TensorFlow unstable & not installing after update

Hi,
I managed to install TensorFlow a while ago (my configuration below)

let
  # Custom Python package with all the (Python) imports I need
  my-python-packages = python-packages: with python-packages; [
    tensorflow
    keras
   ...
  ]; 
  python-with-my-packages = pkgs.unstable.python3.withPackages my-python-packages;
  #python-with-my-packages = pkgs.python3.withPackages my-python-packages;
in
{
  # to try making tensorflow work
  hardware.opengl.setLdLibraryPath = true;
  
  environment.systemPackages = with pkgs; [
    python-with-my-packages
    ...
   ];
   ...
}

…but a recent sudo nixos-rebuild switch refuses to evaluate:

error: Package ‘python3.10-tensorflow-2.11.0’ in /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/development/python-modules/tensorflow/default.nix:445 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2023-27579
        - CVE-2023-25801
        - CVE-2023-25676
        - CVE-2023-25675
        - CVE-2023-25674
        - CVE-2023-25673
        - CVE-2023-25671
        - CVE-2023-25670
        - CVE-2023-25669
        - CVE-2023-25668
        - CVE-2023-25667
        - CVE-2023-25665
        - CVE-2023-25666
        - CVE-2023-25664
        - CVE-2023-25663
        - CVE-2023-25662
        - CVE-2023-25660
        - CVE-2023-25659
        - CVE-2023-25658

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘python3.10-tensorflow-2.11.0’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "python3.10-tensorflow-2.11.0"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘python3.10-tensorflow-2.11.0’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "python3.10-tensorflow-2.11.0"
              ];
            }
(use '--show-trace' to show detailed location information)

I tried option b) but does not work.

Any help would be greatly appreciated :slight_smile:
Davide

1 Like

Hi! Tensorflow has been marked insecure because it’s lagging behind upstream, which has addressed a number of CVEs in their recent releases: python310Packages.tensorflow: mark insecure by dotlambda · Pull Request #224436 · NixOS/nixpkgs · GitHub

We’re tracking the issue here: Update request: python310Packages.tensorflow 2.10.1 → 2.12.0 · Issue #224353 · NixOS/nixpkgs · GitHub

And there’s been intermediate progress which likely alleviates this issue and needs to be reviewed: python3Packages.tensorflow(-bin): 2.11.0 -> 2.11.1 by risicle · Pull Request #224846 · NixOS/nixpkgs · GitHub

I tried option b) but does not work.

This however is unexpected. Tensorflow is supposed to be still buildable, only that there won’t be any public cache available. What kind of error do you get?

1 Like

I tried with the option --show-trace and I got a ton of messages which I cannot really understand:

building Nix...
building the system configuration...
error: Package ‘tensorflow-2.11.0’ in /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/development/python-modules/tensorflow/default.nix:445 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2023-27579
        - CVE-2023-25801
        - CVE-2023-25676
        - CVE-2023-25675
        - CVE-2023-25674
        - CVE-2023-25673
        - CVE-2023-25671
        - CVE-2023-25670
        - CVE-2023-25669
        - CVE-2023-25668
        - CVE-2023-25667
        - CVE-2023-25665
        - CVE-2023-25666
        - CVE-2023-25664
        - CVE-2023-25663
        - CVE-2023-25662
        - CVE-2023-25660
        - CVE-2023-25659
        - CVE-2023-25658

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘tensorflow-2.11.0’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "tensorflow-2.11.0"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘tensorflow-2.11.0’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "tensorflow-2.11.0"
              ];
            }



       … while evaluating 'handleEvalIssue'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/stdenv/generic/check-meta.nix:226:38:

          225|
          226|   handleEvalIssue = { meta, attrs }: { reason , errormsg ? "" }:
             |                                      ^
          227|     let

       … from call site

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/stdenv/generic/check-meta.nix:400:16:

          399|         {
          400|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
             |                ^
          401|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

       … while evaluating the attribute 'no'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/stdenv/generic/check-meta.nix:400:11:

          399|         {
          400|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
             |           ^
          401|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

       … while evaluating the attribute 'handled'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/stdenv/generic/check-meta.nix:398:7:

          397|       # or, alternatively, just output a warning message.
          398|       handled =
             |       ^
          399|         {

       … while evaluating the attribute 'src' of the derivation 'python3.10-tensorflow-2.11.0'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/stdenv/generic/make-derivation.nix:302:7:

