-6555
- CVE-2025-6556
- CVE-2025-6557
The actual list of CVEs affecting qtwebengine is likely much longer,
as this list is missing issues fixed in chromium 136/137 and even more
issues are continuously discovered and lack upstream fixes in qtwebengine.
You can install it anyway by allowing this package, using the
following methods:
a) To temporarily allow all insecure packages, you can use an environment
variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
then pass `--impure` in order to allow use of environment variables.
b) for `nixos-rebuild` you can add ‘qtwebengine-5.15.19’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"qtwebengine-5.15.19"
];
}
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘qtwebengine-5.15.19’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"qtwebengine-5.15.19"
];
}
Command 'nix --extra-experimental-features 'nix-command flakes' build --print-out-paths '/home/crimson/nixos#nixosConfigurations."donnager".config.system.build.toplevel' --show-trace --commit-lock-file --no-link' returned non-zero exit status 1.
```
### Additional context
It looks like qtwebengine-5.15.19 is marked as insecure, while being a dependency for jellyfin-media-player, thus requiring an override to complete the build. Notifying both jellyfin-media-player and qtwebengine v5 maintainers.
### System metadata
- system: `"x86_64-linux"`
- host os: `Linux 6.16.3, NixOS, 25.11 (Xantusia), 25.11.20250825.3b9f00d`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.28.4`
- channels(root): `""`
- nixpkgs: `/nix/store/r33xw4w5nmpmfac4g47h1lmrcl4qlz7k-source`
### Notify maintainers
@jojosch @Kranzes @paumr
@matthewbauer
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
### I assert that this issue is relevant for Nixpkgs
- [x] I assert that this is a bug and not a support request.
- [x] I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+build+failure%22).
- [x] I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it.
### Is this issue important to you?
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
Here is the relevant GitHub issue for those who find this thread through a search engine.
mio-19
November 3, 2025, 2:10am