diff --git a/ci/default.nix b/ci/default.nix
index 2bae87eca0587..c75de0ff2b9ad 100644
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -17,13 +17,7 @@ let
 else nixpkgs;
- pkgs = import nixpkgs' {
- inherit system;
- config = {
- permittedInsecurePackages = [ "nix-2.3.18" ];
- };
- overlays = [ ];
- };
+ pkgs = import nixpkgs' { inherit system; };
 fmt = let
@@ -128,8 +122,7 @@ rec {
 parse = pkgs.lib.recurseIntoAttrs {
 latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
 lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
- # TODO: Raise nixVersions.minimum to 2.24 and flip back to it.
- minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_24; };
+ nix_2_24 = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_24; };
 };
 shell = import ../shell.nix { inherit nixpkgs system; };
 tarball = import ../pkgs/top-level/make-tarball.nix {
diff --git a/doc/release-notes/rl-2511.section.md b/doc/release-notes/rl-2511.section.md
index 6cd94f4835319..7cd35f74fa9e3 100644
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -14,6 +14,10 @@
+- `nixVersions.nix_2_3` has been dropped because it was insecure and unmaintained.
+
+- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18.
+
 - The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader - `base16-builder` node package has been removed due to lack of upstream maintenance.
diff --git a/lib/minver.nix b/lib/minver.nix
index cb9c6ee3156f8..c9fc45354d2e1 100644
--- a/lib/minver.nix
+++ b/lib/minver.nix
@@ -1,2 +1,2 @@
 # Expose the minimum required version for evaluating Nixpkgs
-"2.3.17"
+"2.18"
diff --git a/lib/tests/release.nix b/lib/tests/release.nix
index 5a1752010745f..3eb62912ffc45 100644
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix 
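Review bot: The `parse` check in `ci/default.nix` now pins `nixVersions.nix_2_24` while `lib/minver.nix` in this same change declares the minimum as 2.18, so no CI job evaluates Nixpkgs with the version the repository claims to support; the removed `minimum` attribute was the only thing that tied the two together. Either lower the declared minimum to the oldest version that is actually packaged and tested, or record the gap next to the new entry, e.g. `# lib/minver.nix declares 2.18; nix_2_24 appears to be the oldest nixVersions entry still packaged, so it is the oldest version CI actually exercises.`. The same substitution appears in the `nixVersions` list of `lib/tests/release.nix` (next hunk), which now also starts at 2.24 rather than at the declared minimum. The enclosing `rec { … }` continues outside the hunk.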
@@ -2,21 +2,14 @@
 # The pkgs used for dependencies for the testing itself
 # Don't test properties of pkgs.lib, but rather the lib in the parent directory
 system ? builtins.currentSystem,
- pkgs ?
- import ../.. {
- inherit system;
- config = {
- permittedInsecurePackages = [ "nix-2.3.18" ];
- };
- }
- // {
- lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
- },
+ pkgs ? import ../.. { inherit system; } // {
+ lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
+ },
 # For testing someone may edit impure.nix to return cross pkgs, use `pkgsBuildBuild` directly so everything here works.
 pkgsBB ? pkgs.pkgsBuildBuild,
 nix ? pkgs-nixVersions.stable,
 nixVersions ? [
- pkgs-nixVersions.minimum
+ pkgs-nixVersions.nix_2_24
 nix
 pkgs-nixVersions.latest
 ],
diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/package.nix b/pkgs/by-name/ni/nixos-rebuild-ng/package.nix
index e7aa5f3d3ff4f..b52193d33d354 100644
--- a/pkgs/by-name/ni/nixos-rebuild-ng/package.nix
+++ b/pkgs/by-name/ni/nixos-rebuild-ng/package.nix
@@ -121,9 +121,9 @@ python3Packages.buildPythonApplication rec {
 with_nix_stable = nixos-rebuild-ng.override {
 nix = nixVersions.stable;
 };
- with_nix_2_3 = nixos-rebuild-ng.override {
- # oldest / minimum supported version in nixpkgs
- nix = nixVersions.nix_2_3;
+ with_nix_2_24 = nixos-rebuild-ng.override {
+ # oldest supported version in nixpkgs
+ nix = nixVersions.nix_2_24;
 };
 with_lix_latest = nixos-rebuild-ng.override {
 nix = lixPackageSets.latest.lix;
diff --git a/pkgs/tools/package-management/nix/common-autoconf.nix b/pkgs/tools/package-management/nix/common-autoconf.nix
index 894380f71cf04..fed7eb3ac0a97 100644
--- a/pkgs/tools/package-management/nix/common-autoconf.nix
+++ b/pkgs/tools/package-management/nix/common-autoconf.nix 
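Review bot: The comment `# oldest supported version in nixpkgs` on the new `with_nix_2_24` override in `nixos-rebuild-ng/package.nix` is now ambiguous, because `lib/minver.nix` in this change declares 2.18 as the minimum for evaluating Nixpkgs while 2.24 is only the oldest version still packaged. Suggest `# oldest Nix version still packaged in nixVersions (lib/minver.nix declares the evaluation minimum separately)` so the next reader does not take 2.24 for the evaluation floor. The attribute set these overrides belong to starts and ends outside the hunk.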
@@ -21,7 +21,6 @@ }@args:
 assert (hash == null) -> (src != null);
 let
- atLeast224 = lib.versionAtLeast version "2.24pre";
 atLeast225 = lib.versionAtLeast version "2.25pre";
 in
 {
@@ -116,7 +115,7 @@ let
 ]
 ++ lib.optional stdenv.hostPlatform.isMusl "fortify";
- nativeInstallCheckInputs = lib.optionals atLeast224 [
+ nativeInstallCheckInputs = [
 git
 man
 ];
@@ -129,21 +128,11 @@ let
 flex
 jq
 ]
- ++ lib.optionals enableDocumentation (
- if atLeast224 then
- [
- (lib.getBin lowdown-unsandboxed)
- mdbook
- mdbook-linkcheck
- ]
- else
- [
- libxslt
- libxml2
- docbook_xsl_ns
- docbook5
- ]
- )
+ ++ lib.optionals enableDocumentation [
+ (lib.getBin lowdown-unsandboxed)
+ mdbook
+ mdbook-linkcheck
+ ]
 ++ lib.optionals stdenv.hostPlatform.isLinux [
 util-linuxMinimal
 ];
@@ -161,8 +150,6 @@ let
 gtest
 libarchive
 lowdown
- ]
- ++ lib.optionals atLeast224 [
 libgit2
 toml11
 rapidcheck
@@ -182,8 +169,6 @@ let
 propagatedBuildInputs = [
 boehmgc
- ]
- ++ lib.optionals atLeast224 [
 nlohmann_json
 ];
@@ -202,24 +187,7 @@ let
 chmod u+w $out/lib/*.so.*
 patchelf --set-rpath $out/lib:${lib.getLib stdenv.cc.cc}/lib $out/lib/libboost_thread.so.*
 ''}
- ''
- +
- # On all versions before c9f51e87057652db0013289a95deffba495b35e7, which
- # removes config.nix entirely and is not present in 2.3.x, we need to
- # patch around an issue where the Nix configure step pulls in the build
- # system's bash and other utilities when cross-compiling.
- lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform && !atLeast224) ''
- mkdir tmp/
- substitute corepkgs/config.nix.in tmp/config.nix.in \
- --subst-var-by bash ${bash}/bin/bash \
- --subst-var-by coreutils ${coreutils}/bin \
- --subst-var-by bzip2 ${bzip2}/bin/bzip2 \
- --subst-var-by gzip ${gzip}/bin/gzip \
- --subst-var-by xz ${xz}/bin/xz \
- --subst-var-by tar ${gnutar}/bin/tar \
- --subst-var-by tr ${coreutils}/bin/tr
- mv tmp/config.nix.in corepkgs/config.nix.in
- '';
+ '';
 configureFlags = [
 "--with-store-dir=${storeDir}" 
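Review bot: Removing `atLeast224` leaves every remaining branch of `common-autoconf.nix` assuming Nix ≥ 2.24 (unconditional `git`/`man` install-check inputs, mdbook documentation, `libgit2`/`toml11`/`rapidcheck`, the `installcheck` target), but `version` is still a free argument and nothing rejects an older one, so a later `commonAutoconf { version = "2.18.x"; … }` (constructed example) would fail deep inside the build rather than at evaluation. Add a guard next to the existing one in the first hunk: `assert lib.versionAtLeast version "2.24pre";`. The deleted cross-compile `substitute` block was the only visible user of `bash`, `coreutils`, `bzip2`, `gzip`, `xz` and `gnutar`, and the deleted docs branch the only visible user of `libxslt`, `libxml2`, `docbook_xsl_ns` and `docbook5`; if nothing else in the file references them they should be dropped from the `}@args` parameter set, which sits above this hunk. `atLeast225` on the next line is kept, so the version-gating idiom itself is still in use here.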
@@ -233,7 +201,7 @@ let
 ++ lib.optionals stdenv.hostPlatform.isLinux [
 "--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox"
 ]
- ++ lib.optionals (atLeast224 && stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [
+ ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [
 "--enable-embedded-sandbox-shell"
 ]
 ++
@@ -250,7 +218,7 @@ let
 # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
 "--disable-seccomp-sandboxing"
 ]
- ++ lib.optionals (atLeast224 && stdenv.cc.isGNU && !enableStatic) [
+ ++ lib.optionals (stdenv.cc.isGNU && !enableStatic) [
 "--enable-lto"
 ];
@@ -275,7 +243,7 @@ let
 installFlags = [ "sysconfdir=$(out)/etc" ];
 doInstallCheck = true;
- installCheckTarget = if atLeast224 then "installcheck" else null;
+ installCheckTarget = "installcheck";
 # socket path becomes too long otherwise
 preInstallCheck =
@@ -288,10 +256,10 @@ let
 export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
 ''
 # See https://github.com/NixOS/nix/issues/5687
- + lib.optionalString (atLeast224 && stdenv.hostPlatform.isDarwin) ''
+ + lib.optionalString (stdenv.hostPlatform.isDarwin) ''
 echo "exit 99" > tests/gc-non-blocking.sh
 ''
 # TODO: investigate why this broken
- + lib.optionalString (atLeast224 && stdenv.hostPlatform.system == "aarch64-linux") ''
+ + lib.optionalString (stdenv.hostPlatform.system == "aarch64-linux") ''
 echo "exit 0" > tests/functional/flakes/show.sh
 '' + ''
@@ -299,7 +267,7 @@ let
 export MANPATH=$man/share/man:$MANPATH
 '';
- separateDebugInfo = stdenv.hostPlatform.isLinux && (atLeast224 -> !enableStatic);
+ separateDebugInfo = stdenv.hostPlatform.isLinux && !enableStatic;
 enableParallelBuilding = true;
diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
index 19e86764f9009..db149bf8b3e4e 100644
--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix 
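Review bot: `lib.optionalString (stdenv.hostPlatform.isDarwin) ''` in the fourth hunk keeps parentheses that only made sense around the removed `atLeast224 &&` conjunction; with a single operand they no longer do anything and read as a leftover of the old condition. Suggest `+ lib.optionalString stdenv.hostPlatform.isDarwin ''`. The `aarch64-linux` line below it still needs its parentheses because of the `==` comparison. The `preInstallCheck` string these lines belong to starts and ends outside the hunk.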
@@ -151,32 +151,6 @@ lib.makeExtensible (
 self: ( {
- nix_2_3 =
- (commonAutoconf {
- version = "2.3.18";
- hash = "sha256-jBz2Ub65eFYG+aWgSI3AJYvLSghio77fWQiIW1svA9U=";
- patches = [
- patch-monitorfdhup
- ];
- self_attribute_name = "nix_2_3";
- knownVulnerabilities = [
- "CVE-2024-38531"
- "CVE-2024-47174"
- "CVE-2025-46415"
- "CVE-2025-46416"
- "CVE-2025-52991"
- "CVE-2025-52992"
- "CVE-2025-52993"
- ];
- maintainers = with lib.maintainers; [ flokli ];
- teams = [ ];
- }).overrideAttrs
- {
- # https://github.com/NixOS/nix/issues/10222
- # spurious test/add.sh failures
- enableParallelChecking = false;
- };
-
 nix_2_24 = commonAutoconf {
 version = "2.24.15";
 hash = "sha256-GHqFHLxvRID2IEPUwIfRMp8epYQMFcvG9ogLzfWRbPc=";
@@ -233,23 +207,6 @@
 latest = self.nix_2_30;
- # The minimum Nix version supported by Nixpkgs
- # Note that some functionality *might* have been backported into this Nix version,
- # making this package an inaccurate representation of what features are available
- # in the actual lowest minver.nix *patch* version.
- minimum =
- let
- minver = import ../../../../lib/minver.nix;
- major = lib.versions.major minver;
- minor = lib.versions.minor minver;
- attribute = "nix_${major}_${minor}";
- nix = self.${attribute};
- in
- if !self ? ${attribute} then
- throw "The minimum supported Nix version is ${minver} (declared in lib/minver.nix), but pkgs.nixVersions.${attribute} does not exist."
- else
- nix;
-
 # Read ./README.md before bumping a major release
 stable = addFallbackPathsCheck self.nix_2_28;
 }
@@ -269,6 +226,7 @@ lib.makeExtensible (
 nix_2_27 = throw "nix_2_27 has been removed. use nix_2_28.";
 nix_2_25 = throw "nix_2_25 has been removed. use nix_2_28.";
+ minimum = throw "nixVersions.minimum has been removed. Use a specific version instead.";
 unstable = throw "nixVersions.unstable has been removed. use nixVersions.latest or the nix flake.";
 }
 ) 
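Review bot: The new `minimum = throw "nixVersions.minimum has been removed. Use a specific version instead.";` in the last hunk gives no pointer to where the minimum now lives, whereas the `minimum` attribute it replaces both read `lib/minver.nix` and verified that a matching `nix_<major>_<minor>` attribute exists; with that check gone, `lib/minver.nix` ("2.18" in this change) can drift from the packaged versions silently, and no `nix_2_18` attribute is visible in this set. Suggest `minimum = throw "nixVersions.minimum has been removed; the minimum Nix version for evaluating Nixpkgs is declared in lib/minver.nix. Use a specific nixVersions.nix_X_Y attribute instead.";`. If the evaluation floor and the oldest packaged version are meant to diverge permanently, a short comment saying so above `nix_2_24` would save the next maintainer from re-adding the check. The `lib.makeExtensible` body continues outside the hunks.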
diff --git a/pkgs/tools/package-management/nix/update-all.sh b/pkgs/tools/package-management/nix/update-all.sh
index a2b459e67e7ff..d84b6f56a47fa 100755
--- a/pkgs/tools/package-management/nix/update-all.sh
+++ b/pkgs/tools/package-management/nix/update-all.sh
@@ -11,9 +11,6 @@ nix_versions=$(nix eval --impure --json --expr "with import ./. { config.allowAl
 for name in $nix_versions; do
 minor_version=${name#nix_*_}
- if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
- continue
- fi
 nix-update --override-filename "$SCRIPT_DIR/default.nix" --version-regex "(2\\.${minor_version}\..+)" --build --commit "nixVersions.$name"
 done
@@ -25,9 +22,6 @@ stable_version_trimmed=${stable_version_full%.*}
 for name in $nix_versions; do
 minor_version=${name#nix_*_}
- if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
- continue
- fi
 if [[ "$name" = "nix_${stable_version_trimmed//./_}" ]]; then
 curl https://releases.nixos.org/nix/nix-$stable_version_full/fallback-paths.nix > "$NIXPKGS_DIR/nixos/modules/installer/tools/nix-fallback-paths.nix"
 # nix-update will commit the file if it has changed
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index bc616ce906401..d31ac7e68d930 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -1435,7 +1435,7 @@ mapAliases {
 nixFlakes = throw "'nixFlakes' has been renamed to/replaced by 'nixVersions.stable'"; # Converted to throw 2024-10-17
 nixStable = nixVersions.stable; # Added 2022-01-24
 nixUnstable = throw "nixUnstable has been removed. For bleeding edge (Nix master, roughly weekly updated) use nixVersions.git, otherwise use nixVersions.latest."; # Converted to throw 2024-04-22
- nix_2_3 = nixVersions.nix_2_3;
+ nix_2_3 = throw "'nix_2_3' has been removed, because it was unmaintained and insecure."; # Converted to throw 2025-07-24
 nixfmt-rfc-style =
 if lib.oldestSupportedReleaseIsAtLeast 2511 then
 lib.warnOnInstantiate 
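Review bot: The new `nix_2_3` throw in `pkgs/top-level/aliases.nix` names no replacement, unlike the neighbouring `nixFlakes` and `nixUnstable` entries, which tell the user what to switch to; anyone hitting it has to go and find the release note. Suggest `nix_2_3 = throw "'nix_2_3' has been removed, because it was unmaintained and insecure. Use nixVersions.stable instead."; # Converted to throw 2025-07-24`. In `update-all.sh` the deleted `nix_2_3` skips were the loops' only filter, so every `nix_*` name the (truncated) `nix eval` returns now reaches `nix-update`; that is presumably intended now that all remaining entries are team-maintained, but a one-line comment at the loop stating that assumption would keep the next out-of-tree version from being silently picked up. The `mapAliases { … }` set continues outside the hunk.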
diff --git a/pkgs/top-level/make-tarball.nix b/pkgs/top-level/make-tarball.nix
index b1ddef188d93c..1b90e4bfdb66c 100644
--- a/pkgs/top-level/make-tarball.nix
+++ b/pkgs/top-level/make-tarball.nix
@@ -3,13 +3,7 @@
 officialRelease,
 pkgs ? import nixpkgs.outPath { },
 nix ? pkgs.nix,
- lib-tests ? import ../../lib/tests/release.nix {
- pkgs = import nixpkgs.outPath {
- config = {
- permittedInsecurePackages = [ "nix-2.3.18" ];
- };
- };
- },
+ lib-tests ? import ../../lib/tests/release.nix { inherit pkgs; },
 }:
 pkgs.releaseTools.sourceTarball {
diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix
index ca8da7b04d7fd..bc5b83d3db564 100644
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -113,20 +113,7 @@ let
 manual = pkgs.nixpkgs-manual.override { inherit nixpkgs; };
 metrics = import ./metrics.nix { inherit pkgs nixpkgs; };
- lib-tests = import ../../lib/tests/release.nix {
- pkgs = import nixpkgs (
- recursiveUpdate
- (recursiveUpdate {
- inherit system;
- config.allowUnsupportedSystem = true;
- } nixpkgsArgs)
- {
- config.permittedInsecurePackages = nixpkgsArgs.config.permittedInsecurePackages or [ ] ++ [
- "nix-2.3.18"
- ];
- }
- );
- };
+ lib-tests = import ../../lib/tests/release.nix { inherit pkgs; };
 pkgs-lib-tests = import ../pkgs-lib/tests { inherit pkgs; };
 darwin-tested =
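Review bot: Passing `{ inherit pkgs; }` to `lib/tests/release.nix`, in both `make-tarball.nix` and `release.nix`, bypasses the `lib = throw "pkgs.lib accessed, …"` guard that the lib tests attach only to their default `pkgs`, so from these two callers an accidental `pkgs.lib` use inside the lib tests goes undetected. The previous code also passed an explicit `pkgs`, so this is not a regression, but with the special `permittedInsecurePackages` config gone the guard is now cheap to keep: pass `pkgs // { lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!"; }` instead of the bare `pkgs`, or let `release.nix` fall back to the default via `{ inherit system; }` if `nixpkgsArgs` (notably `config.allowUnsupportedSystem`) is not needed for those tests, which I cannot tell from the hunk. Both enclosing `let` blocks continue outside the hunks.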