error: Package ‘libgit2-0.27.10’ is marked as insecure, refusing to evaluate #125822

Closed
bergkvist opened this issue Jun 5, 2021 · 6 comments
Labels
0.kind: bug Something is broken

Comments

@bergkvist
Member

Describe the bug
I just ran a nix-collect-garbage and nix-channel --update - and now I'm not able to use pkgs.julia, due to libgit2-0.27.10 being marked as insecure.

```nix
libgit2_0_27 = libgit2.overrideAttrs (oldAttrs: rec {
  version = "0.27.10";
  src = fetchFromGitHub {
    owner = "libgit2";
    repo = "libgit2";
    rev = "v${version}";
    sha256 = "09jz2fzv0zl5058s0g1cpnw87a2rgg8wnjwlygi18i2n9nn6m0ad";
  };
  meta.knownVulnerabilities = [
    "CVE-2020-12278"
    "CVE-2020-12279"
  ];
});
```

To Reproduce
Steps to reproduce the behavior:

```
nix-channel --add https://releases.nixos.org/nixpkgs/nixpkgs-21.11pre293818.afdb5675a18 pkgs-afdb5675a18
nix-channel --update
nix-shell -p "(import <pkgs-afdb5675a18> {}).julia" --show-trace
error: while evaluating the attribute 'buildInputs' of the derivation 'shell' at /nix/store/aq31nd8qsv1m6c41zpnp2kirlpn7ipvs-nixpkgs-21.11pre293818.afdb5675a18/nixpkgs/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating the attribute 'LD_LIBRARY_PATH' of the derivation 'julia-1.0.4' at /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/pkgs/stdenv/generic/make-derivation.nix:201:11:
while evaluating 'makeSearchPathOutput' at /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/lib/strings.nix:164:5, called from /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/pkgs/development/compilers/julia/1.0.nix:163:63:
while evaluating 'makeSearchPath' at /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/lib/strings.nix:144:5, called from /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/lib/strings.nix:164:11:
while evaluating anonymous function at /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/lib/strings.nix:145:32, called from undefined position:
while evaluating the attribute 'handled' at /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/pkgs/stdenv/generic/check-meta.nix:301:7:
while evaluating 'handleEvalIssue' at /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/pkgs/stdenv/generic/check-meta.nix:188:38, called from /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/pkgs/stdenv/generic/check-meta.nix:302:14:
Package ‘libgit2-0.27.10’ in /nix/store/0vj8971cc8k2gzf131760xn41pjxa9d5-pkgs-21.11pre293818.afdb5675a18/pkgs/pkgs/top-level/all-packages.nix:14986 is marked as insecure, refusing to evaluate.


Known issues:
 - CVE-2020-12278
 - CVE-2020-12279

You can install it anyway by allowing this package, using the
following methods:

a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:

     $ export NIXPKGS_ALLOW_INSECURE=1

b) for `nixos-rebuild` you can add ‘libgit2-0.27.10’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "libgit2-0.27.10"
       ];
     }

c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘libgit2-0.27.10’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "libgit2-0.27.10"
       ];
     }
```

Notify maintainers

Julia maintainers: @raskin @rob @garrison

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.10.30-1-MANJARO, Manjaro Linux, noversion
  • multi-user?: no
  • sandbox: yes
  • version: nix-env (Nix) 2.3.10
  • channels(tobias): "nixpkgs-21.11pre293818.afdb5675a18, pkgs-21.11pre293818.afdb5675a18, pkgs-afdb5675a18-21.11pre293818.afdb5675a18"
  • nixpkgs: /home/tobias/.nix-defexpr/channels/nixpkgs

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
@bergkvist bergkvist added the 0.kind: bug Something is broken label Jun 5, 2021
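
The error output in the report above lists a global switch (`NIXPKGS_ALLOW_INSECURE=1`) and per-user or per-system `permittedInsecurePackages` entries. As an added example (not part of the original report and not nixpkgs' own code), the same exception can be scoped to a single `shell.nix` and tied to the two advisories shown in the report, so evaluation fails again if the package later gains an advisory nobody has reviewed. The file name `shell.nix` and the names `reviewed`, `known` and `unreviewed` are assumptions made for this example; the channel name `pkgs-afdb5675a18` and the attribute `libgit2_0_27` are taken from the report.

```nix
# shell.nix (hypothetical file name): added example, not from the issue.
let
  # Advisories that were reviewed and accepted for this environment.
  # These are the two identifiers shown in the error output.
  reviewed = [
    "CVE-2020-12278"
    "CVE-2020-12279"
  ];

  # Import the pinned channel with an exception for exactly one package.
  # The exception applies only to this import; other uses of nixpkgs on
  # the machine keep refusing insecure packages.
  pkgs = import <pkgs-afdb5675a18> {
    config.permittedInsecurePackages = [
      "libgit2-0.27.10"
    ];
  };

  # What nixpkgs currently records against the permitted package.
  known = pkgs.libgit2_0_27.meta.knownVulnerabilities or [ ];

  # Anything recorded upstream that is not on the reviewed list.
  unreviewed = builtins.filter (cve: !(builtins.elem cve reviewed)) known;
in

# Abort evaluation if the permitted package has gained advisories that
# were not part of the original review.
assert pkgs.lib.assertMsg (unreviewed == [ ])
  "libgit2_0_27 has unreviewed advisories: ${toString unreviewed}";

pkgs.mkShell {
  buildInputs = [ pkgs.julia ];
}
```

Running `nix-shell` in the directory containing this file evaluates `julia` with the single exception in place, without exporting `NIXPKGS_ALLOW_INSECURE` or editing `~/.config/nixpkgs/config.nix`.
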
@samuela
Member

samuela commented Jun 5, 2021

This sucks, but unfortunately I'm not sure if there's a quick fix for us. I would suggest using the more recent julia_16-bin package. julia itself points to an outdated (but LTS) version of julia right now.

@bergkvist
Member Author

Given that julia_16-bin currently seems to be the only non-broken julia version, would it make sense to change pkgs.julia to alias this version instead?

@bergkvist
Member Author

That said, julia_16-bin is not currently supported on MacOS

@samuela
Member

samuela commented Jun 6, 2021

> Given that julia_16-bin currently seems to be the only non-broken julia version, would it make sense to change pkgs.julia to alias this version instead?

There was some discussion around this. I tend to agree, but this was above my paygrade.

> That said, julia_16-bin is not currently supported on MacOS

I've been trying to remedy this (#123394). There's some weirdness where the julia test suite fails in the nix build sandbox on macOS, but not linux.

@samuela
Member

samuela commented Jun 6, 2021

I would add that julia_10-bin is not broken IIUC, but it's also so out of date that I'm not sure many people will find it relevant.

@vcunat
Member

vcunat commented Jul 30, 2023

This issue doesn't apply anymore.

@vcunat vcunat closed this as completed Jul 30, 2023