What to do when an update brings an package marked as insecure?

Recently I tried to update with nix-channel --update followed by nixos-rebuild switch but then I get this error:

building the system configuration...
error: Package ‘python3.9-mistune-0.8.4’ in /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/development/python-modules/mistune/common.nix:23 is marked as insecure, refusing to evaluate.

I don’t want to allow this package but I don’t know from where it comes.

I tried:

nix-store -q --referrers /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/development/python-modules/mistune/common.nix
/nix/store/dng5dni12dajcc9l8v988c85fyb0z0q4-env-manifest.nix
/nix/store/czi1jjfyn9hcb8xrs5ywjgwrp5gzihz1-user-environment

But it doesn’t help me much.

I don’t know if its relevant but I installed some unstable packages:

  nixpkgs.config = {
    allowUnfree = true;
    packageOverrides = pkgs: {
      unstable = import <nixos-unstable> { # pass the nixpkgs config to the unstable alias # to ensure `allowUnfree = true;` is propagated:
      config = config.nixpkgs.config;
    };
  };
};

To install darktable and digikam.

1 Like

Honestly, this is a big weak point of these kinds of errors (broken, insecure, …): They are not particularly convenient to pinpoint if you have a more elaborate derivation, e.g. a system configuration.

You can pass --show-trace to nixos-rebuild which’ll give you the backtrace of the error. You should be able to find the culprit somewhere in that.

1 Like

I didn’t find something interesting with the trace:

nixos-rebuild switch --show-trace

building Nix…
building the system configuration…
error: Package ‘python3.9-mistune-0.8.4’ in /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/development/python-modules/mistune/common.nix:23 is marked as insecure, refusing to evaluate.

   Known issues:
    - CVE-2022-34749

   You can install it anyway by allowing this package, using the
   following methods:

   a) To temporarily allow all insecure packages, you can use an environment
      variable for a single invocation of the nix tools:

        $ export NIXPKGS_ALLOW_INSECURE=1

    Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
    (Flake) command, `--impure` must be passed in order to read this
    environment variable.

   b) for `nixos-rebuild` you can add ‘python3.9-mistune-0.8.4’ to
      `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
      like so:

        {
          nixpkgs.config.permittedInsecurePackages = [
            "python3.9-mistune-0.8.4"
          ];
        }

   c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
      ‘python3.9-mistune-0.8.4’ to `permittedInsecurePackages` in
      ~/.config/nixpkgs/config.nix, like so:

        {
          permittedInsecurePackages = [
            "python3.9-mistune-0.8.4"
          ];
        }



   … while evaluating 'handleEvalIssue'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/check-meta.nix:196:38:

      195|
      196|   handleEvalIssue = { meta, attrs }: { reason , errormsg ? "" }:
         |                                      ^
      197|     let

   … from call site

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/check-meta.nix:323:16:

      322|         {
      323|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
         |                ^
      324|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

   … while evaluating the attribute 'no'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/check-meta.nix:323:11:

      322|         {
      323|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
         |           ^
      324|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

   … while evaluating the attribute 'handled'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/check-meta.nix:321:7:

      320|       # or, alternatively, just output a warning message.
      321|       handled =
         |       ^
      322|         {

   … while evaluating the attribute 'out.outPath'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/lib/customisation.nix:204:13:

      203|             drvPath = assert condition; drv.${outputName}.drvPath;
      204|             outPath = assert condition; drv.${outputName}.outPath;
         |             ^
      205|           };

   … while evaluating the attribute 'propagatedBuildInputs' of the derivation 'python3.9-nbconvert-6.5.0'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/make-derivation.nix:278:7:

      277|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
      278|       name =
         |       ^
      279|         let

   … while evaluating the attribute 'out.outPath'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/lib/customisation.nix:204:13:

      203|             drvPath = assert condition; drv.${outputName}.drvPath;
      204|             outPath = assert condition; drv.${outputName}.outPath;
         |             ^
      205|           };

