From fa0cba1c398faad0b810555daea3bfeb05719a8c Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Thu, 24 Jul 2025 16:08:14 +0200 Subject: [PATCH] nix_2_3: drop This has been marked insecure a while ago, as some CVEs have not been backported. Even if *some* CVEs are fixed, we'd need **all** of them to be, to get it back into the cache. Not having it in the cache means, we can not test it in CI. This means we can't make sure to actually support this version to evaluate Nixpkgs. --- ci/default.nix | 8 +-- doc/release-notes/rl-2511.section.md | 4 ++ lib/minver.nix | 2 +- lib/tests/release.nix | 13 +---- pkgs/by-name/ni/nixos-rebuild-ng/package.nix | 6 +- .../nix/common-autoconf.nix | 58 +++++-------------- pkgs/tools/package-management/nix/default.nix | 26 --------- .../package-management/nix/update-all.sh | 6 -- pkgs/top-level/aliases.nix | 2 +- pkgs/top-level/make-tarball.nix | 8 +-- pkgs/top-level/release.nix | 15 +---- 11 files changed, 28 insertions(+), 120 deletions(-) diff --git a/ci/default.nix b/ci/default.nix index 46c3c77064b9..c75de0ff2b9a 100644 --- a/ci/default.nix +++ b/ci/default.nix @@ -17,13 +17,7 @@ let else nixpkgs; - pkgs = import nixpkgs' { - inherit system; - config = { - permittedInsecurePackages = [ "nix-2.3.18" ]; - }; - overlays = [ ]; - }; + pkgs = import nixpkgs' { inherit system; }; fmt = let diff --git a/doc/release-notes/rl-2511.section.md b/doc/release-notes/rl-2511.section.md index 6cd94f483531..7cd35f74fa9e 100644 --- a/doc/release-notes/rl-2511.section.md +++ b/doc/release-notes/rl-2511.section.md @@ -14,6 +14,10 @@ +- `nixVersions.nix_2_3` has been dropped because it was insecure and unmaintained. + +- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18. + - The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader - `base16-builder` node package has been removed due to lack of upstream maintenance. 
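Review bot: The new `pkgs = import nixpkgs' { inherit system; };` drops the explicit `overlays = [ ];` along with the `config` attribute, so when `nixpkgs'` resolves to the nixpkgs root (decided in the `if … else nixpkgs` expression above the hunk) both now fall back to the impure defaults that nixpkgs' top-level reads from the environment (`NIXPKGS_CONFIG`, `~/.config/nixpkgs/config.nix`, user overlay files), which can make a CI evaluation on a developer's machine differ from the runner's. Keeping both pinned is one line: `pkgs = import nixpkgs' { inherit system; config = { }; overlays = [ ]; };`. The same point applies to the `pkgs ? import ../.. { inherit system; }` default in the lib/tests/release.nix hunk, which previously passed an explicit `config` and now inherits the user's; since that file never set `overlays`, only `config = { }` would be new there.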
diff --git a/lib/minver.nix b/lib/minver.nix index cb9c6ee3156f..c9fc45354d2e 100644 --- a/lib/minver.nix +++ b/lib/minver.nix @@ -1,2 +1,2 @@ # Expose the minimum required version for evaluating Nixpkgs -"2.3.17" +"2.18" diff --git a/lib/tests/release.nix b/lib/tests/release.nix index 1f8c666eab01..3eb62912ffc4 100644 --- a/lib/tests/release.nix +++ b/lib/tests/release.nix @@ -2,16 +2,9 @@ # The pkgs used for dependencies for the testing itself # Don't test properties of pkgs.lib, but rather the lib in the parent directory system ? builtins.currentSystem, - pkgs ? - import ../.. { - inherit system; - config = { - permittedInsecurePackages = [ "nix-2.3.18" ]; - }; - } - // { - lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!"; - }, + pkgs ? import ../.. { inherit system; } // { + lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!"; + }, # For testing someone may edit impure.nix to return cross pkgs, use `pkgsBuildBuild` directly so everything here works. pkgsBB ? pkgs.pkgsBuildBuild, nix ? pkgs-nixVersions.stable, diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/package.nix b/pkgs/by-name/ni/nixos-rebuild-ng/package.nix index e7aa5f3d3ff4..b52193d33d35 100644 --- a/pkgs/by-name/ni/nixos-rebuild-ng/package.nix +++ b/pkgs/by-name/ni/nixos-rebuild-ng/package.nix @@ -121,9 +121,9 @@ python3Packages.buildPythonApplication rec { with_nix_stable = nixos-rebuild-ng.override { nix = nixVersions.stable; }; - with_nix_2_3 = nixos-rebuild-ng.override { - # oldest / minimum supported version in nixpkgs - nix = nixVersions.nix_2_3; + with_nix_2_24 = nixos-rebuild-ng.override { + # oldest supported version in nixpkgs + nix = nixVersions.nix_2_24; }; with_lix_latest = nixos-rebuild-ng.override { nix = lixPackageSets.latest.lix; diff --git a/pkgs/tools/package-management/nix/common-autoconf.nix b/pkgs/tools/package-management/nix/common-autoconf.nix index 894380f71cf0..fed7eb3ac0a9 100644 
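Review bot: The replacement comment `# oldest supported version in nixpkgs` on `with_nix_2_24` is ambiguous now that lib/minver.nix in the same patch states the minimum Nix for evaluating Nixpkgs as 2.18: a reader may take 2.24 to be that minimum. Suggest spelling out the distinction, e.g. `# oldest Nix release still packaged in nixVersions (lib/minver.nix gives the separate minimum for evaluating Nixpkgs)`. The attribute set this test sits in starts and ends outside the hunk.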
--- a/pkgs/tools/package-management/nix/common-autoconf.nix +++ b/pkgs/tools/package-management/nix/common-autoconf.nix @@ -21,7 +21,6 @@ }@args: assert (hash == null) -> (src != null); let - atLeast224 = lib.versionAtLeast version "2.24pre"; atLeast225 = lib.versionAtLeast version "2.25pre"; in { @@ -116,7 +115,7 @@ let ] ++ lib.optional stdenv.hostPlatform.isMusl "fortify"; - nativeInstallCheckInputs = lib.optionals atLeast224 [ + nativeInstallCheckInputs = [ git man ]; @@ -129,21 +128,11 @@ let flex jq ] - ++ lib.optionals enableDocumentation ( - if atLeast224 then - [ - (lib.getBin lowdown-unsandboxed) - mdbook - mdbook-linkcheck - ] - else - [ - libxslt - libxml2 - docbook_xsl_ns - docbook5 - ] - ) + ++ lib.optionals enableDocumentation [ + (lib.getBin lowdown-unsandboxed) + mdbook + mdbook-linkcheck + ] ++ lib.optionals stdenv.hostPlatform.isLinux [ util-linuxMinimal ]; @@ -161,8 +150,6 @@ let gtest libarchive lowdown - ] - ++ lib.optionals atLeast224 [ libgit2 toml11 rapidcheck @@ -182,8 +169,6 @@ let propagatedBuildInputs = [ boehmgc - ] - ++ lib.optionals atLeast224 [ nlohmann_json ]; 
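Review bot: With `atLeast224` gone, nothing in common-autoconf.nix rejects a `version` below 2.24 any more, while the later hunks in this file now apply 2.24-only settings unconditionally (`--enable-embedded-sandbox-shell` on static Linux, `--enable-lto`, `installCheckTarget = "installcheck"`, the lowdown/mdbook documentation inputs). A caller passing an older version would get a misconfigured build instead of a clear error; an early guard next to the existing hash assertion makes the new lower bound explicit: `assert lib.versionAtLeast version "2.24pre";`. The function header this `let` belongs to starts above the hunk.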
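Review bot: After the `if atLeast224 … else` branch in `nativeBuildInputs` is removed, `libxslt`, `libxml2`, `docbook_xsl_ns` and `docbook5` are no longer referenced in any visible hunk; if they are still listed in the function's argument set above this hunk, they become dead parameters that every caller has to keep satisfying and should be dropped from the signature as well. The same holds for `bash`, `coreutils`, `bzip2`, `gzip`, `xz` and `gnutar` once the hunk further down removes the cross-compilation `substitute corepkgs/config.nix.in` block, unless code outside these hunks still uses them. A search of the whole file for each name before removing it settles this.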
@@ -202,24 +187,7 @@ let chmod u+w $out/lib/*.so.* patchelf --set-rpath $out/lib:${lib.getLib stdenv.cc.cc}/lib $out/lib/libboost_thread.so.* ''} - '' - + - # On all versions before c9f51e87057652db0013289a95deffba495b35e7, which - # removes config.nix entirely and is not present in 2.3.x, we need to - # patch around an issue where the Nix configure step pulls in the build - # system's bash and other utilities when cross-compiling. - lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform && !atLeast224) '' - mkdir tmp/ - substitute corepkgs/config.nix.in tmp/config.nix.in \ - --subst-var-by bash ${bash}/bin/bash \ - --subst-var-by coreutils ${coreutils}/bin \ - --subst-var-by bzip2 ${bzip2}/bin/bzip2 \ - --subst-var-by gzip ${gzip}/bin/gzip \ - --subst-var-by xz ${xz}/bin/xz \ - --subst-var-by tar ${gnutar}/bin/tar \ - --subst-var-by tr ${coreutils}/bin/tr - mv tmp/config.nix.in corepkgs/config.nix.in - ''; + ''; configureFlags = [ "--with-store-dir=${storeDir}" @@ -233,7 +201,7 @@ let ++ lib.optionals stdenv.hostPlatform.isLinux [ "--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox" ] - ++ lib.optionals (atLeast224 && stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [ + ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [ "--enable-embedded-sandbox-shell" ] ++ @@ -250,7 +218,7 @@ let # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50 "--disable-seccomp-sandboxing" ] - ++ lib.optionals (atLeast224 && stdenv.cc.isGNU && !enableStatic) [ + ++ lib.optionals (stdenv.cc.isGNU && !enableStatic) [ "--enable-lto" ]; @@ -275,7 +243,7 @@ let installFlags = [ "sysconfdir=$(out)/etc" ]; doInstallCheck = true; - installCheckTarget = if atLeast224 then "installcheck" else null; + installCheckTarget = "installcheck"; # socket path becomes too long otherwise preInstallCheck = 
@@ -288,10 +256,10 @@ let export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES '' # See https://github.com/NixOS/nix/issues/5687 - + lib.optionalString (atLeast224 && stdenv.hostPlatform.isDarwin) '' + + lib.optionalString (stdenv.hostPlatform.isDarwin) '' echo "exit 99" > tests/gc-non-blocking.sh '' # TODO: investigate why this broken - + lib.optionalString (atLeast224 && stdenv.hostPlatform.system == "aarch64-linux") '' + + lib.optionalString (stdenv.hostPlatform.system == "aarch64-linux") '' echo "exit 0" > tests/functional/flakes/show.sh '' + '' @@ -299,7 +267,7 @@ let export MANPATH=$man/share/man:$MANPATH ''; - separateDebugInfo = stdenv.hostPlatform.isLinux && (atLeast224 -> !enableStatic); + separateDebugInfo = stdenv.hostPlatform.isLinux && !enableStatic; enableParallelBuilding = true; diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix index 80bb48013817..db149bf8b3e4 100644 --- a/pkgs/tools/package-management/nix/default.nix +++ b/pkgs/tools/package-management/nix/default.nix @@ -151,32 +151,6 @@ lib.makeExtensible ( self: ( { - nix_2_3 = - (commonAutoconf { - version = "2.3.18"; - hash = "sha256-jBz2Ub65eFYG+aWgSI3AJYvLSghio77fWQiIW1svA9U="; - patches = [ - patch-monitorfdhup - ]; - self_attribute_name = "nix_2_3"; - knownVulnerabilities = [ - "CVE-2024-38531" - "CVE-2024-47174" - "CVE-2025-46415" - "CVE-2025-46416" - "CVE-2025-52991" - "CVE-2025-52992" - "CVE-2025-52993" - ]; - maintainers = with lib.maintainers; [ flokli ]; - teams = [ ]; - }).overrideAttrs - { - # https://github.com/NixOS/nix/issues/10222 - # spurious test/add.sh failures - enableParallelChecking = false; - }; - nix_2_24 = commonAutoconf { version = "2.24.15"; hash = "sha256-GHqFHLxvRID2IEPUwIfRMp8epYQMFcvG9ogLzfWRbPc="; diff --git a/pkgs/tools/package-management/nix/update-all.sh b/pkgs/tools/package-management/nix/update-all.sh index a2b459e67e7f..d84b6f56a47f 100755 --- a/pkgs/tools/package-management/nix/update-all.sh 
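Review bot: The rewritten condition `lib.optionalString (stdenv.hostPlatform.isDarwin) ''` keeps parentheses that were only needed for the former `atLeast224 &&` conjunction; with a single operand they are noise, so `lib.optionalString stdenv.hostPlatform.isDarwin ''` reads better. The `aarch64-linux` condition two lines below still needs its parentheses, since `==` binds looser than function application. The `preInstallCheck` string these lines belong to starts above the hunk.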
+++ b/pkgs/tools/package-management/nix/update-all.sh @@ -11,9 +11,6 @@ nix_versions=$(nix eval --impure --json --expr "with import ./. { config.allowAl for name in $nix_versions; do minor_version=${name#nix_*_} - if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team - continue - fi nix-update --override-filename "$SCRIPT_DIR/default.nix" --version-regex "(2\\.${minor_version}\..+)" --build --commit "nixVersions.$name" done @@ -25,9 +22,6 @@ stable_version_trimmed=${stable_version_full%.*} for name in $nix_versions; do minor_version=${name#nix_*_} - if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team - continue - fi if [[ "$name" = "nix_${stable_version_trimmed//./_}" ]]; then curl https://releases.nixos.org/nix/nix-$stable_version_full/fallback-paths.nix > "$NIXPKGS_DIR/nixos/modules/installer/tools/nix-fallback-paths.nix" # nix-update will commit the file if it has changed diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index bc616ce90640..d31ac7e68d93 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -1435,7 +1435,7 @@ mapAliases { nixFlakes = throw "'nixFlakes' has been renamed to/replaced by 'nixVersions.stable'"; # Converted to throw 2024-10-17 nixStable = nixVersions.stable; # Added 2022-01-24 nixUnstable = throw "nixUnstable has been removed. For bleeding edge (Nix master, roughly weekly updated) use nixVersions.git, otherwise use nixVersions.latest."; # Converted to throw 2024-04-22 - nix_2_3 = nixVersions.nix_2_3; + nix_2_3 = throw "'nix_2_3' has been removed, because it was unmaintained and insecure."; # Converted to throw 2025-07-24 nixfmt-rfc-style = if lib.oldestSupportedReleaseIsAtLeast 2511 then lib.warnOnInstantiate diff --git a/pkgs/top-level/make-tarball.nix b/pkgs/top-level/make-tarball.nix index b1ddef188d93..1b90e4bfdb66 100644 --- a/pkgs/top-level/make-tarball.nix +++ b/pkgs/top-level/make-tarball.nix 
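Review bot: The new `nix_2_3 = throw "'nix_2_3' has been removed, because it was unmaintained and insecure.";` tells users what went away but not what to use, while the neighbouring `nixUnstable` alias names a replacement, and anyone still pinning `nix_2_3` has to pick a version explicitly. Suggest `nix_2_3 = throw "'nix_2_3' has been removed, because it was unmaintained and insecure. Use 'nixVersions.stable' (or an explicit 'nixVersions.nix_2_24' or newer) instead."; # Converted to throw 2025-07-24`.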
@@ -3,13 +3,7 @@ officialRelease, pkgs ? import nixpkgs.outPath { }, nix ? pkgs.nix, - lib-tests ? import ../../lib/tests/release.nix { - pkgs = import nixpkgs.outPath { - config = { - permittedInsecurePackages = [ "nix-2.3.18" ]; - }; - }; - }, + lib-tests ? import ../../lib/tests/release.nix { inherit pkgs; }, }: pkgs.releaseTools.sourceTarball { diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index ca8da7b04d7f..bc5b83d3db56 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -113,20 +113,7 @@ let manual = pkgs.nixpkgs-manual.override { inherit nixpkgs; }; metrics = import ./metrics.nix { inherit pkgs nixpkgs; }; - lib-tests = import ../../lib/tests/release.nix { - pkgs = import nixpkgs ( - recursiveUpdate - (recursiveUpdate { - inherit system; - config.allowUnsupportedSystem = true; - } nixpkgsArgs) - { - config.permittedInsecurePackages = nixpkgsArgs.config.permittedInsecurePackages or [ ] ++ [ - "nix-2.3.18" - ]; - } - ); - }; + lib-tests = import ../../lib/tests/release.nix { inherit pkgs; }; pkgs-lib-tests = import ../pkgs-lib/tests { inherit pkgs; }; darwin-tested =
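Review bot: The new `lib-tests = import ../../lib/tests/release.nix { inherit pkgs; };` no longer builds its own nixpkgs with `config.allowUnsupportedSystem = true` merged over `nixpkgsArgs`; lib-tests now sees whatever `pkgs` this file defines, which is outside the hunk. If that `pkgs` is not itself instantiated with `allowUnsupportedSystem` and the caller's `nixpkgsArgs`, the lib tests change behaviour on unsupported systems and stop honouring the caller's config, which is probably unintended. Worth checking the `pkgs` definition above; if it does carry those arguments, a short comment such as `# lib-tests deliberately reuses pkgs, which is built from nixpkgsArgs above` would record that. The make-tarball.nix hunk makes the same `inherit pkgs` switch, with `pkgs ? import nixpkgs.outPath { }` as its default.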