          301|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          302|       name =
             |       ^
          303|         let

       … while evaluating the attribute 'outPath'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/lib/customisation.nix:229:7:

          228|       drvPath = assert condition; drv.drvPath;
          229|       outPath = assert condition; drv.outPath;
             |       ^
          230|     };

       … while evaluating the attribute 'outPath'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/lib/customisation.nix:229:7:

          228|       drvPath = assert condition; drv.drvPath;
          229|       outPath = assert condition; drv.outPath;
             |       ^
          230|     };

       … while evaluating anonymous lambda

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/lib/lists.nix:658:25:

          657|    */
          658|   unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [];
             |                         ^
          659|

       … from call site

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/development/interpreters/python/python-packages-base.nix:55:6:

           54|     modules = lib.filter hasPythonModule drvs;
           55|   in lib.unique ([python] ++ modules ++ lib.concatLists (lib.catAttrs "requiredPythonModules" modules));
             |      ^
           56|

       … while evaluating 'requiredPythonModules'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/development/interpreters/python/python-packages-base.nix:53:27:

           52|   # Get list of required Python modules given a list of derivations.
           53|   requiredPythonModules = drvs: let
             |                           ^
           54|     modules = lib.filter hasPythonModule drvs;

       … from call site

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/development/interpreters/python/wrapper.nix:20:13:

           19|   env = let
           20|     paths = requiredPythonModules (extraLibs ++ [ python ] ) ;
             |             ^
           21|     pythonPath = "${placeholder "out"}/${python.sitePackages}";

       … while evaluating the attribute 'passAsFile'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/build-support/buildenv/default.nix:77:5:

           76|     # XXX: The size is somewhat arbitrary
           77|     passAsFile = if builtins.stringLength pkgs >= 128*1024 then [ "pkgs" ] else [ ];
             |     ^
           78|   }

       … while evaluating the attribute 'passAsFile' of the derivation 'python3-3.10.10-env'

       at /nix/store/qw9nnl2wmvx0ad0f9aqvdbw5cl5mirvc-source/pkgs/stdenv/generic/make-derivation.nix:302:7:

          301|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          302|       name =
             |       ^
          303|         let

       … while evaluating the attribute 'passAsFile'

       at /nix/store/c475f7p3krxgyqh5lmr7hyn0szf1s6r3-nixos-22.11/nixos/pkgs/build-support/buildenv/default.nix:77:5:

           76|     # XXX: The size is somewhat arbitrary
           77|     passAsFile = if builtins.stringLength pkgs >= 128*1024 then [ "pkgs" ] else [ ];
             |     ^
           78|   }

       … while evaluating the attribute 'passAsFile' of the derivation 'system-path'

       at /nix/store/c475f7p3krxgyqh5lmr7hyn0szf1s6r3-nixos-22.11/nixos/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

       … while evaluating 'check'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:482:15:

          481|       descriptionClass = "noun";
          482|       check = x: isCoercibleToString x && builtins.substring 0 1 (toString x) == "/";
             |               ^
          483|       merge = mergeEqualOption;

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:22:

          759|       if isDefined then
          760|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                      ^
          761|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:17:

          759|       if isDefined then
          760|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                 ^
          761|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:12:

          759|       if isDefined then
          760|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |            ^
          761|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while evaluating the attribute 'value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:771:27:

          770|     optionalValue =
          771|       if isDefined then { value = mergedValue; }
             |                           ^
          772|       else {};

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:492:14:

          491|       merge = loc: defs:
          492|         map (x: x.value) (filter (x: x ? value) (concatLists (imap1 (n: def:
             |              ^
          493|           imap1 (m: def':

       … from call site

       … while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1'

       at /nix/store/c475f7p3krxgyqh5lmr7hyn0szf1s6r3-nixos-22.11/nixos/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

       … while evaluating 'check'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:482:15:

          481|       descriptionClass = "noun";
          482|       check = x: isCoercibleToString x && builtins.substring 0 1 (toString x) == "/";
             |               ^
          483|       merge = mergeEqualOption;

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:22:

          759|       if isDefined then
          760|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                      ^
          761|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:17:

          759|       if isDefined then
          760|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                 ^
          761|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:12:

          759|       if isDefined then
          760|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |            ^
          761|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while evaluating the attribute 'mergedValue'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:758:5:

