How to use a package from unstable with dependencies from stable

Because the librewolf package is backported only after a long delay, i would like to install it from unstable with the dependencies from 22.05.

If i do the following from the Nixos FAQ:

let unstable = import <nixos-unstable> { };
in {

and later on have

  programs.firejail.enable = true;
  programs.firejail.wrappedBinaries = {
   librewolf = {
      executable = "${pkgs.lib.getBin unstable.pkgs.librewolf}/bin/librewolf";
      profile = pkgs.writeText "librewolf.local" ''
        noblacklist ''${DOWNLOADS}
        whitelist ''${DOWNLOADS}
        # Add the next line to your librewolf.local to enable native notifications. org.freedesktop.Notifications
        # Add the next line to your librewolf.local to allow inhibiting screensavers. org.freedesktop.ScreenSaver
        # Add the next lines to your librewolf.local for plasma browser integration.
        dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration org.kde.JobViewServer org.kde.kuiserver
        include librewolf.profile

then Nixos will install librewolf unstable with the dependencies from unstable. But i don’t want the dependencies from unstable.

In the manual is a description how to use a module from unstable while leaving everthing else in place. I think this may be applicable to my case, however, i don’t know what to put in there instead of "services/databases/postgresql.nix".

Can someone please tell me how to install librewolf from unstable with the dependencies from 22.05?

I don’t think so, sadly, since modules are the things that define your options, they don’t change how a derivation is built.

You could try something like

let librewolf = pkgs.callPackage "${<nixos-unstable>}/pkgs/applications/networking/browsers/librewolf";

and then appropriately wrapFirefox it to make it work.

I’ve never seen this done before, though, and there’s no guarantee that the package will actually work this way. Have you considered actively helping with backports instead?

Sadly, i’m kind of a noob (using Linux only for 2,5 years and Nixos for a few months) and only as a desktop user. I wouldn’t know how to wrap or backport anything.

What i noticed is this:

The pull request for unstable gets the 1.severity: security tag and is merged quickly. The backport pull request however doesn’t get it and kind of falls to the wayside. I think if this was changed, then the backport would be as quick as the merge for unstable (the other browser packages get backported immediately, which is important in my opinion due to the security fixes they bring).

However, i either don’t have the rights to a add a tag or didn’t realize how to do it. Also, i think it would be nice if the package maintainer kept an eye on the backport to have it merged quickly.

You could learn :slight_smile: The manual explains quite well how you do a manual backport: Nix - Nixpkgs 22.05 manual

Wrapping it is quite easy, you’d do just exactly what is done in all-packages.nix (can’t link on GitHub, the file is too big):

  librewolf-unwrapped = pkgs.callPackage "${<nixos-unstable>}/pkgs/applications/networking/browsers/librewolf";
  librewolf = pkgs.wrapFirefox librewolf-unwrapped {
    inherit (librewolf-unwrapped) extraPrefsFiles extraPoliciesFiles;
    libName = "librewolf";
in ...

I agree, this is the proper fix, and why I suggest looking into helping out with this. I don’t know why it doesn’t work this way currently; opening an issue about the lack of that label upstream and mentioning the maintainer on it will probably give you an answer (maybe there already is an issue!). Maybe it’s just an oversight, maybe they don’t have time to keep an eye on the build. Sadly Squalus doesn’t seem to have a discourse or matrix handle, so it’s either GitHub or email.

Email might be more polite because it doesn’t put them on the spot about it.

I see, thank you for your explanations!

I close this issue for now, as it doesn’t seem possible to do just what i wanted in my original question.

I’ll add the security label on the backport PRs if there’s security content. The releases don’t always have security content though, so I can’t always add it. I’ll be more aggressive about CCing committers if the PRs linger.

It would be nice if the backport action (GitHub - zeebe-io/backport-action: GitHub action to backport pull requests) could copy labels from the original PR to the backport.

If anyone wants to help, testing the PRs and leaving a comment that it works OK is helpful!

1 Like

Thank you for your reply and your work!