freeimage-unstable insecure #509

Open
luc-spec opened this issue Oct 19, 2024 · 2 comments

luc-spec commented Oct 19, 2024

Preface -- I'm brand new to Nix with ROS. Maybe this is widely known and I'm just catching on.

My system:

  • nixos-unstable
  • flakes enabled [x]

I tried running nix develop github:lopsided98/nix-ros-overlay#example-turtlebot3-gazebo

> nix develop --impure github:lopsided98/nix-ros-overlay#example-turtlebot3-gazebo
do you want to allow configuration setting 'extra-substituters' to be set to 'https://ros.cachix.org' (y/N)?
do you want to permanently mark this value as untrusted (y/N)?
warning: ignoring untrusted flake configuration setting 'extra-substituters'.
Pass '--accept-flake-config' to trust it
do you want to allow configuration setting 'extra-trusted-public-keys' to be set to 'ros.cachix.org-1:dSyZxI8geDCJrwgvCOHDoAfOm5sV1wCPjBkKL+38Rvo=' (y/N)?
do you want to permanently mark this value as untrusted (y/N)?
warning: ignoring untrusted flake configuration setting 'extra-trusted-public-keys'.
Pass '--accept-flake-config' to trust it
error:
       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:34:12:
           33|
           34|   strict = derivationStrict drvAttrs;
             |            ^
           35|

       … while evaluating derivation 'nix-shell'
         whose name attribute is located at /nix/store/l3amk5lsakpc93him5kry24kax23sn4h-source/pkgs/stdenv/generic/make-derivation.nix:336:7

       … while evaluating attribute 'buildInputs' of derivation 'nix-shell'
         at /nix/store/l3amk5lsakpc93him5kry24kax23sn4h-source/pkgs/stdenv/generic/make-derivation.nix:383:7:
          382|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          383|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          384|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: Package ‘freeimage-unstable-2021-11-01’ in /nix/store/l3amk5lsakpc93him5kry24kax23sn4h-source/pkgs/development/libraries/freeimage/default.nix:72 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2021-33367
        - CVE-2021-40262
        - CVE-2021-40263
        - CVE-2021-40264
        - CVE-2021-40265
        - CVE-2021-40266
        - CVE-2023-47992
        - CVE-2023-47993
        - CVE-2023-47994
        - CVE-2023-47995
        - CVE-2023-47996

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘freeimage-unstable-2021-11-01’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "freeimage-unstable-2021-11-01"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘freeimage-unstable-2021-11-01’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "freeimage-unstable-2021-11-01"
              ];
            }

My workaround is intentionally moving past the insecure package with NIXPKGS_ALLOW_INSECURE=1 nix develop --impure github:lopsided98/nix-ros-overlay#example-turtlebot3-gazebo.

Even then, I get this error:

error: builder for '/nix/store/0biqj4535x1mx5jlhxcdx3p2kpr79jbx-ros-noetic-angles-1.9.13-r1.drv' failed with exit code 2;
       last 25 log lines:
       > install flags: -j24 SHELL=/nix/store/izpf49b74i15pcr9708s3xdwyqs4jxwl-bash-5.2p32/bin/bash install
       > Install the project...
       > -- Install configuration: "Release"
       > -- Installing: /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/lib/pkgconfig/angles.pc
       > -- Installing: /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/share/angles/cmake/anglesConfig.cmake
       > -- Installing: /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/share/angles/cmake/anglesConfig-version.cmake
       > -- Installing: /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/share/angles/package.xml
       > -- Installing: /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/include/angles
       > -- Installing: /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/include/angles/angles.h
       > + cd /build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1
       > + mkdir -p /nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/lib/python3.12/site-packages
       > + /nix/store/0kg70swgpg45ipcz3pr2siidq9fn6d77-coreutils-9.5/bin/env PYTHONPATH=/nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/lib/python3.12/site-packages:/build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1/build/lib/python3.12/site-packages:/nix/store/8crha7cgp6fdsm6y0kw0bhkcd5hg99zg-ros-noetic-catkin-0.8.10-r1/lib/python3.12/site-packages:/nix/store/d2wfllsi0nlk7x87yv6jlv3swd4inpw3-python3.12-catkin_pkg-1.0.0/lib/python3.12/site-packages:/nix/store/22d4sr968zx6l3sl7xrzcq4z18frqb7m-python3.12-python-dateutil-2.9.0.post0/lib/python3.12/site-packages:/nix/store/rgfl07w7jjb0mmxgifzyca6g6fh6cq36-python3.12-six-1.16.0/lib/python3.12/site-packages:/nix/store/h3i0acpmr8mrjx07519xxmidv8mpax4y-python3-3.12.5/lib/python3.12/site-packages:/nix/store/j7n6ylah9qpfa89nc4g4rkvm1mfd9ins-python3.12-docutils-0.21.2/lib/python3.12/site-packages:/nix/store/b051ph4hq93g1qkliadxfsg4l2hg7ig1-python3.12-pyparsing-3.1.2/lib/python3.12/site-packages:/nix/store/l7idy2qiiv0v0b6khfjvz3l5k6mnm47l-python3.12-setuptools-72.1.0/lib/python3.12/site-packages:/nix/store/293x651b1sv2w9nvi8mxh5av2rcyp18j-python3.12-empy-4.1/lib/python3.12/site-packages:/nix/store/x8y4a2f512dsj2f5m4k2wv6nfpj7q2v7-python3.12-nose-1.3.7/lib/python3.12/site-packages:/nix/store/wdz280kh1012anpyaj0fln9n18px01w1-python3.12-coverage-7.5.3/lib/python3.12/site-packages CATKIN_BINARY_DIR=/build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1/build /nix/store/h3i0acpmr8mrjx07519xxmidv8mpax4y-python3-3.12.5/bin/python /build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1/setup.py build --build-base /build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1/build install --root=/ --prefix=/nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1 --install-scripts=/nix/store/djwm5lcvmr7i4idxi70wkn4d3fnp2hv4-ros-noetic-angles-1.9.13-r1/bin
       > Traceback (most recent call last):
       >   File "/build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1/setup.py", line 3, in <module>
       >     from distutils.core import setup
       > ModuleNotFoundError: No module named 'distutils'
       > CMake Error at catkin_generated/safe_execute_install.cmake:4 (message):
       >
       >   execute_process(/build/geometry_angles_utils-release-release-noetic-angles-1.9.13-1/build/catkin_generated/python_distutils_install.sh)
       >   returned error code
       > Call Stack (most recent call first):
       >   cmake_install.cmake:65 (include)
       >
       >
       > make: *** [Makefile:100: install] Error 1
       For full logs, run 'nix log /nix/store/0biqj4535x1mx5jlhxcdx3p2kpr79jbx-ros-noetic-angles-1.9.13-r1.drv'.
error: 1 dependencies of derivation '/nix/store/1fmvk0qxadxn49lkav169grg3fi0y1j4-ros-env.drv' failed to build
error: 1 dependencies of derivation '/nix/store/0wfq64ji5b70yk3wblad9w9d20c16mng-nix-shell-env.drv' failed to build

Is there a better workaround (i.e. removing or updating freeimage-unstable-2021-11-01, the package with the CVEs)?

lopsided98 (Owner) commented

Gazebo depends on freeimage, and freeimage is unmaintained and has unpatched CVEs. There's not much that I can do about it unless upstream gets rid of the freeimage dependency.

The other issue is due to the upgrade to Python 3.12, which removes distutils from the standard library and is fixed by #506.
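
A narrower form of the workaround from the opening post, as an added example that is not part of this thread or of nix-ros-overlay's own code: a `flake.nix` that permits only the one package named in the error instead of setting `NIXPKGS_ALLOW_INSECURE=1`, so any other package marked insecure is still refused and `--impure` is not needed. The `overlays.default` output, the `nixpkgs` follows line, the `x86_64-linux` system and the stand-in shell contents are assumptions.

```nix
{
  inputs = {
    nix-ros-overlay.url = "github:lopsided98/nix-ros-overlay";
    # Assumption: reuse the nixpkgs revision the overlay is pinned to.
    nixpkgs.follows = "nix-ros-overlay/nixpkgs";
  };

  outputs = { self, nixpkgs, nix-ros-overlay }:
    let
      # Assumption: single-system flake; adjust for other platforms.
      system = "x86_64-linux";

      pkgs = import nixpkgs {
        inherit system;
        # Assumption: the overlay is exposed as overlays.default.
        overlays = [ nix-ros-overlay.overlays.default ];

        # Scoped exception: only this exact name-version string is
        # permitted. Every other package marked insecure still aborts
        # evaluation, unlike NIXPKGS_ALLOW_INSECURE=1, which permits
        # all of them for that invocation.
        config.permittedInsecurePackages = [
          "freeimage-unstable-2021-11-01"
        ];
      };
    in
    {
      devShells.${system}.default = pkgs.mkShell {
        # Stand-in for the Gazebo/ROS packages that pull freeimage in;
        # pkgs.freeimage alone is enough to exercise the exception.
        packages = [ pkgs.freeimage ];
      };
    };
}
```

Because the entry matches on the full name and version, a nixpkgs update that changes the freeimage version makes evaluation fail again, which forces the exception and its CVE list to be reviewed rather than carried forward silently.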

lopsided98 (Owner) commented

It turns out there are a lot more packages that depend on distutils, so I'll have to figure out some way of dealing with them in bulk.
