While updating home-manager I got a notice that freeimage-unstable-2021-11-01
is marked as unsafe.
Since chances are it’s used by something I never use, I’d like to know what I’m using that depends on it… any idea how to do it?
Also… any idea why I have 4 copies of the freeimage stuff in my /nix/store
? (I just run nix-collect-garbage -d
and the 4 seem to be actually different):
❱ md5sum /nix/store/*freeimage*/lib/libfreeimage.a
67a0ce1cb5dd562473e27d7c88e8a9bd /nix/store/6gi6hm57zngqnxb6p5dnxhjjcbr96lrk-freeimage-unstable-2021-11-01/lib/libfreeimage.a
5995e0affbfa28b63da7e997cb4dbe63 /nix/store/09nwykzzksc0zknflsyxyah5b67c2rsn-freeimage-unstable-2021-11-01/lib/libfreeimage.a
67a0ce1cb5dd562473e27d7c88e8a9bd /nix/store/ikfiv4gpmcpyir7lsj45by653qcnvgyx-freeimage-unstable-2021-11-01/lib/libfreeimage.a
213a408e3c1fbb5dfa4491deebe05984 /nix/store/q2sc85f2hclgwl8m3qdw8rpbs44gzmah-freeimage-unstable-2021-11-01/lib/libfreeimage.a
I don’t see anything that jumps out at me. It’s probably depending on an a package that is insecure. Check the logs. They’ll point to exactly what the issue is.
You have three options:
- Take a close look at the stack trace, it should contain the dependant’s definition file somewhere. They’re hard to read, it’s a known issue that isn’t easy to fix.
- Roll back your Nixpkgs and figure out which package’s runtime closure depends on the package that is broken in the newer Nixpkgs using
why-depends
- Trace through the source code yourself (i.e. grep for the broken dep’s name in your explicitly declared deps)
Why-depends can help you out. https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-why-depends.html
I don’t remember if you can use it directly on a derivation or not, so you might have to track down the relevant package.
Edit: forgot to mention you can give it /run/current-system for the first argument to only see what’s currently loaded from the store.
Thanks!
I guess it should be
nix why-depends .nix-profile/bin nixpkgs#freeimage
but unfortunately that just spits out the “freeimage is insecure” error (for whatever reason? it’s not like I’m installing the insecure package)❱ nix why-depends .nix-profile/bin nixpkgs#freeimage error: Package ‘freeimage-unstable-2021-11-01’ in /nix/store/dzv2jjx429kczqwqklfb8v4mn9phv778-source/pkgs/development/libraries/freeimage/default.nix:72 is marked as insecure, refusing to evaluate. [...]
Neither
NIXPKGS_ALLOW_INSECURE=1 nix why-depends ...
ornix why-depends --option permittedInsecurePackages freeimage-unstable-2021-11-01 ...
(which may very well be wrong) seem to bypass the overzealous security check… I ended up updating my working copy of the nixpkgs git repo and runninggrep -rl freeimage *
there.