qtwebkit marked as insecure causes nixos-unstable to fail evaluation for dbus #203111

Open
RossComputerGuy opened this issue Nov 26, 2022 · 7 comments

@RossComputerGuy
Contributor

Describe the bug

Due to qtwebkit-5.212.0-alpha4 being marked as insecure, it is preventing the serviceDirectories variable in nixos/modules/services/system/dbus.nix from being evaluated. Even if Qt or qtwebkit are not explicitly specified, it still causes this error message.

error: Package ‘qtwebkit-5.212.0-alpha4’ in /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/development/libraries/qt-5/qtModule.nix:72 is marked as insecure, refusing to evaluate.


       Known issues:
        - QtWebkit upstream is unmaintained and receives no security updates, see https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘qtwebkit-5.212.0-alpha4’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "qtwebkit-5.212.0-alpha4"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘qtwebkit-5.212.0-alpha4’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "qtwebkit-5.212.0-alpha4"
              ];
            }



       … while evaluating 'handleEvalIssue'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/check-meta.nix:227:38:

          226|
          227|   handleEvalIssue = { meta, attrs }: { reason , errormsg ? "" }:
             |                                      ^
          228|     let

       … from call site

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/check-meta.nix:385:16:

          384|         {
          385|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
             |                ^
          386|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

       … while evaluating the attribute 'no'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/check-meta.nix:385:11:

          384|         {
          385|           no = handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; };
             |           ^
          386|           warn = handleEvalWarning { inherit meta attrs; } { inherit (validity) reason errormsg; };

       … while evaluating the attribute 'handled'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/check-meta.nix:383:7:

          382|       # or, alternatively, just output a warning message.
          383|       handled =
             |       ^
          384|         {

       … while evaluating the attribute 'passAsFile'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/build-support/buildenv/default.nix:77:5:

           76|     # XXX: The size is somewhat arbitrary
           77|     passAsFile = if builtins.stringLength pkgs >= 128*1024 then [ "pkgs" ] else [ ];
             |     ^
           78|   }

       … while evaluating the attribute 'passAsFile' of the derivation 'qt-full-5.15.7'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

       … while evaluating the attribute 'passAsFile'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/build-support/buildenv/default.nix:77:5:

           76|     # XXX: The size is somewhat arbitrary
           77|     passAsFile = if builtins.stringLength pkgs >= 128*1024 then [ "pkgs" ] else [ ];
             |     ^
           78|   }

       … while evaluating the attribute 'passAsFile' of the derivation 'system-path'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

       … while evaluating 'check'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/lib/types.nix:482:15:

          481|       descriptionClass = "noun";
          482|       check = x: isCoercibleToString x && builtins.substring 0 1 (toString x) == "/";
             |               ^
          483|       merge = mergeEqualOption;

       … from call site

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/lib/modules.nix:749:22:

          748|       if isDefined then
          749|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                      ^
          750|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while evaluating anonymous lambda

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/lib/modules.nix:749:17:

          748|       if isDefined then
          749|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                 ^
          750|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … from call site

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/lib/modules.nix:749:12:

          748|       if isDefined then
          749|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |            ^
          750|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while evaluating the attribute 'value'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/lib/modules.nix:760:27:

          759|     optionalValue =
          760|       if isDefined then { value = mergedValue; }
             |                           ^
          761|       else {};

       … while evaluating anonymous lambda

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/lib/types.nix:492:14:

          491|       merge = loc: defs:
          492|         map (x: x.value) (filter (x: x ? value) (concatLists (imap1 (n: def:
             |              ^
          493|           imap1 (m: def':

       … from call site

       … while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1'

       at /nix/store/rhpn666sxdwxdlksvmg49v81r5dcx33s-source/pkgs/stdenv/generic/make-derivation.nix:270:7:

          269|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          270|       name =
             |       ^
          271|         let

       … while evaluating 'check'

Steps To Reproduce

Steps to reproduce the behavior:

  1. Try running nix build or nix-build of a derivation that is defined in config.system.build in a nixOS definition.

Expected behavior

dbus should evaluate and run.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Using nixos-unstable in a project but nixos-22.05 on host

Notify maintainers

@worldofpeace
@qknight
@ttuegel
@periklis
@bkchr

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.71, NixOS, 22.05 (Quokka), 22.05.4274.cf63ade6f74`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(root): `"expidus, nixos-22.05"`
 - channels(ross): `"expidus"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos
@FRidh
Member

FRidh commented Nov 26, 2022

 … while evaluating the attribute 'passAsFile' of the derivation 'qt-full-5.15.7'

From the trace it seems that somewhere you add qt5Full to your system packages. qt5Full isn't referenced in Nixpkgs from anywhere other than hsqml.
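
The trace reading described in the comment above can be automated. This is an added example, not code from the thread or from Nixpkgs: it pulls the refused package and the derivations named in the trace frames out of `--show-trace` output, assuming the frame format shown in this issue (innermost frame first). `parse_trace`, `dependency_path` and `SAMPLE_TRACE` are hypothetical names.

```python
import re

# Constructed sample: shortened excerpt of the trace in this issue (store hash elided).
SAMPLE_TRACE = """\
error: Package ‘qtwebkit-5.212.0-alpha4’ in /nix/store/HASH-source/pkgs/development/libraries/qt-5/qtModule.nix:72 is marked as insecure, refusing to evaluate.
       … while evaluating 'handleEvalIssue'
       … while evaluating the attribute 'passAsFile' of the derivation 'qt-full-5.15.7'
       … while evaluating the attribute 'passAsFile'
       … while evaluating the attribute 'passAsFile' of the derivation 'system-path'
       … while evaluating the attribute 'serviceDirectories' of the derivation 'dbus-1'
"""

# The message uses typographic quotes; plain quotes are accepted as well.
INSECURE_RE = re.compile(
    r"Package [‘'](?P<pkg>[^’']+)[’'] in (?P<file>\S+):(?P<line>\d+) is marked as insecure"
)
# Only frames that name a derivation are useful for locating the dependent.
FRAME_RE = re.compile(r"of the derivation '(?P<drv>[^']+)'")


def parse_trace(text):
    """Return the refused package, where it is defined, and the derivations
    named in the trace frames (innermost first, duplicates dropped)."""
    hit = INSECURE_RE.search(text)
    chain = []
    for m in FRAME_RE.finditer(text):
        if m.group("drv") not in chain:
            chain.append(m.group("drv"))
    return {
        "package": hit.group("pkg") if hit else None,
        "defined_in": f"{hit.group('file')}:{hit.group('line')}" if hit else None,
        "chain": chain,
    }


def dependency_path(text):
    """Render the chain outermost-first, ending at the refused package."""
    info = parse_trace(text)
    if info["package"] is None:
        return None  # not an insecure-package refusal
    return " -> ".join(list(reversed(info["chain"])) + [info["package"]])


if __name__ == "__main__":
    print(dependency_path(SAMPLE_TRACE))
```

The first derivation listed after the refused package (here `qt-full-5.15.7`) is the one to search for in the configuration before considering an entry in `permittedInsecurePackages`.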

@RossComputerGuy
Contributor Author

I ran grep on my stuff for qt5Full and I get nothing.

@RossComputerGuy
Contributor Author

RossComputerGuy commented Nov 26, 2022

Looking for Qt5, I see that my version of nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix has Qt5 in it but I am not building the derivation from that. I am building this which does not mention Qt5 anywhere. Not sure how Qt5 is being included and nix repl doesn't show why.

nix-repl> nixosConfigurations.x86_64-linux.config.services.dbus.packages
[ «derivation /nix/store/kigxqgcsxag7zalmm290hw4fpaal8iny-gdm-43.0.drv» «derivation /nix/store/ywr7nyk452cwsmmbg817xsjx5kikb3sl-colord-1.4.6.drv» «derivatiotrace: Obsolete option `system.nixos.version' is used. It was renamed to `system.expidus.version'.
trace: Obsolete option `system.nixos.codeName' is used. It was renamed to `system.expidus.codeName'.
trace: Obsolete option `system.nixos.revision' is used. It was renamed to `system.expidus.revision'.
«derivation /nix/store/zwvnpmqawll7a8bn30rdmhd8zgcakh6a-system-path.drv» «derivation /nix/store/x8ssis4l302kfav85q8sh0d43vvn55v5-modemmanager-1.18.12.drv» «derivation /nix/store/yqs5ngpi3vfwykkqn6hmsgi7ml5csxdf-networkmanager-1.40.2.drv» «derivation /nix/store/mls8461nrc052wp5ligd0zizfxjfmnni-NetworkManager-fortisslvpn-gnome-1.4.0.drv» «derivation /nix/store/7fi4iqzszz3a3hwdl5qn1d9ghvjl8yh1-NetworkManager-iodine-gnome-unstable-2019-11-05.drv» «derivation /nix/store/y88llh20gsnvm5pvq803hlnvpjdxvhyk-NetworkManager-l2tp-gnome-1.20.4.drv» «derivation /nix/store/rpjw5dlzpnax1bp8w9x6ysf3dby8jzrq-NetworkManager-openconnect-1.2.8.drv» «derivation /nix/store/q3yzc2a14hcl4i5fw4lkg42rjr2k2bhi-NetworkManager-openvpn-1.10.0.drv» «derivation /nix/store/z4wkl0py8hdx26xrklm933iqqkm95ncq-NetworkManager-vpnc-1.2.8.drv» «derivation /nix/store/56i8snafz5jnqxgwhw3v7884c4p2c5mn-NetworkManager-sstp-gnome-1.3.1.drv» «derivation /nix/store/djpj8ivv5d56rcvpagscf6vhbb1x6iy2-wpa_supplicant-2.10.drv» «derivation /nix/store/dx40kib2hgx4dd98jgrviyi4fvi7pdbn-upower-1.90.0.drv» «derivation /nix/store/v21qa2ss2qyzbd7j8km7f60m2flvll46-evolution-with-plugins.drv» «derivation /nix/store/173dk1rxgn2hvi77ljss4d309ynh0747-accountsservice-22.08.8.drv» «derivation /nix/store/c88kc754d09jzs2y965rf4cz1fcmw2k1-rtkit-0.13.drv» «derivation /nix/store/rnx4rz9q43nz2fcbwbsp21xl7kb7dwrv-polkit-121.drv» «derivation /nix/store/wnplwrip94gzvr2a09gf32hqb9fl595b-dconf-0.40.0.drv» «derivation /nix/store/bvv2l3n0442vr7rzc2nczgzj2r09zlir-ibus-with-plugins-1.5.27.drv» «derivation /nix/store/cpq28744s2q3k9wr13facsw95mgfkyxi-xdg-desktop-portal-1.15.0.drv» «derivation /nix/store/ps2082kgqzbkg78as5s3c1l3r9s50k67-xdg-desktop-portal-gtk-1.14.0.drv» «derivation /nix/store/51jk44hb4vq2byfxwm39ni8v3pydjkfc-xdg-desktop-portal-wlr-0.6.0.drv» «derivation /nix/store/bvv2l3n0442vr7rzc2nczgzj2r09zlir-ibus-with-plugins-1.5.27.drv» «derivation /nix/store/51jk44hb4vq2byfxwm39ni8v3pydjkfc-xdg-desktop-portal-wlr-0.6.0.drv» ]

I wasn't having this error until Wednesday of this week so I am unsure why this is all of a sudden a problem.

@l0b0
Contributor

l0b0 commented Nov 30, 2022

Surely there must be a general way to resolve this back to a setting in /etc/nixos? I'm in the process of upgrading from nixpkgs 22.05 to 22.11, and bisecting my entire configuration is going to be extremely painful.

@RossComputerGuy
Contributor Author

@l0b0 You can permit the use of qtwebkit in NixOS with

nixpkgs.config.permittedInsecurePackages = [
  "qtwebkit-5.212.0-alpha4"
];

in your configuration. However, I think it should be fixed upstream so wherever this is being called, it doesn't require everyone to add that.

@l0b0
Contributor

l0b0 commented Nov 30, 2022

Fixed my case by checking for references to the package using rg -l qtwebkit-5.212.0-alpha4 /nix/store and then uninstalling the only package which used it.

@janhn

janhn commented Nov 13, 2023

In my case it was wkhtmltopdf; see #209680.
