Patch makePythonWriter via overlay (upstream #521741), then drop the pypy2.7-* insecure allowance fleet-wide #131

Open
opened 2026-06-07 23:03:24 +02:00 by dominik.polakovics · 0 comments

This was generated by AI during triage.

Summary

Add a nixpkgs overlay that applies upstream NixOS/nixpkgs#521741 (https://github.com/NixOS/nixpkgs/pull/521741) — the one-line || → && fix to makePythonWriter's interpreter guard in pkgs/build-support/writers/scripts.nix:1203 (fixes NixOS/nixpkgs#468459, https://github.com/NixOS/nixpkgs/issues/468459). With the overlay in place, eval no longer force-evaluates the pypy2Packages set, so the pypy2.7-* insecure allowance can be removed from every host (the whole point of this issue).

Background

On 26.05 the guard is a tautology:

if pythonPackages != pkgs.pypy2Packages || pythonPackages != pkgs.pypy3Packages then

No pythonPackages can equal both sets, so the || is always true (upstream confirms it should be &&). Evaluating the left operand force-evaluates pypy2Packages; on 26.05 those members are insecure (pypy2.7-setuptools-44.0.0, CVE-2025-47273), so check-meta aborts host eval. The package is never built or installed — only force-evaluated by dead comparison logic.

It reaches every host via the upstream users-groups shell-program-check assertion (nixos/modules/config/users-groups.nix), which maps over [ "fish" "xonsh" "zsh" ] per user and evaluates user.shell == pkgs.fish → forces pkgs.fish (now Rust) → cargoDeps/fetchCargoVendor → fetch-cargo-vendor-util → the buggy writer. No host actually configures fish; the assertion forces it regardless.

Current workaround (already on nb, nas, fw): a nixpkgs.config.allowInsecurePredicate matching pypy2.7-*. This issue replaces that workaround with the real fix.

Why not just wait for upstream

PR #521741 is open but unmerged (targets master, idle since 2026-05-19), issue #468459 is stale, and there is no release-26.05 backport. The fix will not reach our 26.05 channel on its own for the foreseeable future.

Open implementation question (for triage)

makePythonWriter is a rec-scope member of the writers set, so writePython3Bin/fetch-cargo-vendor-util capture the rec-internal reference — a naive pkgs.writers.makePythonWriter override will not take effect. Needs investigation: override/re-import the whole writers attrset, or patch the nixpkgs source. This design call is why it's not auto-agent-ready yet.
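One concrete shape for the "patch the nixpkgs source" option, as an added example that is not code from this repository or from nixpkgs: instead of overriding the single rec member, it re-imports the whole writers set from a patched copy of its source directory. It assumes the file name utils/overlays/python-writer-guard.nix, that the guard sits on one line exactly as quoted in the Background section, and that top-level pkgs.writePython3Bin is inherited from pkgs.writers.

```nix
# utils/overlays/python-writer-guard.nix (assumed file name; added example,
# not code from Cloonar/nixos or from nixpkgs).
#
# A plain pkgs.writers.makePythonWriter override is invisible to the other
# rec-scope members, so re-evaluate the entire writers attrset from a copy
# of pkgs/build-support/writers whose scripts.nix carries the #521741 fix.
final: prev:
let
  # Build-time copy of the writers directory with the guard corrected.
  # Assumption: the guard is on one line exactly as shown in Background.
  # --replace-fail aborts the build if that text is absent, so an upstream
  # change (e.g. the merged fix arriving in the channel) cannot turn this
  # into a silent no-op; the overlay then has to be deleted, as intended.
  patchedWriters = prev.runCommand "nixpkgs-writers-pr521741" { } ''
    cp -r ${prev.path}/pkgs/build-support/writers $out
    chmod -R u+w $out
    substituteInPlace $out/scripts.nix \
      --replace-fail \
        'pythonPackages != pkgs.pypy2Packages || pythonPackages != pkgs.pypy3Packages' \
        'pythonPackages != pkgs.pypy2Packages && pythonPackages != pkgs.pypy3Packages'
  '';
in
{
  # Import the patched set in the final package scope. Assumption: the
  # top-level aliases (pkgs.writePython3Bin and friends) inherit from
  # pkgs.writers, so fetch-cargo-vendor-util picks up the fixed guard too.
  writers = final.callPackage "${patchedWriters}/default.nix" { };
}
```

The copy is an import-from-derivation, so the runCommand above is built during host eval; the nix-instantiate '<nixpkgs/nixos>' -A system eval from the References, run with the pypy2.7-* allowance removed, is the check that the guard no longer forces pypy2Packages.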

Acceptance criteria

  • Overlay in utils/overlays/ makes writePython3Bin (and friends) stop force-evaluating pypy2Packages, verified by eval passing without any pypy2.7 allowance.
  • Overlay wired into every nixpkgs instance: bare-metal hosts AND the fw microVM guests with their own nixpkgs (dev, fj-runner-1/2, web-02).
  • Remove the pypy2.7-* branch from allowInsecurePredicate on nb and nas, and from the fw predicate; drop the obsolete explanatory comments.
  • Build-verify (not just eval) each affected host on 26.05 — eval alone won't prove the patched writers still build.

Sequencing / dependencies

  • mail, web-arm, amzebs-01 are still on 25.11 (staged upgrade, #101–#112). Their allowance removal can only happen once they reach 26.05 — either land the overlay now and drop each host's allowance as it crosses over, or do this whole thing as a follow-up after the fleet is on 26.05.
  • When upstream #521741 merges and (if) backports to release-26.05, this overlay becomes redundant and should be deleted.

References

  • Upstream bug: NixOS/nixpkgs#468459 · Upstream fix: NixOS/nixpkgs#521741
  • Diagnosis verified against the live 26.05 nixpkgs and a real nix-instantiate '<nixpkgs/nixos>' -A system host eval (full check-meta trace through the writer guard).
Reference
Cloonar/nixos#131