While updating home-manager I got a notice that freeimage-unstable-2021-11-01 is marked as unsafe.

Since chances are it’s used by something I never use, I’d like to know what I’m using that depends on it… any idea how to do it?

Also… any idea why I have 4 copies of the freeimage stuff in my /nix/store? (I just ran nix-collect-garbage -d and the 4 seem to be actually different):

md5sum /nix/store/*freeimage*/lib/libfreeimage.a
67a0ce1cb5dd562473e27d7c88e8a9bd  /nix/store/6gi6hm57zngqnxb6p5dnxhjjcbr96lrk-freeimage-unstable-2021-11-01/lib/libfreeimage.a
5995e0affbfa28b63da7e997cb4dbe63  /nix/store/09nwykzzksc0zknflsyxyah5b67c2rsn-freeimage-unstable-2021-11-01/lib/libfreeimage.a
67a0ce1cb5dd562473e27d7c88e8a9bd  /nix/store/ikfiv4gpmcpyir7lsj45by653qcnvgyx-freeimage-unstable-2021-11-01/lib/libfreeimage.a
213a408e3c1fbb5dfa4491deebe05984  /nix/store/q2sc85f2hclgwl8m3qdw8rpbs44gzmah-freeimage-unstable-2021-11-01/lib/libfreeimage.a
  • demesisx@infosec.pub

    I don’t see anything that jumps out at me. It’s probably depending on a package that is insecure. Check the logs. They’ll point to exactly what the issue is.

  • Atemu@lemmy.ml

    You have three options:

    1. Take a close look at the stack trace, it should contain the dependant’s definition file somewhere. They’re hard to read, it’s a known issue that isn’t easy to fix.
    2. Roll back your Nixpkgs and figure out which package’s runtime closure depends on the package that is broken in the newer Nixpkgs using why-depends
    3. Trace through the source code yourself (i.e. grep for the broken dep’s name in your explicitly declared deps)
    • gomp@lemmy.ml (OP)

      Thanks!

      I guess it should be nix why-depends .nix-profile/bin nixpkgs#freeimage but unfortunately that just spits out the “freeimage is insecure” error (for whatever reason? it’s not like I’m installing the insecure package)

      nix why-depends .nix-profile/bin nixpkgs#freeimage
      error: Package ‘freeimage-unstable-2021-11-01’ in /nix/store/dzv2jjx429kczqwqklfb8v4mn9phv778-source/pkgs/development/libraries/freeimage/default.nix:72 is marked as insecure, refusing to evaluate.
      [...]
      

      Neither NIXPKGS_ALLOW_INSECURE=1 nix why-depends ... nor nix why-depends --option permittedInsecurePackages freeimage-unstable-2021-11-01 ... (which may very well be wrong) seems to bypass the overzealous security check… I ended up updating my working copy of the nixpkgs git repo and running grep -rl freeimage * there.
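
An added example, not part of the thread: the same questions (what pulls in freeimage, and what keeps each copy alive) answered from store paths alone, so nixpkgs is never evaluated and the "marked as insecure" check is not triggered. The function names and the prefix match on the package name are assumptions of this sketch.

```bash
#!/bin/sh
# Added example (not from the thread). Store paths are passed to nix directly,
# so no nixpkgs expression is evaluated.

# Keep only store paths (one per line on stdin) whose name starts with $1.
# Layout: /nix/store/<32-character hash>-<name>, so the name begins at column 34.
filter_by_name() {
    awk -F/ -v name="$1" '{ n = substr($4, 34) } index(n, name) == 1'
}

# Copies of package $2 inside the runtime closure of $1 (e.g. ~/.nix-profile).
copies_in_closure() {
    nix-store --query --requisites "$(readlink -f "$1")" | filter_by_name "$2"
}

# For every copy in the closure: the dependency chain from the profile, then
# the store paths that reference it directly.
explain() {
    root=$(readlink -f "$1")
    copies_in_closure "$root" "$2" | while read -r path; do
        echo "== $path"
        nix why-depends "$root" "$path" </dev/null
        nix-store --query --referrers "$path"
    done
}

# For every copy in the whole store: the GC roots keeping it alive, which is
# what decides whether nix-collect-garbage may delete it.
roots_of_copies() {
    find /nix/store -mindepth 1 -maxdepth 1 -type d | filter_by_name "$1" |
    while read -r path; do
        echo "== $path"
        nix-store --query --roots "$path"
    done
}

# Usage: sh find-insecure.sh ~/.nix-profile freeimage
if [ "$#" -eq 2 ]; then
    explain "$1" "$2"
    roots_of_copies "$2"
fi
```

A copy that appears under `roots_of_copies` but not under `explain` is held by some other root (an older generation, a `result` symlink, another profile) rather than by the current profile.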