   … while evaluating the attribute 'propagatedBuildInputs' of the derivation 'python3.9-notebook-6.4.12'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/make-derivation.nix:278:7:

      277|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
      278|       name =
         |       ^
      279|         let

   … while evaluating the attribute 'passAsFile'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/build-support/buildenv/default.nix:77:5:

       76|     # XXX: The size is somewhat arbitrary
       77|     passAsFile = if builtins.stringLength pkgs >= 128*1024 then [ "pkgs" ] else [ ];
         |     ^
       78|   }

   … while evaluating the attribute 'passAsFile' of the derivation 'system-path'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/make-derivation.nix:278:7:

      277|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
      278|       name =
         |       ^
      279|         let

   … while evaluating 'check'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:394:15:

      393|       name = "path";
      394|       check = x: isCoercibleToString x && builtins.substring 0 1 (toString x) == "/";
         |               ^
      395|       merge = mergeEqualOption;

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:782:22:

      781|       if isDefined then
      782|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
         |                      ^
      783|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:782:17:

      781|       if isDefined then
      782|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
         |                 ^
      783|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:782:12:

      781|       if isDefined then
      782|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
         |            ^
      783|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

   … while evaluating the attribute 'value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:793:27:

      792|     optionalValue =
      793|       if isDefined then { value = mergedValue; }
         |                           ^
      794|       else {};

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:403:14:

      402|       merge = loc: defs:
      403|         map (x: x.value) (filter (x: x ? value) (concatLists (imap1 (n: def:
         |              ^
      404|           imap1 (m: def':

   … from call site

   … while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/make-derivation.nix:278:7:

      277|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
      278|       name =
         |       ^
      279|         let

   … while evaluating 'check'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:394:15:

      393|       name = "path";
      394|       check = x: isCoercibleToString x && builtins.substring 0 1 (toString x) == "/";
         |               ^
      395|       merge = mergeEqualOption;

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:782:22:

      781|       if isDefined then
      782|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
         |                      ^
      783|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:782:17:

      781|       if isDefined then
      782|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
         |                 ^
      783|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:782:12:

      781|       if isDefined then
      782|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
         |            ^
      783|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

   … while evaluating the attribute 'mergedValue'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:780:5:

      779|     # Type-check the remaining definitions, and merge them. Or throw if no definitions.
      780|     mergedValue =
         |     ^
      781|       if isDefined then

   … while evaluating the option `environment.etc.dbus-1.source':

   … while evaluating the attribute 'value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:746:9:

      745|     in warnDeprecation opt //
      746|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
         |         ^
      747|         inherit (res.defsFinal') highestPrio;

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:296:72:

      295|           # For definitions that have an associated option
      296|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
         |                                                                        ^
      297|

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:401:20:

      400|               then recurse (path ++ [name]) value
      401|               else f (path ++ [name]) value;
         |                    ^
      402|         in mapAttrs g;

   … while evaluating 'g'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:398:19:

      397|           g =
      398|             name: value:
         |                   ^
      399|             if isAttrs value && cond value

   … from call site

   … while evaluating 'escapeShellArg'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:316:20:

      315|   */
      316|   escapeShellArg = arg: "'${replaceStrings ["'"] ["'\\''"] (toString arg)}'";
         |                    ^
      317|

   … from call site

   … while evaluating 'concatMapStringsSep'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:111:5:

      110|     # List of input strings
      111|     list: concatStringsSep sep (map f list);
         |     ^
      112|

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:43:

       53|     mkdir -p "$out/etc"
       54|     ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
         |                                           ^
       55|       "makeEtcEntry"

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:33:

       53|     mkdir -p "$out/etc"
       54|     ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
         |                                 ^
       55|       "makeEtcEntry"

   … from call site

   … while evaluating 'concatMapStringsSep'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings.nix:111:5:

