hydron: drop

This package was marked as vulnerable in <https://github.com/NixOS/nixpkgs/pull/255959>, almost a year ago and over a year after the project was archived upstream. The package and module are unusable without bypassing a security warning in 23.05, 23.11, and 24.05. Given that the package is intended as an organizer for potentially‐untrusted media files, the vulnerability is critical and leads to remote code execution, and there is basically no prospect of upstream releasing a fix, remove the package and module entirely for 24.11.
2025-04-14 16:57:48 +00:00 · 2024-08-03 19:40:15 +01:00 · 2024-08-03 19:40:15 +01:00 · 7ec755257a
commit 7ec755257a
parent 90ee91b6d6
7 changed files with 5 additions and 206 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -327,7 +327,7 @@ in
      hdfs = 295;
      mapred = 296;
      hadoop = 297;
-      hydron = 298;
+      #hydron = 298; # removed 2024-08-03
      cfssl = 299;
      cassandra = 300;
      qemu-libvirtd = 301;
@ -637,7 +637,7 @@ in
      hdfs = 295;
      mapred = 296;
      hadoop = 297;
-      hydron = 298;
+      #hydron = 298; # removed 2024-08-03
      cfssl = 299;
      cassandra = 300;
      qemu-libvirtd = 301;
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1495,7 +1495,6 @@
  ./services/web-servers/fcgiwrap.nix
  ./services/web-servers/garage.nix
  ./services/web-servers/hitch/default.nix
-  ./services/web-servers/hydron.nix
  ./services/web-servers/jboss/default.nix
  ./services/web-servers/keter
  ./services/web-servers/lighttpd/cgit.nix
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -67,6 +67,7 @@ in
    (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
    (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
+    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
    (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")
--- a/nixos/modules/services/web-servers/hydron.nix
+++ b/nixos/modules/services/web-servers/hydron.nix
@ -1,164 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.hydron;
-in with lib; {
-  options.services.hydron = {
-    enable = mkEnableOption "hydron";
-
-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/hydron";
-      example = "/home/okina/hydron";
-      description = "Location where hydron runs and stores data.";
-    };
-
-    interval = mkOption {
-      type = types.str;
-      default = "weekly";
-      example = "06:00";
-      description = ''
-        How often we run hydron import and possibly fetch tags. Runs by default every week.
-
-        The format is described in
-        {manpage}`systemd.time(7)`.
-      '';
-    };
-
-    password = mkOption {
-      type = types.str;
-      default = "hydron";
-      example = "dumbpass";
-      description = "Password for the hydron database.";
-    };
-
-    passwordFile = mkOption {
-      type = types.path;
-      default = "/run/keys/hydron-password-file";
-      example = "/home/okina/hydron/keys/pass";
-      description = "Password file for the hydron database.";
-    };
-
-    postgresArgs = mkOption {
-      type = types.str;
-      description = "Postgresql connection arguments.";
-      example = ''
-        {
-          "driver": "postgres",
-          "connection": "user=hydron password=dumbpass dbname=hydron sslmode=disable"
-        }
-      '';
-    };
-
-    postgresArgsFile = mkOption {
-      type = types.path;
-      default = "/run/keys/hydron-postgres-args";
-      example = "/home/okina/hydron/keys/postgres";
-      description = "Postgresql connection arguments file.";
-    };
-
-    listenAddress = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "127.0.0.1:8010";
-      description = "Listen on a specific IP address and port.";
-    };
-
-    importPaths = mkOption {
-      type = types.listOf types.path;
-      default = [];
-      example = [ "/home/okina/Pictures" ];
-      description = "Paths that hydron will recursively import.";
-    };
-
-    fetchTags = mkOption {
-      type = types.bool;
-      default = true;
-      description = "Fetch tags for imported images and webm from gelbooru.";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.hydron.passwordFile = mkDefault (pkgs.writeText "hydron-password-file" cfg.password);
-    services.hydron.postgresArgsFile = mkDefault (pkgs.writeText "hydron-postgres-args" cfg.postgresArgs);
