postgresql_12: mark as insecure
It will be EOL in about a week[1] and should've never reached 24.11.
However, I messed up and missed the freeze deadline, so we can't do
breaking stuff like this, hence we'll mark it as insecure and right
after branchoff it will be removed from unstable.

During that discussion I also got the feedback that it's easy for people
who just do `services.postgresql.enable = true;` to miss their version
getting EOL since there's no warning by the selection logic based on the
state version. Also added that. It's kinda noisy, but I expect it to be
pretty effective for people who are prone to miss the EOL otherwise.

For 25.11 I'd like to make sure we remove postgresql_13 before. To make
it harder for us to miss the deadline, the postgres team will receive a
ping before feature freeze[2].

[1] https://endoflife.date/postgresql
[2] Implemented in NixOS#352905
Ma27 committed Nov 2, 2024
1 parent 70c41d3 commit 91aaa13
Showing 2 changed files with 15 additions and 1 deletion.
11 changes: 10 additions & 1 deletion nixos/modules/services/databases/postgresql.nix
Expand Up @@ -26,6 +26,7 @@ let
optionalString
types
versionAtLeast
warn
;

cfg = config.services.postgresql;
Expand Down Expand Up @@ -484,10 +485,18 @@ in

services.postgresql.package = let
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
mkWarn = ver: warn ''
The postgresql package is not pinned and selected automatically by
`systemd.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
oldest postgresql version available and thus the next that will be
removed when EOL.
See also https://endoflife.date/postgresql
'';
base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
else mkThrow "9_5";
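Review bot: The warning text in `mkWarn` names `systemd.stateVersion`, but the selection chain right below it reads `config.system.stateVersion`, so a user who searches their configuration for the option named in the warning will not find it. Change the text to `system.stateVersion`. The text also says the package "is not pinned" without saying where to pin it; naming `services.postgresql.package` there would make the warning actionable on its own, which matters because this message is the only prompt a default install gets before its PostgreSQL version stops receiving security fixes.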
5 changes: 5 additions & 0 deletions pkgs/servers/sql/postgresql/generic.nix
Expand Up @@ -335,6 +335,11 @@ let
# In fact, I tried to test the result in a VM-test, but as soon as JIT was used to optimize
# a query, postgres would coredump with `Illegal instruction`.
broken = jitSupport && !stdenv.hostPlatform.canExecute stdenv.buildPlatform;

# Should've never been in 24.11, but we missed the freeze.
knownVulnerabilties = lib.optionals (olderThan "13") [
"PostgreSQL 12 is EOL and receives no more security fixes"
];
};
});
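Review bot: The attribute added next to `broken` is spelled `knownVulnerabilties` (an "i" is missing between "l" and "t"); nixpkgs reads `meta.knownVulnerabilities`, so as written the entry is not picked up and the package is not marked insecure, which is the whole purpose of this commit. Rename it to `knownVulnerabilities` and confirm that evaluating `postgresql_12` is refused unless the package is explicitly permitted. A smaller point on the same lines: the condition `olderThan "13"` matches every version below 13 while the message hard-codes "PostgreSQL 12", so either tie the condition to version 12 or build the message from the version so the two cannot drift apart.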