      110|     # List of input strings
      111|     list: concatStringsSep sep (map f list);
         |     ^
      112|

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix:54:7:

       53|     mkdir -p "$out/etc"
       54|     ${concatMapStringsSep "\n" (etcEntry: escapeShellArgs [
         |       ^
       55|       "makeEtcEntry"

   … while evaluating the attribute 'buildCommand' of the derivation 'etc'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/make-derivation.nix:278:7:

      277|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
      278|       name =
         |       ^
      279|         let

   … while evaluating the attribute 'value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:581:44:

      580|       defnsByName' = byName "config" (module: value:
      581|           [{ inherit (module) file; inherit value; }]
         |                                            ^
      582|         ) configs;

   … while evaluating 'atDepth'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:60:17:

       59|       len = length attrPath;
       60|       atDepth = n:
         |                 ^
       61|         if n == len

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:63:39:

       62|         then value
       63|         else { ${elemAt attrPath n} = atDepth (n + 1); };
         |                                       ^
       64|     in atDepth 0;

   … while evaluating the attribute 'value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:461:58:

      460|         # Push down position info.
      461|         (map (def: mapAttrs (n: v: { inherit (def) file; value = v; }) def.value) defs);
         |                                                          ^
      462|       emptyValue = { value = {}; };

   … while evaluating 'dischargeProperties'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:832:25:

      831|   */
      832|   dischargeProperties = def:
         |                         ^
      833|     if def._type or "" == "merge" then

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:761:137:

      760|         defs' = concatMap (m:
      761|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
         |                                                                                                                                         ^
      762|         ) defs;

   … while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc.nix':

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:28:

      759|         # Process mkMerge and mkIf properties.
      760|         defs' = concatMap (m:
         |                            ^
      761|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:17:

      759|         # Process mkMerge and mkIf properties.
      760|         defs' = concatMap (m:
         |                 ^
      761|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

   … while evaluating the attribute 'values'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:873:7:

      872|     in {
      873|       values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
         |       ^
      874|       inherit highestPrio;

   … while evaluating the attribute 'values'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:774:9:

      773|       in {
      774|         values = defs''';
         |         ^
      775|         inherit (defs'') highestPrio;

   … while evaluating the attribute 'optionalValue.value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:792:5:

      791|
      792|     optionalValue =
         |     ^
      793|       if isDefined then { value = mergedValue; }

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/types.nix:455:29:

      454|       merge = loc: defs:
      455|         zipAttrsWith (name: defs:
         |                             ^
      456|           let merged = mergeDefinitions (loc ++ [name]) elemType defs;

   … from call site

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:518:24:

      517|     let f = attrPath:
      518|       zipAttrsWith (n: values:
         |                        ^
      519|         let here = attrPath ++ [n]; in

   … from call site

   … while evaluating the attribute 'value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:581:44:

      580|       defnsByName' = byName "config" (module: value:
      581|           [{ inherit (module) file; inherit value; }]
         |                                            ^
      582|         ) configs;

   … while evaluating 'dischargeProperties'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:832:25:

      831|   */
      832|   dischargeProperties = def:
         |                         ^
      833|     if def._type or "" == "merge" then

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:761:137:

      760|         defs' = concatMap (m:
      761|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
         |                                                                                                                                         ^
      762|         ) defs;

   … while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/etc/etc-activation.nix':

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:28:

      759|         # Process mkMerge and mkIf properties.
      760|         defs' = concatMap (m:
         |                            ^
      761|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:760:17:

      759|         # Process mkMerge and mkIf properties.
      760|         defs' = concatMap (m:
         |                 ^
      761|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

   … while evaluating the attribute 'values'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:873:7:

      872|     in {
      873|       values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
         |       ^
      874|       inherit highestPrio;

   … while evaluating the attribute 'values'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:774:9:

      773|       in {
      774|         values = defs''';
         |         ^
      775|         inherit (defs'') highestPrio;

