Mark a `devShell` dependency as insecure

When I run `nix develop`, I get the following error:

```
nix develop
warning: Git tree '/home/pamplemousse/Workspace/machines' is dirty
error: Package ‘python3.10-poetry-1.2.2’ in /nix/store/3xv8f25jlgypwzyjqw2h2iixnlb8981j-source/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:50 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2022-42966

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘python3.10-poetry-1.2.2’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "python3.10-poetry-1.2.2"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘python3.10-poetry-1.2.2’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "python3.10-poetry-1.2.2"
              ];
            }
(use '--show-trace' to show detailed location information)
```

I am assuming that one of the devShell's buildInputs is dependent on python3.10-poetry-1.2.2.
Solution a) works, but is rather inelegant: the caller has to run NIXPKGS_ALLOW_INSECURE=1 nix develop --impure.
Not sure how solution b) could be applied in my flake.nix.

Is there a way to write directly in the flake.nix that I want to permit this insecure dependency for my devShell?

2 Likes

I didn’t look directly at this case, but I looked at a similar one with an unsupported system error and couldn’t find an obvious lever for indicating it’s okay. I guess you could override the package to remove the vuln.

(Updating your nixpkgs may help in this case if you are on unstable; this was fixed in poetry2nix: 1.38.0 -> 1.39.1 by adisbladis · Pull Request #205429 · NixOS/nixpkgs · GitHub. It looks like the back ports may have failed. It was introduced in poetry: mark insecure by dotlambda · Pull Request #205341 · NixOS/nixpkgs · GitHub and that PR’s back ports succeeded.)

I am using this:

```nix
let
  pkgs = import inputs.nixpkgs
    {
      inherit system;
      config = {
        permittedInsecurePackages = [ "python3.10-poetry-1.2.2" "python3.10-certifi-2022.9.24" ];
      };
    };
```
3 Likes
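To show how that `let` fragment fits into a whole flake, here is an added example (not code from any post in this thread): a complete `flake.nix` whose devShell permits the exact package named in the error above, so callers run plain `nix develop` with no `NIXPKGS_ALLOW_INSECURE=1` and no `--impure`. The `system` value, the `description`, and `pkgs.poetry` as the dependency that pulls in the insecure package are assumptions for illustration.

```nix
# Added example, not from the thread. Assumptions: x86_64-linux only, and
# pkgs.poetry is the buildInput that transitively needs python3.10-poetry-1.2.2.
{
  description = "devShell that permits one specific insecure dependency";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";

      # Import nixpkgs with an explicit config rather than using
      # nixpkgs.legacyPackages.${system}: legacyPackages is evaluated with
      # the default (empty) config, so it cannot carry permittedInsecurePackages.
      pkgs = import nixpkgs {
        inherit system;
        config = {
          # Entries must match the "Package ‘…’" string from the error
          # exactly, version included. When nixpkgs bumps poetry to a fixed
          # release the name no longer matches, the allowance stops applying,
          # and the insecure check is enforced again on its own.
          permittedInsecurePackages = [
            "python3.10-poetry-1.2.2"
          ];
        };
      };
    in
    {
      devShells.${system}.default = pkgs.mkShell {
        buildInputs = [
          pkgs.poetry # assumed: the tool that depends on the insecure package
        ];
      };
    };
}
```

Allowing the package this way only acknowledges CVE-2022-42966 for this flake; it does not patch it. Because the allow-list is keyed on name plus version, it is narrower than `NIXPKGS_ALLOW_INSECURE=1`, which silences the check for every insecure package in that invocation.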

We bounced back and forth between overriding and setting config for a similar case with resholve in nixpkgs a few weeks ago, but @m45t3r ended up switching it back to the override form (resholve: use stripped-down python27 by thiagokokada · Pull Request #205815 · NixOS/nixpkgs · GitHub). I’m failing to find a comment explaining why. Not sure if the config approach caused a problem or if it was just easier to do it in the override since we needed it for other reasons.

I suspect they’re equally acceptable in a flake. The config approach seems safer, since it’d catch new vulnerabilities?