          757|     # Type-check the remaining definitions, and merge them. Or throw if no definitions.
          758|     mergedValue =
             |     ^
          759|       if isDefined then

       … while evaluating the option `environment.etc.dbus-1.source':

       … while evaluating the attribute 'value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:723:9:

          722|     in warnDeprecation opt //
          723|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          724|         inherit (res.defsFinal') highestPrio;

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:265:72:

          264|           # For definitions that have an associated option
          265|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          266|

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:420:20:

          419|               then recurse (path ++ [name]) value
          420|               else f (path ++ [name]) value;
             |                    ^
          421|         in mapAttrs g;

       … while evaluating 'g'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:417:19:

          416|           g =
          417|             name: value:
             |                   ^
          418|             if isAttrs value && cond value

       … from call site

       … while evaluating 'escapeShellArg'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:354:20:

          353|   */
          354|   escapeShellArg = arg: "'${replaceStrings ["'"] ["'\\''"] (toString arg)}'";
             |                    ^
          355|

       … from call site

       … while evaluating 'concatMapStringsSep'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:111:5:

          110|     # List of input strings
          111|     list: concatStringsSep sep (map f list);
             |     ^
          112|

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:43:

           53|     mkdir -p "$out/etc"
           54|     ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
             |                                           ^
           55|       "makeEtcEntry"

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:33:

           53|     mkdir -p "$out/etc"
           54|     ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
             |                                 ^
           55|       "makeEtcEntry"

       … from call site

       … while evaluating 'concatMapStringsSep'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:111:5:

          110|     # List of input strings
          111|     list: concatStringsSep sep (map f list);
             |     ^
          112|

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:7:

           53|     mkdir -p "$out/etc"
           54|     ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
             |       ^
           55|       "makeEtcEntry"

       … while evaluating the attribute 'buildCommand' of the derivation 'etc'

       at /nix/store/c475f7p3krxgyqh5lmr7hyn0szf1s6r3-nixos-22.11/nixos/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

       … while evaluating the attribute 'value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:563:44:

          562|       defnsByName' = byName "config" (module: value:
          563|           [{ inherit (module) file; inherit value; }]
             |                                            ^
          564|         ) configs;

       … while evaluating 'atDepth'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:60:17:

           59|       len = length attrPath;
           60|       atDepth = n:
             |                 ^
           61|         if n == len

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:63:39:

           62|         then value
           63|         else { ${elemAt attrPath n} = atDepth (n + 1); };
             |                                       ^
           64|     in atDepth 0;

       … while evaluating the attribute 'value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:552:58:

          551|         # Push down position info.
          552|         (map (def: mapAttrs (n: v: { inherit (def) file; value = v; }) def.value) defs);
             |                                                          ^
          553|       emptyValue = { value = {}; };

       … while evaluating 'dischargeProperties'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:810:25:

          809|   */
          810|   dischargeProperties = def:
             |                         ^
          811|     if def._type or "" == "merge" then

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:739:137:

          738|         defs' = concatMap (m:
          739|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          740|         ) defs;

       … while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix':

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:738:28:

          737|         # Process mkMerge and mkIf properties.
          738|         defs' = concatMap (m:
             |                            ^
          739|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:738:17:

          737|         # Process mkMerge and mkIf properties.
          738|         defs' = concatMap (m:
             |                 ^
          739|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating the attribute 'values'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:851:7:

          850|     in {
          851|       values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
             |       ^
          852|       inherit highestPrio;

       … while evaluating the attribute 'values'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:752:9:

          751|       in {
          752|         values = defs''';
             |         ^
          753|         inherit (defs'') highestPrio;

       … while evaluating the attribute 'optionalValue.value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:770:5:

          769|
          770|     optionalValue =
             |     ^
          771|       if isDefined then { value = mergedValue; }

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:546:29:

          545|       merge = loc: defs:
          546|         zipAttrsWith (name: defs:
             |                             ^
          547|           let merged = mergeDefinitions (loc ++ [name]) elemType defs;

       … from call site

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:537:24:

          536|     let f = attrPath:
          537|       zipAttrsWith (n: values:
             |                        ^
          538|         let here = attrPath ++ [n]; in

       … from call site

       … while evaluating the attribute 'value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:563:44:

          562|       defnsByName' = byName "config" (module: value:
          563|           [{ inherit (module) file; inherit value; }]
             |                                            ^
          564|         ) configs;

       … while evaluating 'dischargeProperties'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:810:25:

