Upgrading to 21.05 – Python 2.7-Pillow-6.2.2 marked as insecure

Hi everyone,

After reading 21.05’s release notes, I tried to do the upgrade from 20.09. However, I get a Python 2.7-Pillow-6.2.2 error and I can’t pinpoint where this dependency comes from in my configuration – only Python3Full is asked explicitly. You’ll find the trace below:

[root@tlap:/home/tcip]# nixos-rebuild switch --upgrade --show-trace 
unpacking channels...
building Nix...
building the system configuration...
error: while evaluating the attribute 'activationScript' of the derivation 'nixos-system-tlap-21.05.720.4c2e84394c0' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'system.activationScripts.script' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:80:9:
while evaluating 'textClosureMap' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings-with-deps.nix:75:35, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:101:18:
while evaluating 'id' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/trivial.nix:14:5, called from undefined position:
while evaluating the attribute 'text' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:9:5:
while evaluating the attribute 'text' at undefined position:
while evaluating 'g' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:298:19, called from undefined position:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:140:72, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:301:20:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:525:9:
while evaluating the option `system.activationScripts.etc.text':
while evaluating the attribute 'mergedValue' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:557:5:
while evaluating the attribute 'values' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:551:9:
while evaluating the attribute 'values' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:650:7:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:537:28, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:537:17:
while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix':
while evaluating 'dischargeProperties' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:609:25, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:538:137:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:392:44:
while evaluating the attribute 'sources' of the derivation 'etc' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:20:20, called from undefined position:
while evaluating the attribute 'source' at undefined position:
while evaluating 'g' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:298:19, called from undefined position:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:140:72, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:301:20:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:525:9:
while evaluating the option `environment.etc.dbus-1.source':
while evaluating the attribute 'mergedValue' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:557:5:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:559:17, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:559:12:
while evaluating 'check' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:349:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:559:22:
while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:358:14, called from undefined position:
while evaluating the attribute 'value' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:570:27:
while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:559:17, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:559:12:
while evaluating 'check' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:349:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:559:22:
while evaluating the attribute 'passAsFile' of the derivation 'system-path' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/build-support/buildenv/default.nix:77:5:
while evaluating the attribute 'buildInputs' of the derivation 'scribus-1.4.8' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' of the derivation 'python-2.7.18-env' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/build-support/buildenv/default.nix:77:5:
while evaluating 'requiredPythonModules' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/top-level/python-packages.nix:65:27, called from /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/development/interpreters/python/wrapper.nix:20:13:
while evaluating anonymous function at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/lib/lists.nix:645:24, called from /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/top-level/python-packages.nix:67:6:
while evaluating the attribute 'outPath' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/lib/customisation.nix:164:7:
while evaluating the attribute 'handled' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/check-meta.nix:301:7:
while evaluating 'handleEvalIssue' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/check-meta.nix:188:38, called from /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/check-meta.nix:302:14:
Package ‘python2.7-Pillow-6.2.2’ in /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/development/python-modules/pillow/6.nix:19 is marked as insecure, refusing to evaluate.


Known issues:
 - CVE-2020-10177
 - CVE-2020-10378
 - CVE-2020-10379
 - CVE-2020-10994
 - CVE-2020-11538
 - CVE-2020-35653
 - CVE-2020-35654
 - CVE-2020-35655
 - CVE-2021-25289
 - CVE-2021-25290
 - CVE-2021-25291
 - CVE-2021-25292
 - CVE-2021-25293
 - CVE-2021-27921
 - CVE-2021-27922
 - CVE-2021-27923

You can install it anyway by allowing this package, using the
following methods:

a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:

     $ export NIXPKGS_ALLOW_INSECURE=1

b) for `nixos-rebuild` you can add ‘python2.7-Pillow-6.2.2’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "python2.7-Pillow-6.2.2"
       ];
     }

c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘python2.7-Pillow-6.2.2’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "python2.7-Pillow-6.2.2"
       ];
     }

Any idea ?

Thanks for reading and all the best,

It looks like the dependency comes from system-path → scribus-1.4.8 → python-2.7.18-env → python2.7-Pillow-6.2.2, so you are using scribus somewhere in your configuration (probably in environment.systemPackages).

You could use scribusUnstable instead which uses python3 and does not depend on an insecure package.

Thanks a lot for your answer @sbruder :)! I have Scribus installed indeed, but I would like to stay with the stable version to be able to edit documents in the future. I’ll see tonight whether I’ll allow Python2.7-Pillow-6.2.2 in insecure packages or not.

However, can you tell me how you got this information from my previous message so that I might be able to handle this next time?

Just thinking, by the way: maybe I might be able to override the stable scribus package with a Python 3 dependency, as shown in the documentation with emacs and gtk3.

The stack trace you posted basically includes the dependency path, though it’s not that easy to read. Beginning from the last line (the one that indicates the failure) and going up, looking for things that look like package names helps to filter for the important details. In this case, the following lines are important:

[…]
while evaluating the attribute 'passAsFile' of the derivation 'system-path' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
[…]
while evaluating the attribute 'buildInputs' of the derivation 'scribus-1.4.8' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' of the derivation 'python-2.7.18-env' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
[…]
Package ‘python2.7-Pillow-6.2.2’ in /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/development/python-modules/pillow/6.nix:19 is marked as insecure, refusing to evaluate.

If the dependency path is more complex, it may be a better idea to instantiate the configuration (while temporarily allowing insecure packages) and then show the dependency tree of the derivation:

     nix-store -q --tree "$(NIXPKGS_ALLOW_INSECURE=1 nix-instantiate -I nixos-config=/path/to/configuration.nix -A config.system.build.toplevel '<nixpkgs/nixos>')"
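The "walk up the trace and keep the derivation names" reading described in the post above can be mechanised. The script below is an added example, not code from the thread, from NixOS or from nixpkgs: it filters a `--show-trace` dump down to the `of the derivation '<name>'` frames plus the final `Package ‘…’ … is marked as insecure` line, and prints them as a chain. The function names (`trace_chain`, `system_package_to_blame`) are mine, and the sample trace is a constructed, abridged copy of the one posted earlier in the thread. Note that this is the evaluator's path, not a build-time dependency graph: `etc -> dbus-1 -> system-path` appears because of the order in which module options were evaluated. When the chain is ambiguous, the `nix-store -q --tree` command from the post is the authoritative answer.

```shell
#!/bin/sh
# Added example (not from the thread or from NixOS): recover the dependency
# chain that a "marked as insecure" evaluation trace encodes. Nix prints one
# "of the derivation '<name>'" frame each time evaluation descends into
# another derivation, so those names read top to bottom give the path from
# the system closure to the refused package.

# Constructed sample: an abridged copy of the trace posted above, with most
# of the lib/modules.nix frames removed.
sample_trace() {
    cat <<'EOF'
while evaluating the attribute 'activationScript' of the derivation 'nixos-system-tlap-21.05.720.4c2e84394c0' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the option `system.activationScripts.etc.text':
while evaluating the attribute 'sources' of the derivation 'etc' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the option `environment.etc.dbus-1.source':
while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' of the derivation 'system-path' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/build-support/buildenv/default.nix:77:5:
while evaluating the attribute 'buildInputs' of the derivation 'scribus-1.4.8' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'passAsFile' of the derivation 'python-2.7.18-env' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating 'handleEvalIssue' at /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/check-meta.nix:188:38, called from /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/stdenv/generic/check-meta.nix:302:14:
Package ‘python2.7-Pillow-6.2.2’ in /nix/store/9fydsbjwgw5ch89h1i701vj6yxwaxi9d-nixos-21.05.720.4c2e84394c0/nixos/pkgs/development/python-modules/pillow/6.nix:19 is marked as insecure, refusing to evaluate.
EOF
}

# Print the derivation names in evaluation order, joined with " -> ".
# The final "Package ‘...’ ... is marked as insecure" line names the refused
# package and becomes the last hop. Its name is matched on the characters a
# nixpkgs package name may contain rather than on the curly quote marks, so
# the pattern works whatever locale sed runs in. uniq collapses a derivation
# that shows up in several consecutive frames (one per evaluated attribute).
trace_chain() {
    sed -n \
        -e "s/.*of the derivation '\([^']*\)'.*/\1/p" \
        -e 's/.*Package [^A-Za-z0-9]*\([A-Za-z0-9._+-]*\).*is marked as insecure.*/\1/p' |
    uniq |
    awk 'NR > 1 { printf " -> " } { printf "%s", $0 } END { print "" }'
}

# Name the hop directly below system-path: that is the entry in
# environment.systemPackages which drags the insecure dependency in, and
# therefore the package to replace (or override) in configuration.nix.
system_package_to_blame() {
    trace_chain |
    awk -F' -> ' '{ for (i = 1; i < NF; i++) if ($i == "system-path") print $(i + 1) }'
}

# On a real system, feed the rebuild output in directly:
#   nixos-rebuild switch --upgrade --show-trace 2>&1 | trace_chain
# Here the constructed sample stands in for that output.
sample_trace | trace_chain
sample_trace | system_package_to_blame
```

Run against the sample, `trace_chain` prints the full evaluation path ending in `python2.7-Pillow-6.2.2`, and `system_package_to_blame` prints `scribus-1.4.8`, which is exactly the conclusion drawn by hand above.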

That only works when the software supports both versions. I doubt the stable version of scribus will support Python 3 since it is super ancient.

At best, it might work if the Python support is optional, in which case, you could just pass in null instead. But either way, it will require recompilation. But you cannot avoid that since Hydra will not build insecure software.

Also note that while the attribute is named scribusUnstable since it is building from the development branch, the upstream developers consider it stable enough.

Thanks for that information @sbruder – a shame I missed those parts in the error message… I’ll take a closer look next time.

Thanks @jtojnar – I thought it might not be that simple ^^’! I’ll try unstable since I don’t have anything important to do right now on Scribus, but I’m kind of reluctant since I already had some troubles opening an old design in the past (although, I have to admit, switching from an old unstable to a new stable was not wise at that time).
I’m an open-source advocate, emphasizing that one’s work should be perennial, but sometimes you just have to settle for « anyway better than closed-source software » ;).