Libgit2-0.27.10 insecure

When trying to upgrade my system (on channel unstable), I was told that libgit2-0.27.10 is insecure. I got around this by adding the following to my configuration.nix:

  nixpkgs.config.permittedInsecurePackages = [
    "libgit2-0.27.10"
  ];

Is this a bad move (makes my system less secure)? Could I have resolved it in a better way (like upgrading packages except this one)? Now it is compiling lots of stuff, which didn’t use to happen. Thanks for your advice.

It simply means that a newer version of nixpkgs has the package properly annotated as insecure. Not upgrading the single package would get rid of the warning, but you would still use the old insecure package. So from a security viewpoint, it is the same as ignoring the warning through permittedInsecurePackages. (Well, maybe slightly less secure since there is more space to make a mistake.)

The only secure thing to do is avoid using software depending on the old insecure libgit2 version – either gitin or julia 1.0 (julia 1.5 uses recent libgit2 so maybe switch to that).

But if you cannot avoid using that, you can only minimize your risk by only using the software on data you trust, while accepting your system is insecure.

Of course, you will need to build it yourself as Hydra does not build known insecure software.

OK, thanks. So if I understand you correctly, I probably don’t need this package at all, I just have to find out which other package I’m installing is pulling it in as a dependency and remove it. Is there an easy way to find out?

You can pass the --show-trace argument to the command you are running (after removing permittedInsecurePackages) and it should reveal what pulls in the problematic package.

1 Like
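A --show-trace error for an insecure package is long and nested, and the derivation that actually pulls the package in is buried in the middle of it. The script below is an added example (not from this thread, and not a NixOS tool) that extracts the derivation names from saved trace output, outermost first, so the dependent stands out. The trace text embedded in it is constructed to mimic the shape of Nix's trace messages; real paths, versions and nesting depth will differ.

```shell
#!/bin/sh
# Added example: summarise which derivations appear in a `--show-trace` error
# for a package marked as insecure. The trace below is CONSTRUCTED for this
# example; the store paths and the julia version are placeholders.
SAMPLE_TRACE="error: while evaluating the attribute 'buildInputs' of the derivation 'julia-1.0.4' at /nix/store/xxxx-nixpkgs/pkgs/development/compilers/julia/1.0.nix:95:3:
while evaluating 'getOutput' at /nix/store/xxxx-nixpkgs/lib/attrsets.nix:464:23, called from undefined position:
while evaluating the attribute 'out' of the derivation 'libgit2-0.27.10' at /nix/store/xxxx-nixpkgs/pkgs/development/libraries/git2/default.nix:8:3:
Package 'libgit2-0.27.10' in /nix/store/xxxx-nixpkgs/pkgs/development/libraries/git2/default.nix:8 is marked as insecure, refusing to evaluate."

# Print every derivation name mentioned in the trace, one per line, in trace
# order (outermost evaluation first, the flagged package last).
trace_derivations() {
  printf '%s\n' "$1" | grep -o "of the derivation '[^']*'" | sed "s/.*'\(.*\)'/\1/"
}

# The first derivation in the trace that is not the insecure package itself is
# the closest answer to "what pulls this in". $1 = trace text, $2 = flagged name.
offending_dependent() {
  trace_derivations "$1" | grep -Fvx "$2" | head -n 1
}

# Real usage would save the trace first, e.g.
#   nixos-rebuild switch --show-trace 2>trace.log
# and pass "$(cat trace.log)" instead of the constructed sample below.
trace_derivations "$SAMPLE_TRACE"
printf 'pulled in by: %s\n' "$(offending_dependent "$SAMPLE_TRACE" "libgit2-0.27.10")"
```

Once the dependent is known, the fix is the one given in the thread: drop that package (or move to a release that uses a current libgit2) rather than permitting the insecure one globally.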

Cool, thanks. It was indeed julia, which you had mentioned. When I remove that, it works. You said that julia 1.5 doesn’t have this issue. Is that what’s called julia-stable?

Anyways, I tried it and it worked! Thanks for your help.

Yeah:

1 Like