          809|   */
          810|   dischargeProperties = def:
             |                         ^
          811|     if def._type or "" == "merge" then

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:739:137:

          738|         defs' = concatMap (m:
          739|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          740|         ) defs;

       … while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc-activation.nix':

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:738:28:

          737|         # Process mkMerge and mkIf properties.
          738|         defs' = concatMap (m:
             |                            ^
          739|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:738:17:

          737|         # Process mkMerge and mkIf properties.
          738|         defs' = concatMap (m:
             |                 ^
          739|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating the attribute 'values'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:851:7:

          850|     in {
          851|       values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
             |       ^
          852|       inherit highestPrio;

       … while evaluating the attribute 'values'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:752:9:

          751|       in {
          752|         values = defs''';
             |         ^
          753|         inherit (defs'') highestPrio;

       … while evaluating the attribute 'mergedValue'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:758:5:

          757|     # Type-check the remaining definitions, and merge them. Or throw if no definitions.
          758|     mergedValue =
             |     ^
          759|       if isDefined then

       … while evaluating the option `system.activationScripts.etc.text':

       … while evaluating the attribute 'value'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:723:9:

          722|     in warnDeprecation opt //
          723|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          724|         inherit (res.defsFinal') highestPrio;

       … while evaluating anonymous lambda

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:265:72:

          264|           # For definitions that have an associated option
          265|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          266|

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:420:20:

          419|               then recurse (path ++ [name]) value
          420|               else f (path ++ [name]) value;
             |                    ^
          421|         in mapAttrs g;

       … while evaluating 'g'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:417:19:

          416|           g =
          417|             name: value:
             |                   ^
          418|             if isAttrs value && cond value

       … from call site

       … while evaluating the attribute 'text'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:9:5:

            8|   addAttributeName = mapAttrs (a: v: v // {
            9|     text = ''
             |     ^
           10|       #### Activation script snippet ${a}:

       … while evaluating 'id'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/trivial.nix:14:5:

           13|     # The value to return
           14|     x: x;
             |     ^
           15|

       … from call site

       … while evaluating 'textClosureMap'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings-with-deps.nix:75:35:

           74|
           75|   textClosureMap = f: predefined: names:
             |                                   ^
           76|     concatStringsSep "\n" (map f (textClosureList predefined names));

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:49:9:

           48|
           49|       ${textClosureMap id (withDrySnippets) (attrNames withDrySnippets)}
             |         ^
           50|

       … while evaluating 'systemActivationScript'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:20:33:

           19|
           20|   systemActivationScript = set: onlyDry: let
             |                                 ^
           21|     set' = mapAttrs (_: v: if isString v then (noDepEntry v) // { supportsDryActivation = false; } else v) set;

       … from call site

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:137:18:

          136|       apply = set: set // {
          137|         script = systemActivationScript set false;
             |                  ^
          138|       };

       … while evaluating the attribute 'system.activationScripts.script'

       at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:137:9:

          136|       apply = set: set // {
          137|         script = systemActivationScript set false;
             |         ^
          138|       };

       … while evaluating the attribute 'activationScript' of the derivation 'nixos-system-nixos-22.11.1069.cbe419ed4c8'

       at /nix/store/c475f7p3krxgyqh5lmr7hyn0szf1s6r3-nixos-22.11/nixos/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

Option a) also gives a similar result

Oh! This is because tensorflow actually consists of two nix derivations, one is the native Bazel build which produces a wheel, and another is the python install that consumes the wheel

              nixpkgs.config.permittedInsecurePackages = [
                "python3.10-tensorflow-2.11.0"
                "tensorflow-2.11.0"
              ];

P.S. These builds are going to be expensive…

1 Like

This only works in the impure evaluation mode, e.g. nix-build or nix build --impure

1 Like

Actually, three:

 nixpkgs.config.permittedInsecurePackages = [
    "python3.10-tensorflow-2.11.0"
    "tensorflow-2.11.0"
    "tensorflow-2.11.0-deps.tar.gz"
  ];

But I understood the mechanism from your reply and corrected accordingly following the new error message.

Thenk you very much, problem solved & tensorflow working!

1 Like

Note that python3Packages.tensorflow: 2.11.0 -> 2.11.1 by risicle · Pull Request #224846 · NixOS/nixpkgs · GitHub has been merged, removing the knownVulnerabilities flag

1 Like