Librewolf Marked as Insecure

Hi, thought I should start a thread here about this. The Librewolf package has been marked as insecure due to no active committer. A couple of people have stepped up to maintain (and librewolf-unwrapped: add thbemme to maintainers by thbemme · Pull Request #532067 · NixOS/nixpkgs · GitHub). I also saw a comment about the lack of an active committer despite maintainers stepping up:

whilst it’s great to see some people step up to help, we need a committer on the package, or some sort of looser restrictions on being able to merge version-bump PR’s.

I found it quite disappointing when I saw that the PR to mark the librewolf package as vulnerable was approved and merged so rapidly, but the PR to bump the package version was (and still is) being delayed for no reason, even after multiple comments and approvals.

[…]

The way to solve this would be of course to have a committer on the team. not sure what the steps are to get something like that rolling.

marking the package as vulnerable has also hurt the userbase of the librewolf nix package by a considerable amount. considering that every user who wants to use it now has to build it from source, me (and i am assuming many others) are stuck wondering what to do next. the librewolf-bin package exists, but is also marked vulnerable. to add to that, the librewolf-bin package also has other issues and isn’t actually recommended for use: #518061 (comment)

I don’t know if I personally will have the time to step up but I can at least try get the ball rolling as Librewolf is my browser of choice. It looks like the merge requests mentioned in the comment have finally been approved, but it is making me wonder why has this happened? What blocked those merges for so long even after approvals?

7 Likes

Please note that “committer” means someone with merge access to the nixpkgs repo, not just a regular maintainer (which can be anyone). Your support is certainly welcome if you wish, but if you’re a regular maintainer, that won’t help this specific issue.

Nothing, a committer just needs to notice the PR exists and click the merge button.

3 Likes

See librewolf-unwrapped,librewolf-bin-unwrapped: add azahi to maintainers by azahi · Pull Request #533046 · NixOS/nixpkgs · GitHub

3 Likes

Does this mean librewolf will not be cached? I added it to insecure packages and now it needs to be built which has insane hardware requirements due to linker algorithms being stuck in 80s and needing absolute ai-nonsense-level RAM amount to link big projects :frowning:

EDIT:

Ah, it was marked as insecure and hence all cache was purged. This is pure evil solution. Now even if I pin last nixpkgs commit that I used for currently running Librewolf it does not use any cache and tries to rebuild it anyway (which I can’t do, no free 200gb ram server lying near my laptop and having days to deal with this). Is there any way to bypass this and use currently installed version and update rest of the system? When I make a librewolf overlay it tries to build it anyway :enraged_face: This is literally the opposite of making somebody’s nixos secure - one package may invalidate update of more pressing things. I"m so frustrated with this. Isn’t there a curated list with stuff that will shred people’s systems that should receive extra care when such decisions are made? Like kernel, browsers, other crucial components?

2 Likes

My current solution is to keep the flake lock to the version that worked, and don’t upadate it until it’s resolved.
… Which is easy to do as it seems unstable is down for a week now

2 Likes

Same here basically. Perhaps overlay from stable is still cached?

It will be cached when the channel advances.

1 Like

So the issue with nobody with proper title being assigned to it is resolved? Not trying to be picky, just trying to decide if port my flake back to Firefox and spend extra time removing unwanted stuff or risk drama with Librewolf :slight_smile:

Perhaps this is a valid solution - remove librewolf from flake temporarily, but create a symlink do it to prevent garbage collecting it and manually symlink the binary somewhere in my $PATH?

You can use -bin for now.

2 Likes

Yes. However your nixos doesn’t know that because the current state of the packages on unstable is… From the 2026-06-16… IDK for stable, but it seems like the builds are going and the PRs are merged

(Would have shared my build… If I could build it)

1 Like

Thanks @RustyNova016 ! I could not compile this c soup last time I tried - had a VM with 60GB of ram (so much fun to wait a day to get another linker error, that makes AI want to commit suicide when untangling) :smiley: this is the quiet apocalypse - not AI destroying the world, just reliance on vertical scaling in key components like a linker used at scale only by a select few :stuck_out_tongue:

This is awesome, thanks! Completely did not know there is a ready to use upstream build. Thank you!

Note that this can only happen if you switch to a generation that doesn’t have librewolf, delete all past generations, run a garbage collect, and then attempt to switch back.

In every other scenario you should have a locally cached copy. You might be holding nix wrong, or went out of your way to purge your cache.

3 Likes

I don’t think we retroactively remove all insecure packages from the cache…

4 Likes

Unstable-small seems to have it, 533046.
I just switched that package to said channel and it works.

2 Likes

Fair point - so I don’t know how and what is removed, I did have a local copy, just could not do system wide update due to build being queued each time. I tried creating an overlay that pointed to nixpkgs commit prior to Librewolf update or exactly the one that was used in my working configuration and each time Librewolf (older version this time, matching the one from pinned nixpkgs) was being queued for build and not downloaded from cache. Hence I thought it was purged completely for some reason :slight_smile: I did try only 4 commits before moving to -bin :slight_smile:

Gotcha, but I could not make the system flake revert to any nixpkgs commit that would result in grabbing a cached bin though :slight_smile:

Hard to say what without knowing your exact code/steps, but there probably was a way to get it right. The -bin version is a good escape hatch, though.