Allow insecure openssl version #89

Open
marvin-bitterlich opened this issue Sep 7, 2023 · 8 comments

Comments

@marvin-bitterlich

Hello,

I am trying out your devshell with ruby 2.7 and am getting this error:

 Known issues:
        - OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Since I'm not running NixOS and don't want to expect every developer to either modify their home folder or run with env variables, is there a way to modify the flake to allow the insecure openssl package? I am using the default template.

@caplod

caplod commented Sep 26, 2023

I have exactly the same question

@bobvanderlinden
Owner

You can use an older version of nixpkgs-ruby which refers to an older version of nixpkgs where openssl 1.1 isn't deprecated/removed yet. For instance:

$ nix run 'github:bobvanderlinden/nixpkgs-ruby/853db1f7f6af87322c18042af555194b1306172f#"ruby-2.7"' -- --version
ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]

If you really want to use nixpkgs-ruby with an EOL version of Ruby against a new version of nixpkgs, then you'd need to repackage OpenSSL 1.1 or Ruby needs to be patched to be compatible with OpenSSL 3. I tried in the past, but it was too much effort for me to have an EOL version work with a modern OpenSSL.

@bobvanderlinden
Owner

bobvanderlinden commented Nov 26, 2023

Since I'm not running NixOS and don't want to expect every developer to either modify their home folder or run with env variables, is there a way to modify the flake to allow the insecure openssl package? I am using the default template.

Just wanted to mention as well, if you're using devenv.sh, you can use the permittedInsecurePackages option in devenv.yaml, like so:

permittedInsecurePackages:
- openssl-1.1.1w

@johnhamelink

johnhamelink commented Nov 29, 2023

Hi there,

I'm using permittedInsecurePackages, but when I try to use packageFromRubyVersionFile, the insecure packages seem to be out of scope somehow?

  outputs = { self, nixpkgs, nixpkgs-ruby, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs {
          inherit system;

          overlays = [
            nixpkgs-ruby.overlays.default
          ];

          # All non-free dependencies are defined here.
          config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [
          ];

          config.permittedInsecurePackages = [
            "openssl-1.1.1w" # Needed by Ruby 2.7.x
          ];
        };

        ruby = nixpkgs-ruby.lib.packageFromRubyVersionFile {
          file = ./.ruby-version;
          inherit system;
        };
      in
      {
        packages.default = pkgs.mkShell {
          buildInputs = [ ruby ];
        };
      });
johnhamelink@jh-mbp pkg % nix flake check --show-trace
warning: Git tree '/Users/johnhamelink/code/pkg' is dirty
error:
       … while checking flake output 'packages'

         at /nix/store/p58d2j0ac7zvja5jl14xzbc19fakjxh2-source/lib.nix:39:17:

           38|               {
           39|                 ${key} = (attrs.${key} or { })
             |                 ^
           40|                   // { ${system} = ret.${key}; };

       … while checking the derivation 'packages.aarch64-darwin.default'

         at /nix/store/0lhk0h59ylkhc5pggdrk266r60v70kcy-source/flake.nix:39:11:

           38|         {
           39|           packages.default = pkgs.mkShell {
             |           ^
           40|             buildInputs = [

       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'nix-shell'
         whose name attribute is located at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:348:7

       … while evaluating attribute 'buildInputs' of derivation 'nix-shell'

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:395:7:

          394|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          395|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          396|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       … while evaluating derivation 'ruby-2.7.2'
         whose name attribute is located at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:348:7

       … while evaluating attribute 'buildInputs' of derivation 'ruby-2.7.2'

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/make-derivation.nix:395:7:

          394|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          395|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          396|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       … from call site

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/check-meta.nix:448:16:

          447|         {
          448|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
             |                ^
          449|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

       … while calling 'handleEvalIssue'

         at /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/stdenv/generic/check-meta.nix:225:38:

          224|
          225|   handleEvalIssue = { meta, attrs }: { reason , errormsg ? "" }:
             |                                      ^
          226|     let

       error: Package ‘openssl-1.1.1w’ in /nix/store/19kjl5p3hx3l51yfnii653a3qzm4l6hf-source/pkgs/development/libraries/openssl/default.nix:223 is marked as insecure, refusing to evaluate.


       Known issues:
        - OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘openssl-1.1.1w’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "openssl-1.1.1w"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘openssl-1.1.1w’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "openssl-1.1.1w"
              ];
            }
johnhamelink@jh-mbp pkg %

@bobvanderlinden
Owner

Ah right, nixpkgs-ruby must then also follow nixpkgs of devenv:

inputs:
  nixpkgs-ruby:
    url: github:bobvanderlinden/nixpkgs-ruby
    inputs:
      nixpkgs:
        follows: nixpkgs
permittedInsecurePackages:
- openssl-1.1.1w

@ryanmoon

inputs:
  nixpkgs-ruby:
    url: github:bobvanderlinden/nixpkgs-ruby
    inputs:
      nixpkgs:
        follows: nixpkgs
permittedInsecurePackages:
- openssl-1.1.1w

I cannot get that to work as expected; my only source of success has been to run export NIXPKGS_ALLOW_INSECURE=1 before running devenv shell.

@adamgoose

Using devenv in a flake, I was able to get this to work on an up-to-date version of nixpkgs by overriding the vulnerabilities associated with openssl_1_1.

flake.nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    devenv.url = "github:cachix/devenv";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
  };

  nixConfig = {
    extra-trusted-public-keys = "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=";
    extra-substituters = "https://devenv.cachix.org";
  };

  outputs = { self, nixpkgs, devenv, nixpkgs-ruby, ... } @ inputs:
    let
      pkgs = import nixpkgs { system = "aarch64-darwin"; };
    in
    {
      devShell.aarch64-darwin = devenv.lib.mkShell {
        inherit inputs pkgs;
        modules = [
          ({ pkgs, config, system, ... }:
            let
              openssl_1_1_insecure = pkgs.openssl_1_1.overrideAttrs (
                finalAttrs: previousAttrs: {
                  meta = previousAttrs.meta // { knownVulnerabilities = [ ]; };
                }
              );

              ruby = nixpkgs-ruby.lib.packageFromRubyVersionFile {
                system = "aarch64-darwin";
                file = ./.ruby-version;
              };

              ruby_insecure = ruby.override {
                openssl = openssl_1_1_insecure;
              };
            in
            {
              languages.ruby = {
                enable = true;
                package = ruby_insecure;
              };
            })
        ];
      };
    };
}
.ruby-version
2.7.4

@cassandracomar

cassandracomar commented Aug 9, 2024

this is a bit simpler and also works:

pkgs = import nixpkgs {
  inherit system;
  config.permittedInsecurePackages = ["openssl-1.1.1w"];
  overlays = [
    (final: prev: {
      ruby_2_6_3 = nixpkgs-ruby.packages.${system}."ruby-2.6.3".override {
        openssl = prev.openssl_1_1;
      };
    })
  ];
};

the issue is that nixpkgs-ruby, being its own flake, constructs its own import of nixpkgs that lacks any configuration changes you've made in your flake. so substituting the version of openssl used by the ruby package from your imported and configured copy of nixpkgs is all it takes to resolve this error.
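Pulling the thread's pieces together, as an added example (not code posted by anyone in this thread): a complete flake.nix that imports a configured nixpkgs with the permit scoped to the single package name and overrides the nixpkgs-ruby package's openssl from that configured copy, so the permit applies. The Ruby version 2.7.4, the attribute name ruby_2_7 and the use of flake-utils are assumptions.

```nix
{
  # Added example, not from the thread. The Ruby version, the ruby_2_7
  # attribute name and the flake-utils input are assumptions.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
  };

  outputs = { self, nixpkgs, flake-utils, nixpkgs-ruby }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs {
          inherit system;
          # Permit exactly one insecure package by name. This records the
          # accepted risk in the repository, unlike NIXPKGS_ALLOW_INSECURE=1
          # (which disables the check for every package in that invocation)
          # or blanking meta.knownVulnerabilities (which hides the advisory
          # from everyone evaluating the package).
          config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
          overlays = [
            (final: prev: {
              # nixpkgs-ruby evaluates against its own, unconfigured nixpkgs;
              # pointing its Ruby at openssl_1_1 from *this* configured pkgs
              # is what makes the permit above take effect.
              ruby_2_7 = nixpkgs-ruby.packages.${system}."ruby-2.7.4".override {
                openssl = prev.openssl_1_1;
              };
            })
          ];
        };
      in
      {
        devShells.default = pkgs.mkShell {
          buildInputs = [ pkgs.ruby_2_7 ];
        };
      });
}
```

With this in place, `nix develop` needs no `--impure` flag and no environment variable, and the permit list is the one place to revisit when the EOL Ruby is retired.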
