How to use "permittedInsecurePackages"? #792
Comments
I should note that I am able to use it in another project successfully:

cli error without permittedInsecurePackages

success with permittedInsecurePackages in

devenv.yaml

```yaml
inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixpkgs-unstable
permittedInsecurePackages:
  - "nodejs-16.20.2"
```

direnv.nix

```nix
{ pkgs, ... }:
{
  packages = with pkgs; [
    nodePackages.typescript-language-server
    nodePackages.volar
  ];
  enterShell = ''
    export VUE_LANGUAGE_SERVER_TSDK="$(dirname $(dirname $(which -a typescript-language-server)))/lib/node_modules/typescript/lib"
  '';
  languages.javascript = {
    enable = true;
    package = pkgs.nodejs-16_x;
  };
  # https://devenv.sh/pre-commit-hooks/
  # pre-commit.hooks.shellcheck.enable = true;
}
```

EDIT: |
The issue here is that nixpkgs is imported by https://github.com/bobvanderlinden/nixpkgs-ruby doesn't pass our settings. We'd have to somehow collect |
We can fix this for #745 by setting |
Hmm, that is indeed unfortunate. |
We got rid of |
Hmm, indeed. This is tricky. I'm thinking that nixpkgs-ruby should allow injecting pkgs or nixpkgs config? Downside is that it doesn't seem to match with any flake standard and we're thinking up a new solution. Or avoid using nixpkgs in nixpkgs-ruby by using the overlay on devenv's nixpkgs. More standardized, but it'll probably not be able to use the cache of nixpkgs-ruby. |
I managed to come up with a way to fix this, going to write a prototype tomorrow. It should work as long as you use nixpkgs.legacyPackages and follow the nixpkgs we provide. |
I just came up against this. My understanding is that to use it, I need to have a specific input that uses the revision that still had that package in the tree. Are you saying your fix will only work for nixpkgs inputs that follow the devenv one? As that means old packages (that are no longer in the nixpkgs tree provided with devenv) can't be installed, right? I suppose one workaround is repackaging Would that be the best path forward for this case? |
Regarding nodejs-16, it is a different issue. It isn't so much an insecure package, it is removed from nixpkgs. See #218 (comment) for an example on how to use packages from older nixpkgs. The issues that cover this are: #16 and #681 As for insecure packages, they could also be overridden in an overlay. Always use an overlay for (for instance) nixpkgs-ruby and having a way to mark packages as non-insecure (which uses override of meta behind the scenes). |
Relevant nix issue NixOS/nix#9875 |
I've implemented this in 427d360faec649842761919c6be9911e5286603a, but there's no way to convince flakes to allow importing an absolute path here: https://github.com/NixOS/nixpkgs/blob/c2e03072b8e365b0a76cf884f781f0f196b96214/pkgs/top-level/impure.nix#L31 Tests for this are in 4af4099b14dfd6802b81bfa2dd6059ab4b332c26 once someone circles back to it. |
The second sentence of my comment was that nodejs-16 was removed 😄
I ended up fixing it by running @domenkozar the commit you reference isn't in a branch on this repo, I can't see it in the rust rewrite you mentioned this issue in, and when I look at the code in the commit you referenced, that code change isn't in the same file on I also can't see anything in docs about it. Did it maybe get lost in that sizeable PR, or did you achieve the same functionality with different code? |
I've explored this in different directions and found out the only way to make it work with by using We could support |
That is unfortunate! I also would much prefer to allow packages individually. I'm hoping to get my company onboard with nixpkgs, probably via I'd then be able to import that list from a separate file, which requires me or someone from my team to approve changes. Would make keeping things secure a lot easier. Otherwise, setting Thanks for reopening. |
This issue is a top priority for me, and I need to brainstorm a way to make progress. |
Hey same issue here. While commit 7fa7e03 still is not in the air, is there a quick & dirty way to allow insecure packages using .envrc? UPDATE SOLVED WITH:
in AND
in Although solution is a dirty fix, while some more intuitive way using |
Are there any updates on this topic? @instantepiphany Did you manage to use devenv with node16? It may be EOL but we have legacy projects that cannot be updated atm so we are still in the urge of using that version. |
I don't recall if I got devenv working. I just checked where we use Node 16 via Nix and all I committed was a So I probably just set the Maybe try the approach mentioned above: #792 (comment) My company has now committed to Nix - we are using it in production and we are already growing the scope of what it handles for us. I've been writing everything in plain flakes so far - I'm quite comfortable with "vanilla" Nix with flakes. But for the internal "customers" of the files I'm writing, I want them to have a more user friendly way of installing packages, hence trying to get devenv working. We've also upgraded our internal code that used Node 16, so we don't need that to work in Devenv anymore. But I'm still hoping Devenv gains this capability, as I don't want a binary flag that allows all insecure packages to be installed enabled on my colleagues' machines. |
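The per-package allowlist kept in a separately reviewed file, as wished for in the comments above, shown here in plain nixpkgs. This is an added example, not devenv's code and not something posted in this thread. The file name `permitted-insecure.nix` and the argument names are assumptions; `permittedInsecurePackages` and `NIXPKGS_ALLOW_INSECURE` are nixpkgs' own settings.

```nix
# Added example: plain nixpkgs, no devenv involved. File names are hypothetical.
#
# permitted-insecure.nix (kept under mandatory review) would contain a list:
#   [ "nodejs-16.20.2" ]
# That entry is the one from the devenv.yaml earlier in this thread; it only
# has an effect if the pinned nixpkgs revision still ships that package.
{ nixpkgs ? <nixpkgs>
, system ? builtins.currentSystem
, permitted ? import ./permitted-insecure.nix
}:
let
  # Require exact "name-version" strings so that a review approves one
  # specific version, not a whole package family.
  isPinned = n:
    builtins.isString n && builtins.match ".+-[0-9].*" n != null;

  bad = builtins.filter (n: !(isPinned n)) permitted;

  checked =
    if bad == [ ]
    then permitted
    else throw "permitted-insecure.nix: every entry must be a \"name-version\" string";
in
import nixpkgs {
  inherit system;
  # Only the listed packages are exempt from the insecure-package check;
  # any other package marked insecure still fails evaluation.
  # Contrast: NIXPKGS_ALLOW_INSECURE=1 exempts every package at once.
  config.permittedInsecurePackages = checked;
}
```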
Thanks @instantepiphany for your reply and support. I'll see if I can get a workaround. |
Going to be addressed by #1548 |
I have a very similar problem with #623. I see that a new key was added to address this #619.
However, when I added it, the error still shows.
devenv.nix
devenv.yaml
cli error
devenv version
devenv: 0.6.3
Any advice is appreciated, thanks!