Skip to content

Refactor tests to load flake inputs with flake-compat #1580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 30, 2025
Merged

Refactor tests to load flake inputs with flake-compat #1580

merged 6 commits into from
Oct 30, 2025

Conversation

@Mic92
Copy link
Member

@Mic92 Mic92 commented Aug 17, 2025

Description of changes
Things done
  • Tested the changes in your own NixOS Configuration
  • Tested the changes end-to-end by using your fork of nixos-hardware and
    importing it via <nixos-hardware> or Flake input

@Mic92 Mic92 requested a review from fgaz as a code owner August 17, 2025 09:24
@Mic92 Mic92 force-pushed the private-flake branch 5 times, most recently from 6eb557c to 9cd60f4 Compare August 17, 2025 10:02
@Mic92
Refactor tests to load flake inputs with flake-compat
4bafcc2 
This makes `nix fmt` just works and we no longer have to override flake
inputs.
@Mic92
Remove insecure broadcom-sta driver from hardware profiles
b09586b 
The broadcom-sta driver package is marked as insecure due to CVE-2019-9501
and CVE-2019-9502 (heap buffer overflow vulnerabilities allowing remote code
execution). The driver is also unmaintained and incompatible with modern
Linux kernel security mitigations.

Removed broadcom_sta from extraModulePackages and the corresponding "wl" kernel module.

This resolves test failures where Nixpkgs refuses to evaluate configurations
containing this insecure package.
@Mic92 Mic92 enabled auto-merge October 30, 2025 12:05
@Mic92
nix-eval-job: disable eval-cache
3beac24 
in ci, there is no cache, so it's just overhead and prints warnings.
@Mic92 Mic92 added this pull request to the merge queue Oct 30, 2025
@Mic92 Mic92 mentioned this pull request Oct 30, 2025
Merged
2 tasks
Merged via the queue into master with commit 43ffe9a Oct 30, 2025
2 checks passed
@Mic92 Mic92 deleted the private-flake branch October 30, 2025 12:40
@masrlinu
Copy link

masrlinu commented Nov 2, 2025

@Mic92, you removed wifi from my MacBook Air 6.2. I prefer having an insecure wifi driver than having no internet at all. So I manually added the lines

  #insecure wifi
  boot.kernelModules = ["wl"];
  boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];
  nixpkgs.config.allowInsecurePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "broadcom-sta" # aka “wl”
    ];

to my nix-configuration.

Is your plan to completely disable internet on these computers, or do you have a better solution?

@Mic92
Copy link
Member Author

Mic92 commented Nov 11, 2025

@Mic92, you removed wifi from my MacBook Air 6.2. I prefer having an insecure wifi driver than having no internet at all. So I manually added the lines

  #insecure wifi
  boot.kernelModules = ["wl"];
  boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];
  nixpkgs.config.allowInsecurePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "broadcom-sta" # aka “wl”
    ];

to my nix-configuration.

Is your plan to completely disable internet on these computers, or do you have a better solution?

No, but I had to remove it to fix evaluation of these modules. We can have an option that is not enabled by default to fix it though.

@masrlinu
Copy link

masrlinu commented Nov 11, 2025

With these lines:

  #insecure wifi
  boot.kernelModules = ["wl"];
  boot.extraModulePackages = [config.boot.kernelPackages.broadcom_sta];
  nixpkgs.config.allowInsecurePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "broadcom-sta" # aka “wl”
    ];

I get no evaluation error. We can add that and keep the wl/Broadcom module enabled.
Exploitability requires an attacker in immediate Wi-Fi range — not a remote Internet attack — so risk is low for my trusted family/neighbors; full code execution would need much more than just being nearby.

@Mic92
Copy link
Member Author

Mic92 commented Nov 11, 2025

Do you want to add this? It would be better to override the broadcom package instead of nixpkgs.config.allowInsecurePredicate since some people and CI us using nixpkgs.pkgs instances:

  boot.extraModulePackages = [
    (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
      meta = oldAttrs.meta // {
        knownVulnerabilities = [];
      };
    }))
  ];

@masrlinu
Copy link

masrlinu commented Nov 12, 2025

Yes, I updated my configuration. It works on my MacBook Air 6.2, thank you :-)

@Mic92
Copy link
Member Author

Mic92 commented Nov 12, 2025

Okay. Please make a pull request.

@masrlinu
Copy link

masrlinu commented Nov 12, 2025

Yes, I’ll do that. It will be my first NixOS pull request.
I’m planning to enable the Broadcom driver by default and add an option to disable it for people who use an external Wi-Fi stick. Does that sound okay?
Should I apply this change only to my tested MacBook Air 6, or also to all other devices where you disabled the Broadcom driver in this commit ?

masrlinu added a commit to masrlinu/nixos-hardware that referenced this pull request Nov 13, 2025
@masrlinu
broadcom-wl: enable WiFi/Bluetooth driver as discussed in PR NixOS#1580
868a9bc
@masrlinu masrlinu mentioned this pull request Nov 13, 2025
Open
2 tasks
@masrlinu
Copy link

masrlinu commented Nov 13, 2025

✔️ All done 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fgaz fgaz Awaiting requested review from fgaz fgaz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Mic92 @masrlinu @tcurdt