nix_2_3: drop
This has been marked insecure a while ago, as some CVEs have not been backported. Even if *some* CVEs are fixed, we'd need **all** of them to be, to get it back into the cache. Not having it in the cache means, we can not test it in CI. This means we can't make sure to actually support this version to evaluate Nixpkgs.
This commit is contained in:
parent
cc3d2295b6
commit
fa0cba1c39
@ -17,13 +17,7 @@ let
|
||||
else
|
||||
nixpkgs;
|
||||
|
||||
pkgs = import nixpkgs' {
|
||||
inherit system;
|
||||
config = {
|
||||
permittedInsecurePackages = [ "nix-2.3.18" ];
|
||||
};
|
||||
overlays = [ ];
|
||||
};
|
||||
pkgs = import nixpkgs' { inherit system; };
|
||||
|
||||
fmt =
|
||||
let
|
||||
|
@ -14,6 +14,10 @@
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
||||
- `nixVersions.nix_2_3` has been dropped because it was insecure and unmaintained.
|
||||
|
||||
- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18.
|
||||
|
||||
- The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader
|
||||
|
||||
- `base16-builder` node package has been removed due to lack of upstream maintenance.
|
||||
|
@ -1,2 +1,2 @@
|
||||
# Expose the minimum required version for evaluating Nixpkgs
|
||||
"2.3.17"
|
||||
"2.18"
|
||||
|
@ -2,16 +2,9 @@
|
||||
# The pkgs used for dependencies for the testing itself
|
||||
# Don't test properties of pkgs.lib, but rather the lib in the parent directory
|
||||
system ? builtins.currentSystem,
|
||||
pkgs ?
|
||||
import ../.. {
|
||||
inherit system;
|
||||
config = {
|
||||
permittedInsecurePackages = [ "nix-2.3.18" ];
|
||||
};
|
||||
}
|
||||
// {
|
||||
lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
|
||||
},
|
||||
pkgs ? import ../.. { inherit system; } // {
|
||||
lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
|
||||
},
|
||||
# For testing someone may edit impure.nix to return cross pkgs, use `pkgsBuildBuild` directly so everything here works.
|
||||
pkgsBB ? pkgs.pkgsBuildBuild,
|
||||
nix ? pkgs-nixVersions.stable,
|
||||
|
@ -121,9 +121,9 @@ python3Packages.buildPythonApplication rec {
|
||||
with_nix_stable = nixos-rebuild-ng.override {
|
||||
nix = nixVersions.stable;
|
||||
};
|
||||
with_nix_2_3 = nixos-rebuild-ng.override {
|
||||
# oldest / minimum supported version in nixpkgs
|
||||
nix = nixVersions.nix_2_3;
|
||||
with_nix_2_24 = nixos-rebuild-ng.override {
|
||||
# oldest supported version in nixpkgs
|
||||
nix = nixVersions.nix_2_24;
|
||||
};
|
||||
with_lix_latest = nixos-rebuild-ng.override {
|
||||
nix = lixPackageSets.latest.lix;
|
||||
|
@ -21,7 +21,6 @@
|
||||
}@args:
|
||||
assert (hash == null) -> (src != null);
|
||||
let
|
||||
atLeast224 = lib.versionAtLeast version "2.24pre";
|
||||
atLeast225 = lib.versionAtLeast version "2.25pre";
|
||||
in
|
||||
{
|
||||
@ -116,7 +115,7 @@ let
|
||||
]
|
||||
++ lib.optional stdenv.hostPlatform.isMusl "fortify";
|
||||
|
||||
nativeInstallCheckInputs = lib.optionals atLeast224 [
|
||||
nativeInstallCheckInputs = [
|
||||
git
|
||||
man
|
||||
];
|
||||
@ -129,21 +128,11 @@ let
|
||||
flex
|
||||
jq
|
||||
]
|
||||
++ lib.optionals enableDocumentation (
|
||||
if atLeast224 then
|
||||
[
|
||||
(lib.getBin lowdown-unsandboxed)
|
||||
mdbook
|
||||
mdbook-linkcheck
|
||||
]
|
||||
else
|
||||
[
|
||||
libxslt
|
||||
libxml2
|
||||
docbook_xsl_ns
|
||||
docbook5
|
||||
]
|
||||
)
|
||||
++ lib.optionals enableDocumentation [
|
||||
(lib.getBin lowdown-unsandboxed)
|
||||
mdbook
|
||||
mdbook-linkcheck
|
||||
]
|
||||
++ lib.optionals stdenv.hostPlatform.isLinux [
|
||||
util-linuxMinimal
|
||||
];
|
||||
@ -161,8 +150,6 @@ let
|
||||
gtest
|
||||
libarchive
|
||||
lowdown
|
||||
]
|
||||
++ lib.optionals atLeast224 [
|
||||
libgit2
|
||||
toml11
|
||||
rapidcheck
|
||||
@ -182,8 +169,6 @@ let
|
||||
|
||||
propagatedBuildInputs = [
|
||||
boehmgc
|
||||
]
|
||||
++ lib.optionals atLeast224 [
|
||||
nlohmann_json
|
||||
];
|
||||
|
||||
@ -202,24 +187,7 @@ let
|
||||
chmod u+w $out/lib/*.so.*
|
||||
patchelf --set-rpath $out/lib:${lib.getLib stdenv.cc.cc}/lib $out/lib/libboost_thread.so.*
|
||||
''}
|
||||
''
