-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NIXOS module package #559
Comments
My bad found the flake explanation, I'll go with flake then ;) https://github.com/ArweaveTeam/arweave/tree/master/nix |
I'm reopening because I can't use the module since there's a insecure package in it. The package in question is: "openssl-1.1.1w" the package already lost support from it's maintainer and should have a couple of vulnerabilities. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html |
https://github.com/ArweaveTeam/arweave/blob/master/nix/arweave.nix#L23 this seems to be the culprit, can it be upgraded without any side effects? |
Related thread from the NixOS discourse here: https://discourse.nixos.org/t/permittedinsecurepackages-not-taking-effect/44449?u=tlater Not only is this still using openssl 1.1.1, but the |
@hlolli I see that you are the person that mostly contributed to the nix setup, just to let you aware ;) |
the c code is written for openssl 1.x and doesn't support 3.x. Use openssl 1.x on your own risk, it's the only way to run arweave today. Alternatively align with @vird and make the c source openssl 3.x compatible https://github.com/ArweaveTeam/arweave/blob/master/apps/arweave/c_src/sha-256.h#L1-L11 |
you can disable this with permittedInsecurePackages = [ "openssl-1.1.1v" "openssl-1.1.1w" ]; |
This was a reason why still openssl 1.x openssl/openssl#19612 |
Would be true if the package wouldn't infer the pkg config. As mentioned on https://discourse.nixos.org/t/permittedinsecurepackages-not-taking-effect/44449/6?u=viniciuspalma |
I'm looking for creating a reproducible environment with NIXOS and arweave binary isn't available yet on the package dependencies channels from nixos.
There's any plan to be included as one official package in nixos?
The text was updated successfully, but these errors were encountered: