How to use "permittedInsecurePackages"?

[sevillaarvin]

I have a very similar problem with #623. I see that a new key was added to address this #619.

However, when I added it, the error still shows.

devenv.nix

{ pkgs, ... }:

{
  # https://devenv.sh/basics/
  env.GREET = "devenv";

  # https://devenv.sh/packages/
  packages =
    [ 
      
    ];

  # https://devenv.sh/scripts/
  scripts.hello.exec = "echo hello from $GREET";

  enterShell = ''
  '';

  # https://devenv.sh/languages/
  languages.ruby = {
    enable = true; 
    version = "2.6.5";
  };

  # languages.ruby.bundler = {
  #   enable = true;
  #   package = ?;
  # };

  # https://devenv.sh/pre-commit-hooks/
  # pre-commit.hooks.shellcheck.enable = true;

  # https://devenv.sh/processes/
  # processes.ping.exec = "ping example.com";

  # See full reference at https://devenv.sh/reference/options/
}

devenv.yaml

inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixpkgs-unstable
  nixpkgs-ruby:
    url: github:bobvanderlinden/nixpkgs-ruby
    inputs:
      nixpkgs:
        follows: nixpkgs
permittedInsecurePackages:
  - "openssl-1.1.1v"
  - "openssl-1.1.1t"
  - "openssl_1_1"

cli error

       error: Package ‘openssl-1.1.1v’ in «github:NixOS/nixpkgs/9b2aa98db6b10503666a50f4eb93b2fc0d57bde5»/pkgs/development/libraries/openssl/default.nix:222 is marked as insecure, refusing to evaluate.


       Known issues:
        - OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘openssl-1.1.1v’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "openssl-1.1.1v"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘openssl-1.1.1v’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "openssl-1.1.1v"
              ];
            }

devenv version

devenv: 0.6.3

Any advice is appreciated, thanks!

[sevillaarvin]

I should note that I am able to use it in another project successfully:

cli error without permittedInsecurePackages

       error: Package ‘nodejs-16.20.2’ in «github:NixOS/nixpkgs/f0451844bbdf545f696f029d1448de4906c7f753»/pkgs/development/web/nodejs/v16.nix:16 is marked as insecure, refusing to evaluate.


       Known issues:
        - This NodeJS release has reached its end of life. See https://nodejs.org/en/about/releases/.

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘nodejs-16.20.2’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "nodejs-16.20.2"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘nodejs-16.20.2’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "nodejs-16.20.2"
              ];
            }
direnv: loading the environment failed
direnv: error exit status 1

success with permittedInsecurePackages in devenv.yaml

inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixpkgs-unstable
permittedInsecurePackages:
  - "nodejs-16.20.2"

direnv.nix

{ pkgs, ... }:

{
  packages = with pkgs;
      [ nodePackages.typescript-language-server
        nodePackages.volar
      ];

  enterShell = ''
    export VUE_LANGUAGE_SERVER_TSDK="$(dirname $(dirname $(which -a typescript-language-server)))/lib/node_modules/typescript/lib"
  '';

  languages.javascript = {
      enable = true;
      package = pkgs.nodejs-16_x;
  };

  # https://devenv.sh/pre-commit-hooks/
  # pre-commit.hooks.shellcheck.enable = true;
}

EDIT:
Also I'm using MacOS 13.5 if that matters.

[domenkozar]

The issue here is that nixpkgs is imported by https://github.com/bobvanderlinden/nixpkgs-ruby doesn't pass our settings.

We'd have to somehow collect config in flakes at central location so all imports of nixpkgs can use it.

cc @bobvanderlinden

[domenkozar]

We can fix this for #745 by setting NIXPKGS_CONFIG so that all nixpkgs imports respect it.

[bobvanderlinden]

Hmm, that is indeed unfortunate. NIXPKGS_CONFIG sounds like a way to go for now since we're using impure Nix in devenv. Hopefully these kinds of issues can be resolved in Nix Flakes eventually.

[domenkozar]

We got rid of --impure so we'll have to be creative solving this one.

[bobvanderlinden]

Hmm, indeed. This is tricky.

I'm thinking that nixpkgs-ruby should allow injecting pkgs or nixpkgs config? Downside is that it doesnt seem to match with any flake standard and we're thinking up a new solution.

Or avoid using nixpkgs in nixpkgs-ruby by using the overlay on devenvs nixpkgs. More standardized, but it'll probably not be able to use the cache of nixpkgs-ruby.

[domenkozar]

I managed to come up with a way to fix this, going to write a prototype tomorrow.

It should work as long as you use nixpkgs.legacyPackages and follow the nixpkgs we provide.

[instantepiphany]

I managed to come up with a way to fix this, going to write a prototype tomorrow.

It should work as long as you use nixpkgs.legacyPackages and follow the nixpkgs we provide.

I just came up against this. nodejs-16* was removed from nixpkgs November 2023.

My understanding is that to use it, I need to have a specific input that uses the revision that still had that package in the tree.

Are you saying your fix will only work for nixpkgs inputs that follow the devenv one?

As that means old packages (that are no longer in the nixpkgs tree provided with devenv) can't be installed, right?

I suppose one workaround is repackaging nodejs-16* in my own flake and pulling that in that way.

Would that be the best path forward for this case?

[bobvanderlinden]

Regarding nodejs-16, it is a different issue. It isn't so much an insecure package, it is removed from nixpkgs. See #218 (comment) for an example on how to use packages from older nixpkgs. The issues that cover this are: #16 and #681

As for insecure packages, they could also be overridden in an overlay. Always use an overlay for (for instance) nixpkgs-ruby and having a way to mark packages as non-insecure (which uses override of meta behind the scenes).

[domenkozar]

Relevent nix issue NixOS/nix#9875