Problem
When I run nixos-rebuild, I get the following error:
error: Package ‘nix-2.15.3’ in /nix/store/y0c95bwyvs80pm69hdd4b11pyq2ghiwh-source/pkgs/tools/package-management/nix/common.nix:249 is marked as insecure, refusing to evaluate.
Known issues:
- CVE-2024-27297
You can install it anyway by allowing this package, using the
following methods:
How can I figure out which part of my config is responsible for pulling in nix-2.15.3?
Context
With CVE-2024-27297, many versions of nix got marked as insecure. I have a flake-based system with the following inputs:
inputs = {
  nixpkgs = {
    url = "github:nixos/nixpkgs/nixos-23.11";
  };
  nixpkgsUnstable = {
    url = "github:nixos/nixpkgs/nixos-unstable";
  };
  home-manager = {
    url = "github:nix-community/home-manager/release-23.11";
    inputs.nixpkgs.follows = "nixpkgs";
  };
  helix = {
    url = "github:helix-editor/helix/23.10";
    inputs.nixpkgs.follows = "nixpkgsUnstable";
  };
  one-more-thing = {
    url = "github:foo/something-private";
    inputs.nixpkgs.follows = "nixpkgs";
  };
};
I’m on the most up-to-date version of nixpkgs for my inputs, which AFAIK, should contain safe, patched versions of nix. Here is the snippet from flake.lock:
"nixpkgs": {
  "locked": {
    "lastModified": 1709884566,
    "narHash": "sha256-NSYJg2sfdO/XS3L8XN/59Zhzn0dqWm7XtVnKI2mHq3w=",
    "owner": "nixos",
    "repo": "nixpkgs",
    "rev": "2be119add7b37dc535da2dd4cba68e2cf8d1517e",
    "type": "github"
  },
  "original": {
    "owner": "nixos",
    "ref": "nixos-23.11",
    "repo": "nixpkgs",
    "type": "github"
  }
},
"nixpkgsUnstable": {
  "locked": {
    "lastModified": 1709703039,
    "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
    "owner": "nixos",
    "repo": "nixpkgs",
    "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
    "type": "github"
  },
  "original": {
    "owner": "nixos",
    "ref": "nixos-unstable",
    "repo": "nixpkgs",
    "type": "github"
  }
},
I also don’t set nix.package anywhere in my config. I’m stumped.
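
An added example (not part of the original post, and not code from nixpkgs): one way to check which nixpkgs revisions a flake.lock really pins is to walk its input graph, resolving "follows" entries, and list every nixpkgs pin together with the input path that reaches it. The sample lock data, its placeholder revs and the input name "tool" are constructed; only github-type locks whose repo is nixpkgs are matched.

```python
import json
import sys
from datetime import datetime, timezone

def _pin(rev, ts):  # helper that builds a constructed nixpkgs lock node
    return {"locked": {"type": "github", "owner": "nixos", "repo": "nixpkgs",
                       "rev": rev, "lastModified": ts}}

# Constructed lock file with placeholder revs: "helix" follows the root's
# nixpkgsUnstable, while the hypothetical input "tool" carries its own older pin.
SAMPLE_LOCK = {"version": 7, "root": "root", "nodes": {
    "root": {"inputs": {"nixpkgs": "nixpkgs", "nixpkgsUnstable": "nixpkgsUnstable",
                        "helix": "helix", "tool": "tool"}},
    "nixpkgs": _pin("1" * 40, 1709884566),
    "nixpkgsUnstable": _pin("2" * 40, 1709703039),
    "nixpkgs_2": _pin("3" * 40, 1690000000),
    "helix": {"inputs": {"nixpkgs": ["nixpkgsUnstable"]}},
    "tool": {"inputs": {"nixpkgs": "nixpkgs_2"}},
}}

def resolve(nodes, root, ref):
    """A string names a node directly; a list is a 'follows' path walked from the root."""
    if isinstance(ref, str):
        return ref
    name = root
    for step in ref:
        name = resolve(nodes, root, nodes[name]["inputs"][step])
    return name

def nixpkgs_pins(lock):
    """Return {node: (rev, UTC date, [input paths])} for every reachable nixpkgs pin."""
    nodes, root = lock["nodes"], lock["root"]
    pins, queue, seen = {}, [(root, "")], {root}
    while queue:
        name, path = queue.pop(0)
        for inp, ref in sorted(nodes[name].get("inputs", {}).items()):
            target = resolve(nodes, root, ref)
            here = f"{path}/{inp}" if path else inp
            locked = nodes[target].get("locked", {})
            if locked.get("repo", "").lower() == "nixpkgs":
                day = datetime.fromtimestamp(locked["lastModified"], timezone.utc).date()
                pins.setdefault(target, (locked["rev"], day.isoformat(), []))[2].append(here)
            if target not in seen:  # expand each node once, so cycles terminate
                seen.add(target)
                queue.append((target, here))
    return pins

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for node, (rev, day, paths) in sorted(nixpkgs_pins(lock).items()):
        print(f"{node:16} {rev[:12]} {day}  via {', '.join(paths)}")
```

Run it with the path to a flake.lock as its argument; a node such as nixpkgs_2 that is reached only through another input is a nixpkgs pin that does not follow either of the root's pins.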