   … while evaluating the attribute 'mergedValue'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:780:5:

      779|     # Type-check the remaining definitions, and merge them. Or throw if no definitions.
      780|     mergedValue =
         |     ^
      781|       if isDefined then

   … while evaluating the option `system.activationScripts.etc.text':

   … while evaluating the attribute 'value'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:746:9:

      745|     in warnDeprecation opt //
      746|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
         |         ^
      747|         inherit (res.defsFinal') highestPrio;

   … while evaluating anonymous lambda

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:296:72:

      295|           # For definitions that have an associated option
      296|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
         |                                                                        ^
      297|

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:401:20:

      400|               then recurse (path ++ [name]) value
      401|               else f (path ++ [name]) value;
         |                    ^
      402|         in mapAttrs g;

   … while evaluating 'g'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:398:19:

      397|           g =
      398|             name: value:
         |                   ^
      399|             if isAttrs value && cond value

   … from call site

   … while evaluating the attribute 'text'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:9:5:

        8|   addAttributeName = mapAttrs (a: v: v // {
        9|     text = ''
         |     ^
       10|       #### Activation script snippet ${a}:

   … while evaluating 'id'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/trivial.nix:14:5:

       13|     # The value to return
       14|     x: x;
         |     ^
       15|

   … from call site

   … while evaluating 'textClosureMap'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/strings-with-deps.nix:75:35:

       74|
       75|   textClosureMap = f: predefined: names:
         |                                   ^
       76|     concatStringsSep "\n" (map f (textClosureList predefined names));

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:49:9:

       48|
       49|       ${textClosureMap id (withDrySnippets) (attrNames withDrySnippets)}
         |         ^
       50|

   … while evaluating 'systemActivationScript'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:20:33:

       19|
       20|   systemActivationScript = set: onlyDry: let
         |                                 ^
       21|     set' = mapAttrs (_: v: if isString v then (noDepEntry v) // { supportsDryActivation = false; } else v) set;

   … from call site

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:137:18:

      136|       apply = set: set // {
      137|         script = systemActivationScript set false;
         |                  ^
      138|       };

   … while evaluating the attribute 'system.activationScripts.script'

   at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/activation-script.nix:137:9:

      136|       apply = set: set // {
      137|         script = systemActivationScript set false;
         |         ^
      138|       };

   … while evaluating the attribute 'activationScript' of the derivation 'nixos-system-nixos-22.05.2590.9a91318fffe'

   at /nix/store/inwjjzhpwm9vyaykza175jd26ssp2q8b-nixos-22.05/nixos/pkgs/stdenv/generic/make-derivation.nix:278:7:

      277|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
      278|       name =
         |       ^
      279|         let

Thats the last mentioned derivation name in the log, usually that is the manually installed package then.

1 Like

I read carefully but didn’t see it. I think the tip is to grep for of the derivation?

I don’t have notebook package in my list but I guessed it came from jupyter. I removed jupyter and was able to switch configuration.

It was a stroke of luck: if I didn’t know that it could be a dependency of jupyter I wouldn’t find it. There is no tool to see the tree of dependencies?

What about now? Should I report an issue to Issues · NixOS/nixpkgs · GitHub ?

nix why-depends technically exists, but afaik you need to specify the nixosConfigurarion as a derivation and that means remembering what the path for that is. I currently don’t ;p

I imagine that’s a known issue, though. I’d have a search through existing issues before raising another.

it’s quite obvious the broken and insecure flags in nixpkgs need more description data.

so not only should it tell me these things, it should also tell me why!

1 Like

This wouldn’t help to improve the described problem. Knowing why some package is marked as insecure (I think it even does that today if possible) doesn’t help me to determine what packages depend on it.

I think the only way to effectively solve this problem is to improve Nix’s stack traces or implement a custom eval error handling code in nixpkgs’ check-meta.nix that doesn’t rely on builtins.throw at all.

2 Likes