I plan on merging this on Monday unless I hear from others about Issues.

@infinisil Hi! this breaks master's build
42d0012#commitcomment-145046128

@spiage could you provide a link to your system's flake.nix? I don't see an "a7" in https://github.com/spiage/nixos-config/blob/main/flake.nix

well, I was not ready to open this machine's config, but OK, give me 2 minutes

It's reproducible by adding an insecure package to a nixos config. Maybe we should revert for now?

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs";
  };

  outputs =
    { nixpkgs, ... }:
    {
      nixosConfigurations.test = nixpkgs.lib.nixosSystem {
        modules = [
          (
            { modulesPath, pkgs, ... }:
            {
              imports = [ "${modulesPath}/profiles/minimal.nix" ];

              boot.loader.grub.enable = false;
              fileSystems."/".device = "nodev";
              nixpkgs.hostPlatform = "x86_64-linux";
              system.stateVersion = "24.05";

              nixpkgs.config = {
                warnUndeclaredOptions = true;
                #permittedInsecurePackages = [ "electron" ];
                #allowInsecurePredicate = _: false;
              };

              environment.systemPackages = [ pkgs.electron_27-bin ];

              # custom config here
            }
          )
        ];
      };
    };
}

I'm using yandex-browser
and it have this lines

It's reproducible by adding an insecure package to a nixos config. Maybe we should revert for now?

Yeah, unless the fix is super simple. FWIW, I have an unfree package in my flake and no issues.

if it is my local problem I can use any walkthrough if you give me =)

Basically I didn't notice that the config.foo or ... constructions would no longer work, and it would either have to be replaced with a check on options.foo.isDefined or by explicitly setting the default

Basically I didn't notice that the config.foo or ... constructions would no longer work, and it would either have to be replaced with a check on options.foo.isDefined or by explicitly setting the default

That's pretty hefty search-and-replace, and definitely a breaking change for external users. Setting the default is the least impactful option, as I see it, especially if there's a common and obvious default. Do you agree?

@spiage could you provide a link to your system's flake.nix? I don't see an "a7" in https://github.com/spiage/nixos-config/blob/main/flake.nix

I am very ashamed to show it, but here is the config
https://github.com/spiage/nixos-config-a7

Basically I didn't notice that the config.foo or ... constructions would no longer work, and it would either have to be replaced with a check on options.foo.isDefined or by explicitly setting the default

That's pretty hefty search-and-replace, and definitely a breaking change for external users. Setting the default is the least impactful option, as I see it, especially if there's a common and obvious default. Do you agree?

Yes, I think setting default would be safer, but I don't have enough time to test right now. I'm okay with reverting for now and making a new PR with some test cases added.

I'm ready to help with tests if you need it =)

Thanks for the super-fast report @spiage! I'm going to merge @eclairevoyant's revert and you'll be on your way.

I have 10 minutes lag to react =)
https://github.com/spiage/nixos-config-a7/blob/1a5eb091e24f253eb2a48c620e142e89704d66f3/nu.sh#L7

It's ok after revert

Version 15449 -> 15450:
  nixos-system-a7: 24.11.20240805.6be7a53 → 24.11.20240805.fb7d848
  source: +14.1 KiB

@eclairevoyant, I'd love to get this PR rolling again. What do you see as the set of steps to get it in without causing a hullabaloo?

I need to find free time to write some tests 😩

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/community-team-updates/56458/11