this post was submitted on 21 Feb 2024
14 points (100.0% liked)

Nix / NixOS

1732 readers
10 users here now

Main links

Videos

founded 1 year ago
MODERATORS
erlingur@programming.dev
ballmerpeaking@programming.dev
WhiteBlackGoose@programming.dev
14
What depends on a specific package? (lemmy.ml)
submitted 8 months ago by gomp@lemmy.ml to c/nix@programming.dev
6 comments fedilink hide all child comments
 

While updating home-manager I got a notice that freeimage-unstable-2021-11-01 is marked as unsafe.

Since chances are it's used by something I never use, I'd like to know what I'm using that depends on it... any idea how to do it?

Also.. any idea why I have 4 copies of the freeimage stuff in my /nix/store? (I just run nix-collect-garbage -d and the 4 seem to be actually different):

❱ md5sum /nix/store/*freeimage*/lib/libfreeimage.a
67a0ce1cb5dd562473e27d7c88e8a9bd  /nix/store/6gi6hm57zngqnxb6p5dnxhjjcbr96lrk-freeimage-unstable-2021-11-01/lib/libfreeimage.a
5995e0affbfa28b63da7e997cb4dbe63  /nix/store/09nwykzzksc0zknflsyxyah5b67c2rsn-freeimage-unstable-2021-11-01/lib/libfreeimage.a
67a0ce1cb5dd562473e27d7c88e8a9bd  /nix/store/ikfiv4gpmcpyir7lsj45by653qcnvgyx-freeimage-unstable-2021-11-01/lib/libfreeimage.a
213a408e3c1fbb5dfa4491deebe05984  /nix/store/q2sc85f2hclgwl8m3qdw8rpbs44gzmah-freeimage-unstable-2021-11-01/lib/libfreeimage.a
top 6 comments
sorted by: hot top controversial new old
[–] demesisx@infosec.pub 10 points 8 months ago* (last edited 8 months ago)

I don’t see anything that jumps out at me. It’s probably depending on an a package that is insecure. Check the logs. They’ll point to exactly what the issue is.

[–] degen@midwest.social 7 points 8 months ago* (last edited 8 months ago) (1 children)

Why-depends can help you out. https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-why-depends.html

I don't remember if you can use it directly on a derivation or not, so you might have to track down the relevant package.

Edit: forgot to mention you can give it /run/current-system for the first argument to only see what's currently loaded from the store.

[–] gomp@lemmy.ml 2 points 8 months ago

Thanks!

I guess it should be nix why-depends .nix-profile/bin nixpkgs#freeimage but unfortunately that just spits out the "freeimage is insecure" error (for whatever reason? it's not like I'm installing the insecure package)

❱ nix why-depends .nix-profile/bin nixpkgs#freeimage
error: Package ‘freeimage-unstable-2021-11-01’ in /nix/store/dzv2jjx429kczqwqklfb8v4mn9phv778-source/pkgs/development/libraries/freeimage/default.nix:72 is marked as insecure, refusing to evaluate.
[...]

Neither NIXPKGS_ALLOW_INSECURE=1 nix why-depends ... or nix why-depends --option permittedInsecurePackages freeimage-unstable-2021-11-01 ... (which may very well be wrong) seem to bypass the overzealous security check... I ended up updating my working copy of the nixpkgs git repo and running grep -rl freeimage * there.

[–] Atemu@lemmy.ml 2 points 8 months ago

You have three options:

  1. Take a close look at the stack trace, it should contain the dependant's definition file somewhere. They're hard to read, it's a known issue that isn't easy to fix.
  2. Roll back your Nixpkgs and figure out which package's runtime closure depends on the package that is broken in the newer Nixpkgs using why-depends
  3. Trace through the source code yourself (i.e. grep for the broken dep's name in your explicitly declared deps)
[–] pruneaue@infosec.pub 2 points 8 months ago

Had that error and deduced it was imv after spending some time reading through the trace.
I dont have an actual command for you as i couldnt find one when i was looking ^^

[–] onlinepersona@programming.dev -1 points 3 months ago

I don't know why nix isn't able to output a plan of stuff it has to do, but anyway, what I've done is just install the thing, then nix --query --referrers $storePath. You can do the same with every free-image-unstable you found in your store.

Also, you should be able to grep the .drv files for the store paths of each free-image-unstable and find out what was passed in to build them. My hunch is that the package was an input to other packages that needed to activate or deactivate build options. Maybe one package needed a specific feature and another needed yet another --> multiple builds.

Anti Commercial-AI license