Cache not working

I’ve added the following to my flake.nix:

    flox.url = "github:flox/flox";
    flox.inputs.nixpkgs.follows = "nixpkgs";

and config:

  nix = {
    settings = {
      substituters = [
        "https://cache.flox.dev"
      ];
      trusted-public-keys = [
        "flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs="
      ];
    };
  };

  nixpkgs.overlays = [
    inputs.flox.overlays.default
  ];

  environment.systemPackages = with pkgs; [
    flox
    flox-cli
  ];

And yet it still builds several packages from scratch, taking over an hour to install. Am I missing something?

I’m using 23.11 stable.

Flox will need to rebuild any unfree package from source but over an hour is certainly alarming. Will look into it!

I see you are using the overlay for the flox packages.
In that case you will replace basically the entire package set underneath the flox packages, meaning the binary cache won’t resolve (unless you use the exact same nixpkgs revision we use in the flake which did not get updated recently I think).

Meaning you’ll at least need to rebuild the nix package, download a rust toolchain, compile rust dependencies etc… which can be a lengthy process.

I would propose using the flake outputs directly, i.e. use inputs.flox.packages.<your-system>.flox instead of the overlay to benefit from the binary cache.
If you are still observing this slowdown, please leave a note, because that would be indeed unexpected assuming the binary cache works correctly.


Excellent, thank you, that seems like it’s working, but now I’m seeing a different, likely unrelated error. The flox packages appear to be importing an insecure version of nix. When I added them I see the following:

       error: Package ‘nix-2.17.1’ in /nix/store/9jy6z2zx4klcpvw74zjgam01p3aba91m-source/pkgs/tools/package-management/nix/com…


       Known issues:
        - CVE-2024-27297

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘nix-2.17.1’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "nix-2.17.1"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘nix-2.17.1’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "nix-2.17.1"
              ];
            }

There was a recent CVE for the nix version used by flox. I saw some chat about carrying a patch for that, but I’m not sure if it’s happened yet so we’re looking into it. I think you can follow the instructions about adding it to nixpkgs.config.permittedInsecurePackages with the natural caveats.

If you drop the flox.inputs.nixpkgs.follows = "nixpkgs";, the warning about insecure should go away.
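The two suggestions made in this thread, combined into one configuration: take flox from the flake's package output instead of the overlay, and drop the nixpkgs `follows` line. This is an added example, not code from the posters or the flox project; the nixpkgs branch, the host name `myhost` and the `x86_64-linux` system are assumptions.

```nix
{
  inputs = {
    # Assumed: the poster's "23.11 stable" channel.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";

    # No `flox.inputs.nixpkgs.follows = "nixpkgs";` here. Without it, flox is
    # evaluated against the nixpkgs revision pinned in its own flake.lock, so
    # its store paths can match what https://cache.flox.dev serves. The thread
    # also reports that the insecure-package error goes away in this setup.
    flox.url = "github:flox/flox";
  };

  outputs = inputs@{ nixpkgs, ... }: {
    # `myhost` is a placeholder host name.
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux"; # assumed system
      specialArgs = { inherit inputs; };
      modules = [
        ({ pkgs, inputs, ... }: {
          # Substituter and signing key exactly as given in the original post.
          nix.settings = {
            substituters = [ "https://cache.flox.dev" ];
            trusted-public-keys = [
              "flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs="
            ];
          };

          # Before (from the original post): the overlay rebuilds flox on top
          # of the system's own package set, so the cached paths do not match.
          #   nixpkgs.overlays = [ inputs.flox.overlays.default ];
          #   environment.systemPackages = with pkgs; [ flox flox-cli ];

          # After: reference the package output built by the flox flake itself.
          environment.systemPackages = [
            inputs.flox.packages.${pkgs.stdenv.hostPlatform.system}.flox
          ];
        })
      ];
    };
  };
}
```

Running `nixos-rebuild dry-build` against this configuration lists which paths will be built and which will be fetched, so a cache miss is visible before a long build starts.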

Thanks @ghudgins and @mkenigs, I’m up and running again!