|
||||
+
|
||||
# On all versions before c9f51e87057652db0013289a95deffba495b35e7, which
|
||||
# removes config.nix entirely and is not present in 2.3.x, we need to
|
||||
# patch around an issue where the Nix configure step pulls in the build
|
||||
# system's bash and other utilities when cross-compiling.
|
||||
lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform && !atLeast224) ''
|
||||
mkdir tmp/
|
||||
substitute corepkgs/config.nix.in tmp/config.nix.in \
|
||||
--subst-var-by bash ${bash}/bin/bash \
|
||||
--subst-var-by coreutils ${coreutils}/bin \
|
||||
--subst-var-by bzip2 ${bzip2}/bin/bzip2 \
|
||||
--subst-var-by gzip ${gzip}/bin/gzip \
|
||||
--subst-var-by xz ${xz}/bin/xz \
|
||||
--subst-var-by tar ${gnutar}/bin/tar \
|
||||
--subst-var-by tr ${coreutils}/bin/tr
|
||||
mv tmp/config.nix.in corepkgs/config.nix.in
|
||||
'';
|
||||
'';
|
||||
|
||||
configureFlags = [
|
||||
"--with-store-dir=${storeDir}"
|
||||
@ -233,7 +201,7 @@ let
|
||||
++ lib.optionals stdenv.hostPlatform.isLinux [
|
||||
"--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox"
|
||||
]
|
||||
++ lib.optionals (atLeast224 && stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [
|
||||
++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [
|
||||
"--enable-embedded-sandbox-shell"
|
||||
]
|
||||
++
|
||||
@ -250,7 +218,7 @@ let
|
||||
# RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
|
||||
"--disable-seccomp-sandboxing"
|
||||
]
|
||||
++ lib.optionals (atLeast224 && stdenv.cc.isGNU && !enableStatic) [
|
||||
++ lib.optionals (stdenv.cc.isGNU && !enableStatic) [
|
||||
"--enable-lto"
|
||||
];
|
||||
|
||||
@ -275,7 +243,7 @@ let
|
||||
installFlags = [ "sysconfdir=$(out)/etc" ];
|
||||
|
||||
doInstallCheck = true;
|
||||
installCheckTarget = if atLeast224 then "installcheck" else null;
|
||||
installCheckTarget = "installcheck";
|
||||
|
||||
# socket path becomes too long otherwise
|
||||
preInstallCheck =
|
||||
@ -288,10 +256,10 @@ let
|
||||
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
|
||||
''
|
||||
# See https://github.com/NixOS/nix/issues/5687
|
||||
+ lib.optionalString (atLeast224 && stdenv.hostPlatform.isDarwin) ''
|
||||
+ lib.optionalString (stdenv.hostPlatform.isDarwin) ''
|
||||
echo "exit 99" > tests/gc-non-blocking.sh
|
||||
'' # TODO: investigate why this broken
|
||||
+ lib.optionalString (atLeast224 && stdenv.hostPlatform.system == "aarch64-linux") ''
|
||||
+ lib.optionalString (stdenv.hostPlatform.system == "aarch64-linux") ''
|
||||
echo "exit 0" > tests/functional/flakes/show.sh
|
||||
''
|
||||
+ ''
|
||||
@ -299,7 +267,7 @@ let
|
||||
export MANPATH=$man/share/man:$MANPATH
|
||||
'';
|
||||
|
||||
separateDebugInfo = stdenv.hostPlatform.isLinux && (atLeast224 -> !enableStatic);
|
||||
separateDebugInfo = stdenv.hostPlatform.isLinux && !enableStatic;
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
|
@ -151,32 +151,6 @@ lib.makeExtensible (
|
||||
self:
|
||||
(
|
||||
{
|
||||
nix_2_3 =
|
||||
(commonAutoconf {
|
||||
version = "2.3.18";
|
||||
hash = "sha256-jBz2Ub65eFYG+aWgSI3AJYvLSghio77fWQiIW1svA9U=";
|
||||
patches = [
|
||||
patch-monitorfdhup
|
||||
];
|
||||
self_attribute_name = "nix_2_3";
|
||||
knownVulnerabilities = [
|
||||
"CVE-2024-38531"
|
||||
"CVE-2024-47174"
|
||||
"CVE-2025-46415"
|
||||
"CVE-2025-46416"
|
||||
"CVE-2025-52991"
