Package electron-13.6.9 marked as insecure: how to find parent package in my config.nix?

bgibson · February 26, 2022, 2:40am

I’m rebuilding my system to update Signal to a more recent version, and am getting the build error that the electron package is insecure. I think I have multiple packages specified in environment.pkgs that use electron, but I’m not sure I remember which they all are. Is there a way to list all the packages depend on Electron?

evaluating file '/nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/development/tools/electron/default.nix'
evaluating file '/nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/development/tools/electron/generic.nix'
error: while evaluating the attribute 'activationScript' of the derivation 'nixos-system-z11pa-d8-21.11.336147.4275a321bea' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/make-derivation.nix:205:7:
while evaluating the attribute 'system.activationScripts.script' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:136:9:
while evaluating 'systemActivationScript' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:20:33, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:136:18:
while evaluating 'textClosureMap' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings-with-deps.nix:75:35, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:49:9:
while evaluating 'id' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/trivial.nix:14:5, called from undefined position:
while evaluating the attribute 'text' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:9:5:
while evaluating the attribute 'text' at undefined position:
while evaluating 'g' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:301:19, called from undefined position:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:171:72, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:304:20:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:585:9:
while evaluating the option `system.activationScripts.etc.text':
while evaluating the attribute 'mergedValue' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:617:5:
while evaluating the attribute 'values' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:611:9:
while evaluating the attribute 'values' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:710:7:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:597:28, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:597:17:
while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix':
while evaluating 'dischargeProperties' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:669:25, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:598:137:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:452:44:
while evaluating the attribute 'buildCommand' of the derivation 'etc' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/make-derivation.nix:205:7:
while evaluating 'concatMapStringsSep' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:110:5, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:7:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:33, called from undefined position:
while evaluating 'concatMapStringsSep' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:110:5, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:43:
while evaluating 'escapeShellArg' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:318:20, called from undefined position:
while evaluating the attribute 'source' at undefined position:
while evaluating 'g' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:301:19, called from undefined position:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:171:72, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:304:20:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:585:9:
while evaluating the option `environment.etc.dbus-1.source':
while evaluating the attribute 'mergedValue' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:617:5:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:619:17, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:619:12:
while evaluating 'check' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:362:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:619:22:
while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/make-derivation.nix:205:7:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:371:14, called from undefined position:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:630:27:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:619:17, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:619:12:
while evaluating 'check' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:362:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:619:22:
while evaluating the attribute 'passAsFile' of the derivation 'system-path' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/make-derivation.nix:205:7:
while evaluating the attribute 'passAsFile' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/build-support/buildenv/default.nix:77:5:
while evaluating the attribute 'installPhase' of the derivation 'obsidian-0.12.19' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/make-derivation.nix:205:7:
while evaluating the attribute 'handled' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/check-meta.nix:309:7:
while evaluating 'handleEvalIssue' at /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/check-meta.nix:195:38, called from /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/stdenv/generic/check-meta.nix:310:14:
Package ‘electron-13.6.9’ in /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/development/tools/electron/generic.nix:25 is marked as insecure, refusing to evaluate.

Known issues:
 - Electron version 13.6.9 is EOL

You can install it anyway by allowing this package, using the
following methods:

a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:

     $ export NIXPKGS_ALLOW_INSECURE=1
     
 Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
 (Flake) command, `--impure` must be passed in order to read this
 environment variable.
    
b) for `nixos-rebuild` you can add ‘electron-13.6.9’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "electron-13.6.9"
       ];
     }

c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘electron-13.6.9’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "electron-13.6.9"
       ];
     }

gravndal · February 26, 2022, 3:32am

Two ways that come to mind are:

nix-store -q --referrers /nix/store/hash-electronWhatever
Or if you’re on a flake enabled system, nix why-depends /path/to/built/system nixpkgs#electron_13

Note that both of these might require you to build a complete system with the whole permitInsecurePackages bit to provide useful/relevant/any output.

bgibson · February 26, 2022, 8:02am

Thank you! I’m actually not changing my current build, just re-building it to pull in an updated version of Signal.

However, I just ran it:

nix-store -q --referrers /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/pkgs/development/tools/electron/generic.nix

And got:

/nix/store/aq8sd66jj1cizsdl4jfbqfjv6dw4cidq-env-manifest.nix
/nix/store/5fs72madqi853niig5qbc3vmnxcng4vq-user-environment

But neither of those refers directly to electron:

$> cat /nix/store/aq8sd66jj1cizsdl4jfbqfjv6dw4cidq-env-manifest.nix

[ { meta = { }; name = "nixos-21.11.336147.4275a321bea"; out = { outPath = "/nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea"; }; outPath = "/nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea"; outputs = [ "out" ]; system = "x86_64-linux"; type = "derivation"; } ]%     

$> ls /nix/store/5fs72madqi853niig5qbc3vmnxcng4vq-user-environment/

Permissions Links Size User Group Date Modified    Name
lrwxrwxrwx      2   60 root root  1969-12-31 16:00 manifest.nix -> /nix/store/aq8sd66jj1cizsdl4jfbqfjv6dw4cidq-env-manifest.nix
lrwxrwxrwx      2   80 root root  1969-12-31 16:00 nixos -> /nix/store/31pgj26hj476v5yqk7yppxbfbf5pvscc-nixos-21.11.336147.4275a321bea/nixos/

Not the list of the dependencies I’m looking for. Any idea what I might be doing wrong here?

gravndal · February 26, 2022, 8:26am

Try passing the electron package or drv itself like so: nix-store -q --referrers /nix/store/cry82s0smrfiwji1cy87afkqdvdf3qas-electron-13.6.9.drv (though adjust the hash/version to whatever is appropriate for your system).

Nebucatnetzer · February 26, 2022, 11:24am

For me it was caused by Obsidian.

aabccd021 · July 25, 2023, 10:44pm

I also got openssl-1.1.1u marked as insecure when upgrading NixOS to 23.05.

So I run

find /nix/store -maxdepth 1 -type d -name "*openssl-1.1.1u" | xargs nix-store -q --referrers

Output:

/nix/store/j90d191x26k6ig74b962x7x837d6cn93-openssl-1.1.1u
/nix/store/mn1k37bhxwpbnscspm11njrw1628dn1v-curl-8.1.1
/nix/store/xjn4g64kmsm9nrwkam52hbmbm687jcq6-github-desktop-3.2.1

So I removed github-desktop (which I wasn’t using anyway).

yarekt · October 24, 2023, 11:48am

Same thing is happening to me, and nix-store -q --referrers prints nothing IMO that giant error message should list dependencies of this insecure package, or at least non-cryptic commands to find out more.

delroth · October 24, 2023, 2:46pm

If you --show-trace it should show up not too far from the end of the displayed eval trace. In OP’s example you can for example see: while evaluating the attribute 'installPhase' of the derivation 'obsidian-0.12.19'.

(But yes, I think it should be made better too!)