Struggling to install nRF toolkit because of an insecure package

Hi all! I’ve recently acquired an embedded board with a Nordic nRF chip that I want to learn how to work with.

There are a bunch of nRF tools available in nixpkgs like nrfutil, nrf5-sdk, nrf-command-line-tools, and nrfconnect. However, all of them seem to rely on an insecure segger-jlink-qt4-796s package, so when I try to rebuild I get the following trace:

       error: Package ‘segger-jlink-qt4-796s’ in /nix/store/l3amk5lsakpc93him5kry24kax23sn4h-source/pkgs/by-name/se/segger-jlink/qt4-bundled.nix:44 is marked as insecure, refusing to evaluate.


       Known issues:
        - This bundled version of Qt 4 has reached its end of life after 2015. See https://github.com/NixOS/nixpkgs/pull/174634
        - CVE-2023-43114
        - CVE-2023-38197
        - CVE-2023-37369
        - CVE-2023-34410
        - CVE-2023-32763
        - CVE-2023-32762
        - CVE-2023-32573
        - CVE-2022-25634
        - CVE-2020-17507
        - CVE-2020-0570
        - CVE-2018-21035
        - CVE-2018-19873
        - CVE-2018-19871
        - CVE-2018-19870
        - CVE-2018-19869
        - CVE-2015-1290
        - CVE-2014-0190
        - CVE-2013-0254
        - CVE-2012-6093
        - CVE-2012-5624
        - CVE-2009-2700

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘segger-jlink-qt4-796s’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "segger-jlink-qt4-796s"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘segger-jlink-qt4-796s’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "segger-jlink-qt4-796s"
              ];
            }

Sure, I said, and tried option B (Here is a link to relevant part of my config), but unfortunately adding the package to permitted insecure has had zero effect. I’ve then tried option A with an env var and had no success either.

I’m a bit at a loss as to what else to do in this situation.

Edit:
One detail I forgot to mention is that while the nrf packages attempt to build segger-jlink-qt4-796s for themselves, it is not a package present in the current Unstable list of packages. At least when using search.nixos.org I don’t see it. There is segger-jlink, but adding it to a list of packages does not help.

Could it be that adding segger-jlink-qt4-796s to permittedInsecurePackages doesn’t work because it’s not a package on the branch of nixpkgs I use?

Hello!

This is a bit unfortunate. I think what might have happened is something along the lines of this:

  • The nixpkgs you are using in your configuration is a finalized one injected by the flake. The nixpkgs option has no effect. You would’ve needed to set the permittedInsecurePackages where you create your pkgs, that is here: nixos-config/flake.nix at 5c7fcbc5736d4cfd067fb092811197bc3c1b3b9f · TheDenast/nixos-config · GitHub

  • When rebuilding with the flake, it does not accept your environment variable because of purity reasons. There is a note about it in the output, but it’s easy to overlook. You might have better luck rebuilding with --impure.

Some side notes:

  • qt4 was purged a long time ago, but segger software is somewhat critical for all sorts of embedded applications, so it’s partially been exempted from the rule, under the condition that we mark it as heavily insecure and don’t expose the qt4 package into the toplevel package list.

  • Because the segger software requires you to accept the license before even downloading the software, using licenses.unfree isn’t enough. We have a custom config flag you need to enable for your pkgs instance named segger-jlink.acceptLicense (put it in the config attrs together with permittedInsecurePackages)

  • The existing nrfutil package is the old deprecated python pc-nrfutil one, I have a pending PR here for the new nrfutil tool: nrfutil: reinit at 7.11.1 by h7x4 · Pull Request #327945 · NixOS/nixpkgs · GitHub

  • The tooling might be unstable because the segger version is newer than the one that is included in the nrf tooling (and hence officially supported by Nordic Semi). If segger stuff starts breaking, you might want to assume it to be a downstream issue and open a ticket in nixpkgs before going to the Nordic forums.

  • You might also want to add nrf-udev and/or segger-jlink to services.udev.packages

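Added example (not part of the thread and not taken from the poster's repository): a minimal flake.nix showing the fix described in the reply above, with the exemption set on the `pkgs` instance the flake creates and scoped to the one named package rather than allowing every insecure package. The host name `myhost`, the `x86_64-linux` system, the `./configuration.nix` path and the use of `allowUnfree` are assumptions for illustration.

```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs, ... }:
    let
      system = "x86_64-linux"; # assumption: adjust to your machine

      # The flake builds its own pkgs here. Once this instance is handed to
      # NixOS, `nixpkgs.config.*` set inside configuration.nix is ignored,
      # so the exemptions have to be declared at this import.
      pkgs = import nixpkgs {
        inherit system;
        config = {
          # Assumption: unfree packages are allowed globally; a narrower
          # allowUnfreePredicate can be used instead.
          allowUnfree = true;

          # Extra license flag mentioned in the reply above.
          segger-jlink.acceptLicense = true;

          # Permit only the package named in the error message, so any
          # other insecure package still fails evaluation.
          permittedInsecurePackages = [ "segger-jlink-qt4-796s" ];
        };
      };
    in
    {
      # "myhost" is a hypothetical host name.
      nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          # Use the pre-configured pkgs instance for the whole system.
          { nixpkgs.pkgs = pkgs; }
          ./configuration.nix
          ({ pkgs, ... }: {
            environment.systemPackages = [ pkgs.nrf-command-line-tools ];
            # udev rules suggested in the reply above.
            services.udev.packages = [ pkgs.nrf-udev pkgs.segger-jlink ];
          })
        ];
      };
    };
}
```

With the configuration declared this way, `nixos-rebuild switch --flake .#myhost` evaluates without `NIXPKGS_ALLOW_INSECURE=1` or `--impure`, and the insecure-package exemption stays visible in version control.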

Hi!

Thank you so much, I was able to rebuild the system using your advice. I’m new to nix so I get confused with flakes overwriting things.

I’ll see how it goes with version mismatch and will report issues to nixpkgs if I encounter any.

Thanks again!