[Bug]: flake package is insecure error when using --allow-insecure

[andr-ec]

Current Behavior (bug)
if I have a flake.nix that uses an insecure package, it shows an error.

flake.nix

{
  description =
    "This flake outputs a modified version of Yarn that uses NodeJS 20";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
  # Use the flake-utils lib to easily create a multi-system flake
  flake-utils.lib.eachDefaultSystem (system:
    let
      # You can define overlays as functions using the example below
      # This overlay will modify yarn to use nodejs-16_x
      overlay = (final: prev: rec {
        nodejs = prev.nodejs_14;
        yarn = prev.yarn.override { nodejs = nodejs; };
      });

      #
      pkgs =
        import nixpkgs {
          inherit system;
          # Add your overlays to the list below. Note that they will be applied in order
          overlays = [ overlay ];
        };

    in rec {
      # For our outputs, we'll return the modified Yarn package from our overridden nixpkgs.
      packages = {
        yarn = pkgs.yarn;
        nodejs = pkgs.nodejs;
      };

    }
  );
}

add the flake with devbox:

devbox add "path:overlay#nodejs" --allow-insecure
# or 
devbox add "path:overlay#yarn" --allow-insecure

it shows an error:

Error: Package Package ‘nodejs-14.21.3’ is insecure. 

To override use `devbox add <pkg> --allow-insecure`

Expected Behavior (fix)
The flake with an insecure package is installed when using --allow-insecure

Additional context
Please include the output of devbox version -v and
a copy of your devbox.json file.

devbox version                                                                                                                                                                                                                                                                                                                                                                       (latestnhost x!?)
0.5.7

{
  "packages": [
  ],
  "shell": {
    "init_hook": "yarn"
  },
  "nixpkgs": {
    "commit": "f80ac848e3d6f0c12c52758c0f25c10c97ca3b62"
  }
}

[Lagoja]

@savil I confirmed that devbox shell didn't seem to pick up and add the permittedInsecurePackages clause when the flake threw an insecure package warning. I'm not sure if this is something we can detect and resolve from a flake dependency like this?

@andr-ec, I managed to fix the problem by adding the permittedInsecurePackages array to the config in your flake.nix -- here's an example of what that looks like:

{
  description =
    "This flake outputs a modified version of Yarn that uses NodeJS 20";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    # Use the flake-utils lib to easily create a multi-system flake
    flake-utils.lib.eachDefaultSystem (system:
      let
        # You can define overlays as functions using the example below
        # This overlay will modify yarn to use nodejs-16_x
        overlay = (final: prev: rec {
          nodejs = prev.nodejs_14;
          yarn = prev.yarn.override { nodejs = nodejs; };
        });

        #
        pkgs =
          import nixpkgs {
            inherit system;
            # Add your overlays to the list below. Note that they will be applied in order
            overlays = [ overlay ];
            config = {
              permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
            };
          };

      in
      rec {
        # For our outputs, we'll return the modified Yarn package from our overridden nixpkgs.
        packages = {
          yarn = pkgs.yarn;
          nodejs = pkgs.nodejs;
        };

      }
    );
}

Note the permittedInsecurePackages bit in the import nixpkgs step. The insecurity is caused by the package using a version of openssl that is no longer supported, so you need to add both packages

[ozeebee]

Hi,
Got the same issue trying to install sublime text package:

~ via ❄️  impure (nix-shell-env) 
➜ devbox global add sublime4 --allow-insecure
Info: Adding package "sublime4@latest" to devbox.json
Allowing insecure for sublime4@latest

Installing package: sublime4.

[1/1] sublime4
[1/1] sublime4: Success
✓ Computed the Devbox environment.

Error: Package Package ‘openssl-1.1.1w’ is insecure. 

To override use `devbox add <pkg> --allow-insecure`

[savil]

The flake we're generating has:

      let
        pkgs = nixpkgs.legacyPackages.x86_64-linux;
        nixpkgs-fd04be-pkgs = (import nixpkgs-fd04be {
          system = "x86_64-linux";
          config.allowUnfree = true;
          config.permittedInsecurePackages = [
            "sublime4"
          ];
        });
      in
           {
        devShells.x86_64-linux.default = pkgs.mkShell {
          buildInputs = [
            ....
            nixpkgs-fd04be-pkgs.sublime4
          ];
        };   

If I change to:

          config.permittedInsecurePackages = [
            "openssl-1.1.1w"
          ];

then it works as one expects.

Looking into what is a good fix for this situation. We currently handle the scenario where the package being installed was marked as insecure, rather than one of the dependent packages being insecure.