@victorhooi
Created August 30, 2024 02:00
nix run ./#build-switch - error about insecure libolm
❯ nix run ./#build-switch --show-trace
warning: Git tree '/Users/foobar/nixos-config' is dirty
Running build-switch for aarch64-darwin
Starting build...
warning: Git tree '/Users/foobar/nixos-config' is dirty
error:
       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:9:12:
            8|
            9|   strict = derivationStrict drvAttrs;
             |            ^
           10|
       … while evaluating derivation 'darwin-system-24.11.20240828.71e91c4+darwin4.ac5694a'
         whose name attribute is located at /nix/store/887hpp8a2i99n9jjwcvz6qkhhhqsvzkg-source/pkgs/stdenv/generic/make-derivation.nix:336:7
       … while evaluating attribute 'activationScript' of derivation 'darwin-system-24.11.20240828.71e91c4+darwin4.ac5694a'
         at /nix/store/fphf962hz5269am1hd3m3dd48pf4ljfj-source/modules/system/default.nix:95:7:
           94|
           95|       activationScript = cfg.activationScripts.script.text;
             |       ^
           96|       activationUserScript = cfg.activationScripts.userScript.text;
       (stack trace truncated; use '--show-trace' to show the full trace)
       error: Package ‘olm-3.2.16’ in /nix/store/887hpp8a2i99n9jjwcvz6qkhhhqsvzkg-source/pkgs/development/libraries/olm/default.nix:26 is marked as insecure, refusing to evaluate.
       Known issues:
        - The libolm end‐to‐end encryption library used in many Matrix
       clients and Jitsi Meet has been deprecated upstream, and relies
       on a cryptography library that has known side‐channel issues and
       disclaims that its implementations are not cryptographically secure
       and should not be used when cryptographic security is required.
       It is not known that the issues can be exploited over the network in
       practical conditions. Upstream has stated that the library should
       not be used going forwards, and there are no plans to move to a
       another cryptography implementation or otherwise further maintain
       the library at all.
       You should make an informed decision about whether to override this
       security warning, especially if you critically rely on end‐to‐end
       encryption. If you don’t care about that, or don’t use the Matrix
       functionality of a multi‐protocol client depending on libolm,
       then there should be no additional risk.
       Some clients are investigating migrating away from libolm to maintained
       libraries without known vulnerabilities.
       For further information, see:
       * The CVE records for the known vulnerabilities:
         * CVE-2024-45191
         * CVE-2024-45192
         * CVE-2024-45193
       * The libolm deprecation notice:
         <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
       * The warning from the cryptography code used by libolm:
         <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
       * The blog post disclosing the details of the known vulnerabilities:
         <https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
       * The announcement in This Week in Matrix from the Matrix.org
         project lead:
         <https://matrix.org/blog/2024/08/16/this-week-in-matrix-2024-08-16/#dept-of-encryption-closed-lock-with-key>
       * A (likely incomplete) aggregation of client tracking issue links:
         <https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
       You can install it anyway by allowing this package, using the
       following methods:
       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:
            $ export NIXPKGS_ALLOW_INSECURE=1
          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.
       b) for `nixos-rebuild` you can add ‘olm-3.2.16’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:
            {
              nixpkgs.config.permittedInsecurePackages = [
                "olm-3.2.16"
              ];
            }
       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘olm-3.2.16’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:
            {
              permittedInsecurePackages = [
                "olm-3.2.16"
              ];
            }
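The three override methods in the message are written for `nixos-rebuild`, `nix-env`/`config.nix` and the `NIXPKGS_ALLOW_INSECURE` environment variable, none of which is quite the situation in this gist (a nix-darwin host built from a flake with `nix run ./#build-switch`). The module below is an added example, not part of the gist or of nixpkgs, showing the flake-friendly equivalent of method (b) for nix-darwin. It assumes the host is built with nix-darwin and that this file is imported from the host's darwin configuration; the path `modules/darwin/olm.nix` is a hypothetical name.

```nix
# Added example (not from the gist): a nix-darwin module that permits exactly
# the olm version named in the error, so `nix run ./#build-switch` evaluates
# again without exporting NIXPKGS_ALLOW_INSECURE=1 or passing --impure.
# Assumptions: the host is built with nix-darwin from a flake, and this file
# is imported from that host's darwin configuration (hypothetical path:
# modules/darwin/olm.nix).
{ ... }:
{
  # nixpkgs.config is nix-darwin's counterpart of the NixOS option shown in
  # method (b). The exemption is scoped to this one version string, so a
  # later olm bump in nixpkgs trips the insecure-package refusal again
  # instead of silently inheriting the override.
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];
}
```

If the flake constructs its own package set and hands it to nix-darwin through `nixpkgs.pkgs`, `nixpkgs.config` in a module is not consulted; in that case put `config.permittedInsecurePackages = [ "olm-3.2.16" ];` in the `import nixpkgs { ... }` call that builds that package set. Method (a) with `--impure` also works for a one-off `nix run`, but it exempts every insecure package for that invocation rather than just this one, which is why the pinned list above is the better default for a configuration that is rebuilt routinely.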