Why does my system depend on openssl 1.1?

I am trying to upgrade and get this error:

➜  ~ sudo nixos-rebuild boot --upgrade --verbose   
$ nix-channel --update nixos
unpacking channels...
$ nix --extra-experimental-features nix-command flakes build --out-link /tmp/nixos-rebuild.GAqkLI/nixos-rebuild /etc/nixos#nixosConfigurations."iceberg".config.system.build.nixos-rebuild --verbose
$ exec /nix/store/kmy5zdy474s7yhlh3qlf26g87wh03rz3-nixos-rebuild/bin/nixos-rebuild boot --upgrade --verbose
building the system configuration...
Building in flake mode.
$ nix --extra-experimental-features nix-command flakes build /etc/nixos#nixosConfigurations."iceberg".config.system.build.toplevel --verbose --out-link /tmp/nixos-rebuild.iZGm09/result
error: Package ‘openssl-1.1.1w’ in /nix/store/lgcjj6s23v2203zyihsd0j26wh1saj0c-source/pkgs/development/libraries/openssl/default.nix:222 is marked as insecure, refusing to evaluate.

       Known issues:
        - OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

I do not rely explicitly on openSSL 1.1 anywhere in my configuration.nix. I assume one or more of my systemPackages relies on it. But I don’t know which one.

How to find the offender?

Could it have been nixops (currently in version 1.7)?

add the --show-trace flag, and see if you can find in the trace which package is the culprit.


nix why-depends --derivation could in theory give an answer too, without digging through the trace.

1 Like