-    services.hydron.postgresArgs = mkDefault ''
-      {
-        "driver": "postgres",
-        "connection": "user=hydron password=${cfg.password} host=/run/postgresql dbname=hydron sslmode=disable"
-      }
-    '';
-
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "hydron" ];
-      ensureUsers = [
-        { name = "hydron";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0750 hydron hydron - -"
-      "d '${cfg.dataDir}/.hydron' - hydron hydron - -"
-      "d '${cfg.dataDir}/images' - hydron hydron - -"
-      "Z '${cfg.dataDir}' - hydron hydron - -"
-
-      "L+ '${cfg.dataDir}/.hydron/db_conf.json' - - - - ${cfg.postgresArgsFile}"
-    ];
-
-    systemd.services.hydron = {
-      description = "hydron";
-      after = [ "network.target" "postgresql.service" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        User = "hydron";
-        Group = "hydron";
-        ExecStart = "${pkgs.hydron}/bin/hydron serve"
-        + optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}";
-      };
-    };
-
-    systemd.services.hydron-fetch = {
-      description = "Import paths into hydron and possibly fetch tags";
-
-      serviceConfig = {
-        Type = "oneshot";
-        User = "hydron";
-        Group = "hydron";
-        ExecStart = "${pkgs.hydron}/bin/hydron import "
-        + optionalString cfg.fetchTags "-f "
-        + (escapeShellArg cfg.dataDir) + "/images " + (escapeShellArgs cfg.importPaths);
-      };
-    };
-
-    systemd.timers.hydron-fetch = {
-      description = "Automatically import paths into hydron and possibly fetch tags";
-      after = [ "network.target" "hydron.service" ];
-      wantedBy = [ "timers.target" ];
-
-      timerConfig = {
-        Persistent = true;
-        OnCalendar = cfg.interval;
-      };
-    };
-
-    users = {
-      groups.hydron.gid = config.ids.gids.hydron;
-
-      users.hydron = {
-        description = "hydron server service user";
-        home = cfg.dataDir;
-        group = "hydron";
-        uid = config.ids.uids.hydron;
-      };
-    };
-  };
-
-  imports = [
-    (mkRenamedOptionModule [ "services" "hydron" "baseDir" ] [ "services" "hydron" "dataDir" ])
-  ];
-
-  meta.maintainers = with maintainers; [ Madouura ];
-}
--- a/pkgs/servers/hydron/default.nix
+++ b/pkgs/servers/hydron/default.nix
@ -1,37 +0,0 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
-, gitUpdater
-, pkg-config
-, ffmpeg_4
-}:
-
-buildGoModule rec {
-  pname = "hydron";
-  version = "3.3.6";
-
-  src = fetchFromGitHub {
-    owner = "bakape";
-    repo = "hydron";
-    rev = "v${version}";
-    hash = "sha256-Q1pZf5FPQw+pHItcZyOGx0N+iHmz9rW0+ANFsketh6E=";
-  };
-
-  vendorHash = "sha256-hKF2RCGnk/5hNS65vGoDdF1OUPSLe4PDegYlKTeqJDM=";
-  proxyVendor = true;
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ ffmpeg_4 ];
-
-  passthru.updateScript = gitUpdater {
-    rev-prefix = "v";
-  };
-
-  meta = with lib; {
-    homepage = "https://github.com/bakape/hydron";
-    description = "High performance media tagger and organizer";
-    license = with licenses; [ lgpl3Plus ];
-    knownVulnerabilities = [ "CVE-2023-4863" ];  # Via https://github.com/chai2010/webp dep
-    maintainers = with maintainers; [ Madouura ];
-  };
-}
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -642,6 +642,8 @@ mapAliases ({
  hll2390dw-cups = throw "The hll2390dw-cups package was dropped since it was unmaintained."; # Added 2024-06-21
  ht-rust = xh; # Added 2021-02-13
  hydra-unstable = hydra_unstable; # added 2022-05-10
+  hydron = throw "hydron has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability";
+
  hyper-haskell = throw "'hyper-haskell' has been removed. reason: has been broken for a long time and depends on an insecure electron version"; # Added 2024-03-14
  hyper-haskell-server-with-packages = throw "'hyper-haskell-server-with-packages' has been removed. reason: has been broken for a long time"; # Added 2024-03-14

--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -25329,8 +25329,6 @@ with pkgs;

  https-dns-proxy = callPackage ../servers/dns/https-dns-proxy { };

-  hydron = callPackage ../servers/hydron { };
-
  ic-keysmith = callPackage ../tools/security/ic-keysmith { };

  icecream = callPackage ../servers/icecream { };