keydb: drop

The keydb package is broken [1], vulnerable [2], and upstream's last release was in October 2023 [3]. [1] https://hydra.nixos.org/build/311470939/nixlog/2 [2] https://github.com/Snapchat/KeyDB/pull/918 [3] https://github.com/Snapchat/KeyDB/releases
2025-11-08 13:00:14 +01:00
parent b75097f98f
commit 850e8a2b05
4 changed files with 3 additions and 121 deletions
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -559,8 +559,7 @@ in
          ];
          RestrictNamespaces = true;
          LockPersonality = true;
-          # we need to disable MemoryDenyWriteExecute for keydb
-          MemoryDenyWriteExecute = cfg.package.pname != "keydb";
+          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
--- a/nixos/tests/redis.nix
+++ b/nixos/tests/redis.nix
@@ -10,7 +10,7 @@ let
  mkTestName =
    pkg: "${pkg.pname}_${builtins.replaceStrings [ "." ] [ "" ] (lib.versions.majorMinor pkg.version)}";
  redisPackages = {
-    inherit (pkgs) redis keydb valkey;
+    inherit (pkgs) redis valkey;
  };
  makeRedisTest =
    {
--- a/pkgs/by-name/ke/keydb/package.nix
+++ b/pkgs/by-name/ke/keydb/package.nix
@@ -1,118 +0,0 @@
-{
-  stdenv,
-  lib,
-  fetchFromGitHub,
-  libuuid,
-  curl,
-  pkg-config,
-  withSystemd ? lib.meta.availableOn stdenv.hostPlatform systemd,
-  systemd,
-  tlsSupport ? !stdenv.hostPlatform.isStatic,
-  openssl,
-  jemalloc,
-  which,
-  tcl,
-  tclPackages,
-  ps,
-  getconf,
-  nixosTests,
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  pname = "keydb";
-  version = "6.3.4";
-
-  src = fetchFromGitHub {
-    owner = "snapchat";
-    repo = "keydb";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-j6qgK6P3Fv+b6k9jwKQ5zW7XLkKbXXcmHKBCQYvwEIU=";
-  };
-
-  postPatch = ''
-    substituteInPlace deps/lua/src/Makefile \
-      --replace-fail "ar rcu" "${stdenv.cc.targetPrefix}ar rcu"
-    substituteInPlace src/Makefile \
-      --replace-fail "as --64 -g" "${stdenv.cc.targetPrefix}as --64 -g"
-  '';
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [
-    jemalloc
-    curl
-    libuuid
-  ]
-  ++ lib.optionals tlsSupport [ openssl ]
-  ++ lib.optionals withSystemd [ systemd ];
-
-  makeFlags = [
-    "PREFIX=${placeholder "out"}"
-    "AR=${stdenv.cc.targetPrefix}ar"
-    "RANLIB=${stdenv.cc.targetPrefix}ranlib"
-    "USEASM=${if stdenv.hostPlatform.isx86_64 then "true" else "false"}"
-  ]
-  ++ lib.optionals (!tlsSupport) [ "BUILD_TLS=no" ]
-  ++ lib.optionals withSystemd [ "USE_SYSTEMD=yes" ]
-  ++ lib.optionals (!stdenv.hostPlatform.isx86_64) [ "MALLOC=libc" ];
-
-  enableParallelBuilding = true;
-
-  # darwin currently lacks a pure `pgrep` which is extensively used here
-  doCheck = !stdenv.hostPlatform.isDarwin;
-  nativeCheckInputs = [
-    which
-    tcl
-    ps
-  ]
-  ++ lib.optionals stdenv.hostPlatform.isStatic [ getconf ]
-  ++ lib.optionals tlsSupport [ tclPackages.tcltls ];
-  checkPhase = ''
-    runHook preCheck
-
-    # disable test "Connect multiple replicas at the same time": even
-    # upstream find this test too timing-sensitive
-    substituteInPlace tests/integration/replication.tcl \
-      --replace-fail 'foreach mdl {no yes}' 'foreach mdl {}'
-
-    substituteInPlace tests/support/server.tcl \
-      --replace-fail 'exec /usr/bin/env' 'exec env'
-
-    sed -i '/^proc wait_load_handlers_disconnected/{n ; s/wait_for_condition 50 100/wait_for_condition 50 500/; }' \
-      tests/support/util.tcl
-
-    patchShebangs ./utils/gen-test-certs.sh
-    ${if tlsSupport then "./utils/gen-test-certs.sh" else ""}
-    ./runtest --clients $NIX_BUILD_CORES ${
-      lib.escapeShellArgs (
-        [
-          "--no-latency"
-          "--timeout"
-          "2000"
-          "--tags"
-          "-leaks"
-        ]
-        ++ lib.optional tlsSupport "--tls"
-        # skips flaky test on x86_64
-        ++ lib.optionals stdenv.hostPlatform.isx86_64 [
-          "--skiptest"
-          "Active defrag edge case"
-        ]
-      )
-    }
-
-    runHook postCheck
-  '';
-
-  passthru.tests.redis = nixosTests.redis;
-  passthru.serverBin = "keydb-server";
-
-  meta = {
-    homepage = "https://keydb.dev";
-    description = "Multithreaded Fork of Redis";
-    license = lib.licenses.bsd3;
-    platforms = lib.platforms.all;
-    changelog = "https://github.com/Snapchat/KeyDB/raw/v${finalAttrs.version}/00-RELEASENOTES";
-    teams = [ lib.teams.helsinki-systems ];
-    mainProgram = "keydb-cli";
-  };
-})
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -761,6 +761,7 @@ mapAliases {
  kbibtex = throw "'kbibtex' has been removed, as it is unmaintained upstream"; # Added 2025-08-30
  kcli = throw "kcli has been removed because it has been marked as broken since at least November 2024."; # Added 2025-09-28
  keepkey_agent = throw "'keepkey_agent' has been renamed to/replaced by 'keepkey-agent'"; # Converted to throw 2025-10-27
+  keydb = throw "'keydb' has been removed as it was broken, vulnerable, and unmaintained upstream"; # Added 2025-11-08
  kgx = throw "'kgx' has been renamed to/replaced by 'gnome-console'"; # Converted to throw 2025-10-27
  khoj = throw "khoj has been removed because it has been marked as broken since at least November 2024."; # Added 2025-10-11
  kmplayer = throw "'kmplayer' has been removed, as it is unmaintained upstream"; # Added 2025-08-30