
[25.05] ci/default: adjustments for removal of Nix 2.3 #433053

Merged
wolfgangwalther merged 2 commits into NixOS:release-25.05 from wolfgangwalther:ci-backport-nix-2-3
Aug 12, 2025

Conversation

@wolfgangwalther
Contributor

Very partial backport of #428076 - only the changes to ci/default.nix as discussed in #428076 (comment).

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. 6.topic: continuous integration Affects continuous integration (CI) in Nixpkgs, including Ofborg and GitHub Actions 4.workflow: backport This targets a stable branch labels Aug 12, 2025
@wolfgangwalther
Contributor Author

The lib tests are failing because of insecure Nix 2.3. That's because I had not removed nixVersions.minimum from the lib tests. Soon, after the next pinned update, Nix 2.3 will not be available anymore in that pin. Thus, we can't test lib tests with Nix 2.3 anymore.

I'll adjust the first commit and also backport the change to lib/tests.

@nix-owners nix-owners bot requested review from hsjobeki and infinisil August 12, 2025 10:12
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 6.topic: lib The Nixpkgs function library and removed 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Aug 12, 2025
@wolfgangwalther
Contributor Author

I'm not sure why, yet, but the "check cherry picks" job always gets cancelled. Mid-job. Never seen that before. What's concerning: The required status checks still seem to succeed.

Will have to investigate whether that happens elsewhere, too, or just in this PR...

@wolfgangwalther
Contributor Author

Will have to investigate whether that happens elsewhere, too, or just in this PR...

It seems to work fine for automated backports, but it also "failed" in #432854, #432790, maybe more.

That's... bad. The automated backports are where we don't need this job, but there it runs. For the manually created backports we need it, but there it doesn't...

@wolfgangwalther
Contributor Author

Surprise:

The job has exceeded the maximum execution time of 3m0s

Not sure why this wasn't visible on this PR, at least initially (it is now). Maybe I just overlooked it. So the fix is simple - allow this job to run longer!

The `nixVersions.minimum` alias has been removed on unstable, so the
TODO is not needed anymore.

The lib tests can't be run with Nix 2.3 anymore, because this version is
not available on unstable anymore - and thus also not in the pinned
nixpkgs that CI is run with.

(cherry picked from commit cc3d229)

Nix 2.3 has been removed on unstable and is not used by CI anymore, thus
we don't need the custom config for it anymore.

(cherry picked from commit fa0cba1)
@philiptaron philiptaron left a comment
Contributor


I'm going to run the lib tests.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 12, 2025
@github-actions github-actions bot left a comment
Contributor


This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

Please follow the backporting guidelines and cherry-pick with the -x flag.
This requires changes to the unstable master and staging branches first, before backporting them.

Occasionally, it is not possible to cherry-pick exactly the same patch.
This most frequently happens when resolving merge conflicts or when updating minor versions of packages which have already advanced to the next major on unstable.
If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Warning

Difference between c6efa35 and original cc3d229 may warrant inspection.

@@ Metadata
 Author: Wolfgang Walther <walther@technowledgy.de>
 
  ## Commit message ##
-    nixVersions.minimum: drop
+    lib/tests: don't test with Nix 2.3 anymore
 
-    The concept of this alias becomes questionable once we move past 2.18,
-    where Lix was forked. We should probably move to a feature-detection
-    based approach for lib/minver.nix eventually, too.
+    The `nixVersions.minimum` alias has been removed on unstable, so the
+    TODO is not needed anymore.
+
+    The lib tests can't be run with Nix 2.3 anymore, because this version is
+    not available on unstable anymore - and thus also not in the pinned
+    nixpkgs that CI is run with.
+
+    (cherry picked from commit cc3d2295b642f3d61faaa7335f79e63b5d10996e)
 
  ## ci/default.nix ##
 @@ ci/default.nix: rec {
@@ lib/tests/release.nix
      nix
      pkgs-nixVersions.latest
    ],
-
- ## pkgs/tools/package-management/nix/default.nix ##
-@@ pkgs/tools/package-management/nix/default.nix: lib.makeExtensible (
- 
-       latest = self.nix_2_30;
- 
--      # The minimum Nix version supported by Nixpkgs
--      # Note that some functionality *might* have been backported into this Nix version,
--      # making this package an inaccurate representation of what features are available
--      # in the actual lowest minver.nix *patch* version.
--      minimum =
--        let
--          minver = import ../../../../lib/minver.nix;
--          major = lib.versions.major minver;
--          minor = lib.versions.minor minver;
--          attribute = "nix_${major}_${minor}";
--          nix = self.${attribute};
--        in
--        if !self ? ${attribute} then
--          throw "The minimum supported Nix version is ${minver} (declared in lib/minver.nix), but pkgs.nixVersions.${attribute} does not exist."
--        else
--          nix;
--
-       # Read ./README.md before bumping a major release
-       stable = addFallbackPathsCheck self.nix_2_28;
-     }
-@@ pkgs/tools/package-management/nix/default.nix: lib.makeExtensible (
-         nix_2_27 = throw "nix_2_27 has been removed. use nix_2_28.";
-         nix_2_25 = throw "nix_2_25 has been removed. use nix_2_28.";
- 
-+        minimum = throw "nixVersions.minimum has been removed. Use a specific version instead.";
-         unstable = throw "nixVersions.unstable has been removed. use nixVersions.latest or the nix flake.";
-       }
-     )
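Review bot: `nixVersions.minimum` stays evaluable on release-25.05 because the whole `pkgs/tools/package-management/nix/default.nix` part of this hunk is original-only (the `minimum = throw "nixVersions.minimum has been removed. ..."` line is never backported), while the lib tests stop using it. That matches the "very partial backport" description, but the PR text should say so explicitly: on the stable branch the alias keeps resolving to the Nix 2.3 package that the first comment already calls insecure, and only lib/tests and CI stop exercising it.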

Warning

Difference between f05c8dd and original fa0cba1 may warrant inspection.

@@ Metadata
 Author: Wolfgang Walther <walther@technowledgy.de>
 
  ## Commit message ##
-    nix_2_3: drop
+    ci/default: remove insecure Nix 2.3 config
 
-    This has been marked insecure a while ago, as some CVEs have not been
-    backported. Even if *some* CVEs are fixed, we'd need **all** of them to
-    be, to get it back into the cache.
+    Nix 2.3 has been removed on unstable and is not used by CI anymore, thus
+    we don't need the custom config for it anymore.
 
-    Not having it in the cache means, we can not test it in CI. This means
-    we can't make sure to actually support this version to evaluate Nixpkgs.
+    (cherry picked from commit fa0cba1c398faad0b810555daea3bfeb05719a8c)
 
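Review bot: the rewritten message drops the security rationale the original carried (unbackported CVEs, so the 2.3 build cannot be cached and therefore cannot be tested in CI). Since `nix_2_3` itself stays on release-25.05 and only the CI config goes away, consider keeping one sentence noting that the package remains but is marked insecure and is no longer exercised by CI, so the stable-branch history explains why coverage stopped.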
  ## ci/default.nix ##
 @@ ci/default.nix: let
@@ ci/default.nix: let
  
    fmt =
      let
-
- ## doc/release-notes/rl-2511.section.md ##
-@@
- 
- <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- 
-+- `nixVersions.nix_2_3` has been dropped because it was insecure and unmaintained.
-+
-+- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18.
-+
- - The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader
- 
- - `base16-builder` node package has been removed due to lack of upstream maintenance.
-
- ## lib/minver.nix ##
-@@
- # Expose the minimum required version for evaluating Nixpkgs
--"2.3.17"
-+"2.18"
-
- ## lib/tests/release.nix ##
-@@
-   # The pkgs used for dependencies for the testing itself
-   # Don't test properties of pkgs.lib, but rather the lib in the parent directory
-   system ? builtins.currentSystem,
--  pkgs ?
--    import ../.. {
--      inherit system;
--      config = {
--        permittedInsecurePackages = [ "nix-2.3.18" ];
--      };
--    }
--    // {
--      lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
--    },
-+  pkgs ? import ../.. { inherit system; } // {
-+    lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!";
-+  },
-   # For testing someone may edit impure.nix to return cross pkgs, use `pkgsBuildBuild` directly so everything here works.
-   pkgsBB ? pkgs.pkgsBuildBuild,
-   nix ? pkgs-nixVersions.stable,
-
- ## pkgs/by-name/ni/nixos-rebuild-ng/package.nix ##
-@@ pkgs/by-name/ni/nixos-rebuild-ng/package.nix: python3Packages.buildPythonApplication rec {
-         with_nix_stable = nixos-rebuild-ng.override {
-           nix = nixVersions.stable;
-         };
--        with_nix_2_3 = nixos-rebuild-ng.override {
--          # oldest / minimum supported version in nixpkgs
--          nix = nixVersions.nix_2_3;
-+        with_nix_2_24 = nixos-rebuild-ng.override {
-+          # oldest supported version in nixpkgs
-+          nix = nixVersions.nix_2_24;
-         };
-         with_lix_latest = nixos-rebuild-ng.override {
-           nix = lixPackageSets.latest.lix;
-
- ## pkgs/tools/package-management/nix/common-autoconf.nix ##
-@@
- }@args:
- assert (hash == null) -> (src != null);
- let
--  atLeast224 = lib.versionAtLeast version "2.24pre";
-   atLeast225 = lib.versionAtLeast version "2.25pre";
- in
- {
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-     ]
-     ++ lib.optional stdenv.hostPlatform.isMusl "fortify";
- 
--    nativeInstallCheckInputs = lib.optionals atLeast224 [
-+    nativeInstallCheckInputs = [
-       git
-       man
-     ];
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-       flex
-       jq
-     ]
--    ++ lib.optionals enableDocumentation (
--      if atLeast224 then
--        [
--          (lib.getBin lowdown-unsandboxed)
--          mdbook
--          mdbook-linkcheck
--        ]
--      else
--        [
--          libxslt
--          libxml2
--          docbook_xsl_ns
--          docbook5
--        ]
--    )
-+    ++ lib.optionals enableDocumentation [
-+      (lib.getBin lowdown-unsandboxed)
-+      mdbook
-+      mdbook-linkcheck
-+    ]
-     ++ lib.optionals stdenv.hostPlatform.isLinux [
-       util-linuxMinimal
-     ];
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-       gtest
-       libarchive
-       lowdown
--    ]
--    ++ lib.optionals atLeast224 [
-       libgit2
-       toml11
-       rapidcheck
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
- 
-     propagatedBuildInputs = [
-       boehmgc
--    ]
--    ++ lib.optionals atLeast224 [
-       nlohmann_json
-     ];
- 
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-           chmod u+w $out/lib/*.so.*
-           patchelf --set-rpath $out/lib:${lib.getLib stdenv.cc.cc}/lib $out/lib/libboost_thread.so.*
-         ''}
--      ''
--      +
--        # On all versions before c9f51e87057652db0013289a95deffba495b35e7, which
--        # removes config.nix entirely and is not present in 2.3.x, we need to
--        # patch around an issue where the Nix configure step pulls in the build
--        # system's bash and other utilities when cross-compiling.
--        lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform && !atLeast224) ''
--          mkdir tmp/
--          substitute corepkgs/config.nix.in tmp/config.nix.in \
--            --subst-var-by bash ${bash}/bin/bash \
--            --subst-var-by coreutils ${coreutils}/bin \
--            --subst-var-by bzip2 ${bzip2}/bin/bzip2 \
--            --subst-var-by gzip ${gzip}/bin/gzip \
--            --subst-var-by xz ${xz}/bin/xz \
--            --subst-var-by tar ${gnutar}/bin/tar \
--            --subst-var-by tr ${coreutils}/bin/tr
--          mv tmp/config.nix.in corepkgs/config.nix.in
--        '';
-+      '';
- 
-     configureFlags = [
-       "--with-store-dir=${storeDir}"
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-     ++ lib.optionals stdenv.hostPlatform.isLinux [
-       "--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox"
-     ]
--    ++ lib.optionals (atLeast224 && stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [
-+    ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isStatic) [
-       "--enable-embedded-sandbox-shell"
-     ]
-     ++
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-       # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
-       "--disable-seccomp-sandboxing"
-     ]
--    ++ lib.optionals (atLeast224 && stdenv.cc.isGNU && !enableStatic) [
-+    ++ lib.optionals (stdenv.cc.isGNU && !enableStatic) [
-       "--enable-lto"
-     ];
- 
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-     installFlags = [ "sysconfdir=$(out)/etc" ];
- 
-     doInstallCheck = true;
--    installCheckTarget = if atLeast224 then "installcheck" else null;
-+    installCheckTarget = "installcheck";
- 
-     # socket path becomes too long otherwise
-     preInstallCheck =
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-         export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
-       ''
-       # See https://github.com/NixOS/nix/issues/5687
--      + lib.optionalString (atLeast224 && stdenv.hostPlatform.isDarwin) ''
-+      + lib.optionalString (stdenv.hostPlatform.isDarwin) ''
-         echo "exit 99" > tests/gc-non-blocking.sh
-       '' # TODO: investigate why this broken
--      + lib.optionalString (atLeast224 && stdenv.hostPlatform.system == "aarch64-linux") ''
-+      + lib.optionalString (stdenv.hostPlatform.system == "aarch64-linux") ''
-         echo "exit 0" > tests/functional/flakes/show.sh
-       ''
-       + ''
-@@ pkgs/tools/package-management/nix/common-autoconf.nix: let
-         export MANPATH=$man/share/man:$MANPATH
-       '';
- 
--    separateDebugInfo = stdenv.hostPlatform.isLinux && (atLeast224 -> !enableStatic);
-+    separateDebugInfo = stdenv.hostPlatform.isLinux && !enableStatic;
- 
-     enableParallelBuilding = true;
- 
-
- ## pkgs/tools/package-management/nix/default.nix ##
-@@ pkgs/tools/package-management/nix/default.nix: lib.makeExtensible (
-   self:
-   (
-     {
--      nix_2_3 =
--        (commonAutoconf {
--          version = "2.3.18";
--          hash = "sha256-jBz2Ub65eFYG+aWgSI3AJYvLSghio77fWQiIW1svA9U=";
--          patches = [
--            patch-monitorfdhup
--          ];
--          self_attribute_name = "nix_2_3";
--          knownVulnerabilities = [
--            "CVE-2024-38531"
--            "CVE-2024-47174"
--            "CVE-2025-46415"
--            "CVE-2025-46416"
--            "CVE-2025-52991"
--            "CVE-2025-52992"
--            "CVE-2025-52993"
--          ];
--          maintainers = with lib.maintainers; [ flokli ];
--          teams = [ ];
--        }).overrideAttrs
--          {
--            # https://github.com/NixOS/nix/issues/10222
--            # spurious test/add.sh failures
--            enableParallelChecking = false;
--          };
--
-       nix_2_24 = commonAutoconf {
-         version = "2.24.15";
-         hash = "sha256-GHqFHLxvRID2IEPUwIfRMp8epYQMFcvG9ogLzfWRbPc=";
-
- ## pkgs/tools/package-management/nix/update-all.sh ##
-@@ pkgs/tools/package-management/nix/update-all.sh: nix_versions=$(nix eval --impure --json --expr "with import ./. { config.allowAl
- 
- for name in $nix_versions; do
-     minor_version=${name#nix_*_}
--    if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
--        continue
--    fi
- 
-     nix-update --override-filename "$SCRIPT_DIR/default.nix" --version-regex "(2\\.${minor_version}\..+)" --build --commit "nixVersions.$name"
- done
-@@ pkgs/tools/package-management/nix/update-all.sh: stable_version_trimmed=${stable_version_full%.*}
- 
- for name in $nix_versions; do
-     minor_version=${name#nix_*_}
--    if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
--        continue
--    fi
-     if [[ "$name" = "nix_${stable_version_trimmed//./_}" ]]; then
-         curl https://releases.nixos.org/nix/nix-$stable_version_full/fallback-paths.nix > "$NIXPKGS_DIR/nixos/modules/installer/tools/nix-fallback-paths.nix"
-         # nix-update will commit the file if it has changed
-
- ## pkgs/top-level/aliases.nix ##
-@@ pkgs/top-level/aliases.nix: mapAliases {
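Review bot: the `permittedInsecurePackages = [ "nix-2.3.18" ]` override in lib/tests/release.nix is left in place by the backport (its removal is original-only in this hunk) even though the first commit stops the lib tests from using Nix 2.3; consider dropping it here as well, or confirming it is still needed, so the insecure package is not permitted into the test closure by default. The same hunk shows `lib/minver.nix` staying at `"2.3.17"` and `nix_2_3` keeping its `knownVulnerabilities` list on the release branch, which is consistent with a CI-only backport; the output is truncated before `pkgs/top-level/aliases.nix`, so that part could not be reviewed here.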

[...truncated...]

Hint: The full diffs are also available in the runner logs with slightly better highlighting.
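The report above is hard to read when a backport is deliberately partial, because every file the original commit touched and the backport did not shows up as a wall of `-` lines. The following added example (not code from the nixpkgs CI workflow or from this PR) parses that report shape per file and separates "file only in the original" and "file only in the backport" from the case a reviewer actually needs to inspect, a file present in both patches whose content differs. The outer prefix (" ", "-", "+"), the `## path ##` section headers and the prefix-less `@@ <file>` outer hunk headers are taken from the format shown above; the sample report is constructed for this example and the path `path/only-in-backport.nix` is a placeholder.

```python
"""Summarise a cherry-pick range-diff report file by file (added example).

Every report line carries an outer prefix: " " = in both patches,
"-" = only in the original commit, "+" = only in the backport.  The rest
of the line is one line of the inner patch, whose file sections start
with "## path ##".  Outer hunk headers ("@@ Metadata",
"@@ lib/tests/release.nix") carry no prefix and name the inner file the
following lines belong to.
"""
import re

# Inner file-section header, e.g. " ## ci/default.nix ##" or " ## Commit message ##"
FILE_HEADER = re.compile(r"^\s*## (.+?) ##$")

OUTER_STATUS = {" ": "identical", "-": "original only", "+": "backport only"}


def summarize_range_diff(report: str) -> dict:
    """Map each inner file section to one of:
    identical, differs, original only, backport only."""
    status = {}
    current = None  # inner file section the cursor is currently in
    for line in report.splitlines():
        if not line:
            continue
        if line.startswith("@@"):
            # Outer hunk header: names the inner file; everything before this
            # point in that file was elided by range-diff as identical.
            current = line[2:].strip()
            status.setdefault(current, "identical")
            continue
        outer, inner = line[0], line[1:]
        if outer not in OUTER_STATUS:
            continue  # stray text, not a diff line
        header = FILE_HEADER.match(inner)
        if header:
            current = header.group(1)
            status[current] = OUTER_STATUS[outer]
            continue
        if current is None:
            continue
        # A non-context outer line inside a section present in both patches
        # means the two patches disagree on that file.  Blank inner lines are
        # ignored so whitespace-only drift does not trigger inspection.
        if outer != " " and status[current] == "identical" and inner.strip():
            status[current] = "differs"
    return status


def needs_inspection(status: dict) -> list:
    """Files whose patch content differs between original and backport.
    The commit message always differs (new title, -x trailer), so skip it."""
    return sorted(p for p, s in status.items()
                  if s == "differs" and p != "Commit message")


# Constructed sample shaped after the report posted above (not copied from it).
SAMPLE_REPORT = """\
@@ Metadata
 Author: Example Author <author@example.invalid>
 
  ## Commit message ##
-    nix_2_3: drop
+    ci/default: remove insecure Nix 2.3 config
 
+    (cherry picked from commit 0000000000000000000000000000000000000000)
 
  ## ci/default.nix ##
 @@ ci/default.nix: let
 
   fmt =
     let
@@ lib/tests/release.nix
    system ? builtins.currentSystem,
--  pkgs ?
--    import ../.. {
--      config = {
--        permittedInsecurePackages = [ "nix-2.3.18" ];
--      };
--    }
-+  pkgs ? import ../.. { inherit system; }
+   pkgs ? import ../.. { inherit system; }
-
- ## lib/minver.nix ##
-@@
- # Expose the minimum required version for evaluating Nixpkgs
--"2.3.17"
-+"2.18"
+
+ ## path/only-in-backport.nix ##
+@@
+ # constructed placeholder: touched by the backport but not by the original
"""

if __name__ == "__main__":
    summary = summarize_range_diff(SAMPLE_REPORT)
    for path, state in summary.items():
        print(f"{state:14} {path}")
    print("inspect:", needs_inspection(summary))
```

Run against the sample, only `lib/tests/release.nix` ends up in the inspect list: `lib/minver.nix` is reported as original-only (expected for a partial backport), `ci/default.nix` as identical, and the commit message is skipped because the retitle and the `-x` trailer always make it differ.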

@wolfgangwalther
Copy link
Contributor Author

I'm going to run the lib tests.

CI already did:

PR / Build / x86_64-linux: shell, docs, lib, tarball (pull_request_target) Successful in 2m

@wolfgangwalther wolfgangwalther dismissed github-actions[bot]’s stale review August 12, 2025 17:30

The diff is not helpful, because it's so big compared to the original commit. Better review this on its own.

@philiptaron
Copy link
Contributor

They succeeded for me, too.

@wolfgangwalther wolfgangwalther merged commit fb2688c into NixOS:release-25.05 Aug 12, 2025
27 of 29 checks passed
@wolfgangwalther wolfgangwalther deleted the ci-backport-nix-2-3 branch August 12, 2025 17:32
