NixOS: Need help finding out what is pulling in nix-2.15.3 in my config

Problem

When I run nixos-rebuild, I get the following error:

       error: Package ‘nix-2.15.3’ in /nix/store/y0c95bwyvs80pm69hdd4b11pyq2ghiwh-source/pkgs/tools/package-management/nix/common.nix:249 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2024-27297

       You can install it anyway by allowing this package, using the
       following methods:

How can I figure out which part of my config is responsible for pulling in nix-2.15.3?

Context

With CVE-2024-27297, many versions of nix got marked as insecure. I have a flake-based system with the following inputs:

  inputs = {
    nixpkgs = {
      url = "github:nixos/nixpkgs/nixos-23.11";
    };
    nixpkgsUnstable = {
      url = "github:nixos/nixpkgs/nixos-unstable";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-23.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    helix = {
      url = "github:helix-editor/helix/23.10";
      inputs.nixpkgs.follows = "nixpkgsUnstable";
    };
    one-more-thing = {
      url = "github:foo/something-private";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

I’m on the most up-to-date version of nixpkgs for my inputs, which, AFAIK, should contain safe, patched versions of nix. Here is the snippet from flake.lock:

    "nixpkgs": {
      "locked": {
        "lastModified": 1709884566,
        "narHash": "sha256-NSYJg2sfdO/XS3L8XN/59Zhzn0dqWm7XtVnKI2mHq3w=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "2be119add7b37dc535da2dd4cba68e2cf8d1517e",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgsUnstable": {
      "locked": {
        "lastModified": 1709703039,
        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },

I also don’t set nix.package anywhere in my config. I’m stumped.

6 Likes

For me the culprit is rnix-lsp in home-manager. ymmv

7 Likes

Similar here, but it was nixd.

For others having this issue: A good start to find the culprit is running nix-tree /run/current-system, then hit / and type in the offending package (nix-2.16.2 in my case).

Edit: I’m still wondering how nix-2.16.2 got there in the first place:

nix registry list
user   flake:nixos path:/nix/store/ra9193qvpj7qwm41w49i6gc6my38amm8-source?lastModified=1709677081&narHash=sha256-tix36Y7u0rkn6mTm0lA45b45oab2cFLqAzDbJxeXS%2Bc%3D&rev=880992dcc006a5e00dd0591446fdf723e6a51a64

nix-repl> legacyPackages.x86_64-linux.nixd.buildInputs
[ «derivation /nix/store/c1pg0ajckbx9h97wr3221ihz8hifyjs9-libbacktrace-unstable-2022-12-16.drv» «derivation /nix/store/r1099jwlkwxvs6yf4kvcz5allg1a0r1w-nix-2.16.2.drv» «derivation /nix/store/31j7zi0hzar661cr478a2nfba8mclr8i-gtest-1.12.1.drv» «derivation /nix/store/xnnkarvr406rg1ild8p2dis2a9g8j9ag-boost-1.82.0.drv» «derivation /nix/store/5yrfcx782nqymizxl61ck3gwi7inya3r-llvm-16.0.6.drv» ]

nix-repl> legacyPackages.x86_64-linux.nix.version
"2.18.1"

It seems callPackage is passing a different nix version compared to the one defined in the top-level package set.

Edit2: Of course it does, because all-packages.nix has

  nixd = callPackage ../development/tools/language-servers/nixd {
    llvmPackages = llvmPackages_16;
    nix = nixVersions.nix_2_16;
  };

3 Likes

Alternatively you can use nix why-depends:

nix why-depends /nix/store/<your-configuration> /nix/store/<nix-2.15.3>

For navi users:

# find why a package is installed (why-depends)
nix why-depends /run/current-system <system_package>

$ system_package: nix path-info -r /run/current-system

Was the case for me as well, and JFYI, rnix-lsp will be removed from nixpkgs.

1 Like

Thanks everyone! Removing rnix-lsp did the trick for me.

I still don’t understand how I could have discovered this by myself though. Running why-depends only got me this:

$ nix why-depends /run/current-system /nix/store/gc4yzswdjlwdfzdyqcn72gkp0mna57dh-nix-2.15.3
/nix/store/nysklzijcr0ar9arinxxq1lf5ykwn9wh-nixos-system-themis-23.11.20240207.6832d0d
└───/nix/store/a2qyig1dln4c36zxwnads3d1gmj9sffh-system-path
    └───/nix/store/408cs3bh80cywizcl95f20nah8niaz8i-nixos-option
        └───/nix/store/gc4yzswdjlwdfzdyqcn72gkp0mna57dh-nix-2.15.3

Thanks! This is the first time I’ve encountered nix-tree. It looks pretty neat.

How do you run nix-tree or nix why-depends against a flake devShell?

I’m encountering the issue when using nix develop or devenv to enter my shell.

Using nix-tree against the entry in $PATH that contains devshell only lists 2.19 releases of nix. Nevertheless I need to skip the insecure package warning with NIXPKGS_ALLOW_INSECURE=1 nix develop --impure

UPDATE

I found my luck with nix develop --show-trace. Turned out to be rnix-lsp too.

hmmm this is cropping up for me as well and from what I can tell it’s nixos-option in my case? :woozy_face: but I need to better understand nix-tree as well I guess.

Yeah, that’s what it looked like for me too. My NixOS config contained this:

environment.systemPackages = with pkgs; [
  rnix-lsp
];

Using nix why-depends or nix-tree just point to nixos-option though. Not sure why that is…

2 Likes

Nice, I guess all roads go back to rnix-lsp, many thanks