NIXOS module package #559

Open
viniciuspalma opened this issue Apr 29, 2024 · 10 comments

@viniciuspalma

I'm looking to create a reproducible environment with NixOS, and the arweave binary isn't available yet on the package dependency channels from NixOS.

Is there any plan for it to be included as an official package in NixOS?

  • If not, I would be interested in providing one for the community.
@viniciuspalma
Author

My bad, I found the flake explanation; I'll go with the flake then ;) https://github.com/ArweaveTeam/arweave/tree/master/nix

@viniciuspalma
Author

I'm reopening because I can't use the module since there's an insecure package in it.

The package in question is "openssl-1.1.1w". The package has already lost support from its maintainer and should have a couple of vulnerabilities.

https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html

@viniciuspalma
Author

https://github.com/ArweaveTeam/arweave/blob/master/nix/arweave.nix#L23 this seems to be the culprit, can it be upgraded without any side effects?

@TLATER

TLATER commented Apr 30, 2024

Related thread from the NixOS discourse here: https://discourse.nixos.org/t/permittedinsecurepackages-not-taking-effect/44449?u=tlater

Not only is this still using openssl 1.1.1, but the flake.lock hasn't been updated in years, so there are probably a lot of vulnerabilities around if you actually use the flake for this. Changing that will probably break things; someone from the project will need to be explicit about whether the flake is still intended to be supported.
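
A check for the stale-lock concern raised in the comment above, as an added example that is not part of the thread or the project's code: it reads the `lastModified` timestamps in a `flake.lock` and lists inputs pinned longer ago than a threshold. The lock contents, the 180-day threshold and the function name are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample flake.lock (not the project's real lock file);
# revisions and timestamps are made up for the example.
SAMPLE_LOCK = json.dumps({
    "version": 7,
    "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "flake-utils": "flake-utils"}},
        "nixpkgs": {
            "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                       "rev": "0" * 40, "lastModified": 1650000000},
        },
        "flake-utils": {
            "locked": {"type": "github", "owner": "numtide", "repo": "flake-utils",
                       "rev": "1" * 40, "lastModified": 1710000000},
        },
    },
})


def stale_inputs(lock_text, now, max_age_days=180):
    """Return [(input_name, age_in_days)] for inputs pinned more than
    max_age_days before `now`, oldest first."""
    lock = json.loads(lock_text)
    stale = []
    for name, node in lock.get("nodes", {}).items():
        locked = node.get("locked")
        # The root node has no "locked" entry, and some input types
        # (for example path inputs) may carry no lastModified field.
        if not locked or "lastModified" not in locked:
            continue
        pinned = datetime.fromtimestamp(locked["lastModified"], tz=timezone.utc)
        age = (now - pinned).days
        if age > max_age_days:
            stale.append((name, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Reference date: the day of the comment above (30 Apr 2024).
    ref = datetime(2024, 4, 30, tzinfo=timezone.utc)
    for name, age in stale_inputs(SAMPLE_LOCK, ref):
        print(f"{name}: pinned {age} days ago")
```

To audit a real checkout, pass the text of its `flake.lock` and the current UTC time instead of the constructed sample.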

@viniciuspalma
Author

@hlolli I see that you are the person who mostly contributed to the nix setup, just to make you aware ;)

@hlolli
Contributor

hlolli commented Apr 30, 2024

The C code is written for openssl 1.x and doesn't support 3.x. Use openssl 1.x at your own risk; it's the only way to run arweave today. Alternatively, align with @vird and make the C source openssl 3.x compatible: https://github.com/ArweaveTeam/arweave/blob/master/apps/arweave/c_src/sha-256.h#L1-L11

@hlolli
Contributor

hlolli commented Apr 30, 2024

You can disable this with

permittedInsecurePackages = [ "openssl-1.1.1v" "openssl-1.1.1w" ];

@vird
Collaborator

vird commented Apr 30, 2024

This was a reason why it's still openssl 1.x: openssl/openssl#19612

@viniciuspalma
Author

> you can disable this with
>
> permittedInsecurePackages = [ "openssl-1.1.1v" "openssl-1.1.1w" ];

That would be true if the package didn't infer the pkg config, as mentioned on https://discourse.nixos.org/t/permittedinsecurepackages-not-taking-effect/44449/6?u=viniciuspalma