|
||||
"CVE-2025-52992"
|
||||
"CVE-2025-52993"
|
||||
];
|
||||
maintainers = with lib.maintainers; [ flokli ];
|
||||
teams = [ ];
|
||||
}).overrideAttrs
|
||||
{
|
||||
# https://github.com/NixOS/nix/issues/10222
|
||||
# spurious test/add.sh failures
|
||||
enableParallelChecking = false;
|
||||
};
|
||||
|
||||
nix_2_24 = commonAutoconf {
|
||||
version = "2.24.15";
|
||||
hash = "sha256-GHqFHLxvRID2IEPUwIfRMp8epYQMFcvG9ogLzfWRbPc=";
|
||||
|
@ -11,9 +11,6 @@ nix_versions=$(nix eval --impure --json --expr "with import ./. { config.allowAl
|
||||
|
||||
for name in $nix_versions; do
|
||||
minor_version=${name#nix_*_}
|
||||
if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
|
||||
continue
|
||||
fi
|
||||
|
||||
nix-update --override-filename "$SCRIPT_DIR/default.nix" --version-regex "(2\\.${minor_version}\..+)" --build --commit "nixVersions.$name"
|
||||
done
|
||||
@ -25,9 +22,6 @@ stable_version_trimmed=${stable_version_full%.*}
|
||||
|
||||
for name in $nix_versions; do
|
||||
minor_version=${name#nix_*_}
|
||||
if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
|
||||
continue
|
||||
fi
|
||||
if [[ "$name" = "nix_${stable_version_trimmed//./_}" ]]; then
|
||||
curl https://releases.nixos.org/nix/nix-$stable_version_full/fallback-paths.nix > "$NIXPKGS_DIR/nixos/modules/installer/tools/nix-fallback-paths.nix"
|
||||
# nix-update will commit the file if it has changed
|
||||
|
@ -1435,7 +1435,7 @@ mapAliases {
|
||||
nixFlakes = throw "'nixFlakes' has been renamed to/replaced by 'nixVersions.stable'"; # Converted to throw 2024-10-17
|
||||
nixStable = nixVersions.stable; # Added 2022-01-24
|
||||
nixUnstable = throw "nixUnstable has been removed. For bleeding edge (Nix master, roughly weekly updated) use nixVersions.git, otherwise use nixVersions.latest."; # Converted to throw 2024-04-22
|
||||
nix_2_3 = nixVersions.nix_2_3;
|
||||
nix_2_3 = throw "'nix_2_3' has been removed, because it was unmaintained and insecure."; # Converted to throw 2025-07-24
|
||||
nixfmt-rfc-style =
|
||||
if lib.oldestSupportedReleaseIsAtLeast 2511 then
|
||||
lib.warnOnInstantiate
|
||||
|
@ -3,13 +3,7 @@
|
||||
officialRelease,
|
||||
pkgs ? import nixpkgs.outPath { },
|
||||
nix ? pkgs.nix,
|
||||
lib-tests ? import ../../lib/tests/release.nix {
|
||||
pkgs = import nixpkgs.outPath {
|
||||
config = {
|
||||
permittedInsecurePackages = [ "nix-2.3.18" ];
|
||||
};
|
||||
};
|
||||
},
|
||||
lib-tests ? import ../../lib/tests/release.nix { inherit pkgs; },
|
||||
}:
|
||||
|
||||
pkgs.releaseTools.sourceTarball {
|
||||
|
@ -113,20 +113,7 @@ let
|
||||
|
||||
manual = pkgs.nixpkgs-manual.override { inherit nixpkgs; };
|
||||
metrics = import ./metrics.nix { inherit pkgs nixpkgs; };
|
||||
lib-tests = import ../../lib/tests/release.nix {
|
||||
pkgs = import nixpkgs (
|
||||
recursiveUpdate
|
||||
(recursiveUpdate {
|
||||
inherit system;
|
||||
config.allowUnsupportedSystem = true;
|
||||
} nixpkgsArgs)
|
||||
{
|
||||
config.permittedInsecurePackages = nixpkgsArgs.config.permittedInsecurePackages or [ ] ++ [
|
||||
"nix-2.3.18"
|
||||
];
|
||||
}
|
||||
);
|
||||
};
|
||||
lib-tests = import ../../lib/tests/release.nix { inherit pkgs; };
|
||||
pkgs-lib-tests = import ../pkgs-lib/tests { inherit pkgs; };
|
||||
|
||||
darwin-tested =
|
||||
|
Loading…
x
Reference in New Issue
Block a user