How to prevent students from accidentally adding nix packages?

rmartinsc · October 13, 2023, 5:11pm

I am using Replit to manage a classroom of new programmers learning Python, and it is working quite well, but there is one problem that keeps occurring: students are accidentally adding nix packages which often end up causing their Replits to crash with nix errors when they try to run their code!

One way that I know such packages are being added is if they go to the Console tab and instead of starting the python repl by entering the python command they immediately start entering python code. If they enter a statement like import math then they get prompted to install an imagemagick package. Often they end up going through with installing the package instead of cancelling.

I am able to get into their replit.nix files and remove the erroneously added packages, but it’s confusing and frustrating for the students, and I wonder if there is a way to prevent these packages from being added in the first place. Is there a way to lock the replit.nix file? How can I make this work better for my students?

NateDhaliwal · October 14, 2023, 7:03am

Hi @rmartinsc , welcome to the forums!
Your stdents should be using poetry add to install packages, not the replit.nix file.

UMARismyname · October 14, 2023, 10:42am

From what I’ve seen in the forum the nix mess also happens because they use the Shell instead of the Console, possibly because the Shell’s scrollback doesn’t clear until you refresh. If you turn on Explorer, there’s improvements to the Console so you don’t have to do that.

NuclearPasta0 · October 14, 2023, 7:41pm

One solution is to only use the prybar python template, though I think the program has to be run once before any python code can be entered into the console.
IPython is an alternative to prybar, with more features.

rmartinsc · October 16, 2023, 2:37pm

My students aren’t even supposed to be installing packages at all at this stage. The problem is they are doing it by accident and it causes all sorts of confusion for them.

NateDhaliwal · October 16, 2023, 10:54pm

Hi @rmartinsc , could you send the code of the student? The replit.nix file?
How are they installing it by accident?

rmartinsc · October 17, 2023, 7:19pm

It’s not any code they are writing in code files that causes it, and they are not directly editing the replit.nix file. Instead, what seems to be happening is that they are using the Console/Shell tabs, and in some circumstances if they enter invalid commands they are prompted to install new nix packages. If they proceed instead of cancelling, the package gets added, and sometimes can’t actually be built, which causes errors when they try to run their code.

Here is an example Shell session that I have personally seen happen:

First, the user enters an import statement before entering the python REPL:

~/05-lecture$ import math
import: command not installed. Multiple versions of this command were found in Nix.
Select one to run (or press Ctrl-C to cancel):
> 
imagemagick6_light.out
imagemagick_light.out
imagemagick6.out
imagemagick6Big.out
imagemagickBig.out
imagemagick7.out
graphicsmagick-imagemagick-compat.out

If they don’t cancel, then they get this:

~/05-lecture$ import math
import: command not installed. Multiple versions of this command were found in Nix.
Select one to run (or press Ctrl-C to cancel):
Adding imagemagick6_light to replit.nix
success
error:
       … in the condition of the assert statement

         at /nix/store/4va5hjb3sdk8pnpn3dsnkdg65fw28jgv-nixpkgs-23.05-src/lib/customisation.nix:214:23:

          213|             outputSpecified = true;
          214|             drvPath = assert condition; drv.${outputName}.drvPath;
             |                       ^
          215|             outPath = assert condition; drv.${outputName}.outPath;

       … while evaluating the attribute 'handled'

         at /nix/store/4va5hjb3sdk8pnpn3dsnkdg65fw28jgv-nixpkgs-23.05-src/pkgs/stdenv/generic/check-meta.nix:447:7:

          446|       # or, alternatively, just output a warning message.
          447|       handled =
             |       ^
          448|         {

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: Package ‘imagemagick-6.9.12-68’ in /nix/store/4va5hjb3sdk8pnpn3dsnkdg65fw28jgv-nixpkgs-23.05-src/pkgs/applications/graphics/ImageMagick/6.x.nix:118 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2018-16328
        - CVE-2018-16329
        - CVE-2019-13136
        - CVE-2019-17547
        - CVE-2020-25663
        - CVE-2020-27768
        - CVE-2021-3596
        - CVE-2021-3596
        - CVE-2021-3596
        - CVE-2021-3610
        - CVE-2021-20244
        - CVE-2021-20244
        - CVE-2021-20310
        - CVE-2021-20311
        - CVE-2021-20312
        - CVE-2021-20313
        - CVE-2022-0284
        - CVE-2022-2719

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘imagemagick-6.9.12-68’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "imagemagick-6.9.12-68"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘imagemagick-6.9.12-68’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "imagemagick-6.9.12-68"
              ];
            }
Failed to install nixpkgs.imagemagick6_light.out.
import: command not found
Detected change in environment, reloading shell...
nix error: building nix env: exit status 1
Output has been trimmed to the last 20 lines
       b) for `nixos-rebuild` you can add ‘imagemagick-6.9.12-68’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "imagemagick-6.9.12-68"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘imagemagick-6.9.12-68’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "imagemagick-6.9.12-68"
              ];
            }

~/05-lecture$

After this, the replit.nix file looks like this, and they can’t run their code any more because the nix package can’t be installed:

{ pkgs }: {
  deps = [
    pkgs.imagemagick6_light
  ];
}

It’s easily fixed by simply removing the nix package reference from the replit.nix file, but I wish there was a way to somehow disable the nix package suggestion feature in the Shell so we don’t get into this situation.

QwertyQwerty88 · October 17, 2023, 8:09pm

@rmartinsc did you try UMAR’s solution?