Can't install stremio on NixOS

[rachalaraj]

Nix marked stremio as 'insecure'

"
building the system configuration...
error:
… while calling the 'head' builtin
at /nix/store/k9c0kz0xr27wlz1zpgz09xmpddzg3vj0-nixos/nixos/lib/attrsets.nix:1713:13:
1712| if length values == 1 || pred here (elemAt values 1) (head values) then
1713| head values
| ^
1714| else

   … while evaluating the attribute 'value'
     at /nix/store/k9c0kz0xr27wlz1zpgz09xmpddzg3vj0-nixos/nixos/lib/modules.nix:1118:7:
     1117|     // {
     1118|       value = addErrorContext "while evaluating the option `${showOption loc}':" value;
         |       ^
     1119|       inherit (res.defsFinal') highestPrio;

   … while evaluating the option `system.build.toplevel':

   … while evaluating definitions from `/nix/store/k9c0kz0xr27wlz1zpgz09xmpddzg3vj0-nixos/nixos/nixos/modules/system/activation/top-level.nix':

   … while evaluating the option `system.systemBuilderArgs':

   … while evaluating definitions from `/nix/store/k9c0kz0xr27wlz1zpgz09xmpddzg3vj0-nixos/nixos/nixos/modules/system/activation/top-level.nix':

   … while evaluating the option `environment.sessionVariables':

   … while evaluating definitions from `/nix/store/k9c0kz0xr27wlz1zpgz09xmpddzg3vj0-nixos/nixos/nixos/modules/services/desktop-managers/gnome.nix':

   (stack trace truncated; use '--show-trace' to show the full, detailed trace)

   error: Package ‘qtwebengine-5.15.19’ in /nix/store/k9c0kz0xr27wlz1zpgz09xmpddzg3vj0-nixos/nixos/pkgs/development/libraries/qt-5/modules/qtwebengine.nix:446 is marked as insecure, refusing to evaluate.


   Known issues:
    - qt5 qtwebengine is unmaintained upstream since april 2025.
   It is based on chromium 87.0.4280.144, and supposedly patched up to 135.0.7049.95 which is outdated.

   Security issues are frequently discovered in chromium.
   The following list of CVEs was fixed in the life cycle of chromium 138 and likely also affects qtwebengine:
   - CVE-2025-8879
   - CVE-2025-8880
   - CVE-2025-8901
   - CVE-2025-8881
   - CVE-2025-8882
   - CVE-2025-8576
   - CVE-2025-8577
   - CVE-2025-8578
   - CVE-2025-8579
   - CVE-2025-8580
   - CVE-2025-8581
   - CVE-2025-8582
   - CVE-2025-8583
   - CVE-2025-8292
   - CVE-2025-8010
   - CVE-2025-8011
   - CVE-2025-7656
   - CVE-2025-6558 (known to be exploited in the wild)
   - CVE-2025-7657
   - CVE-2025-6554
   - CVE-2025-6555
   - CVE-2025-6556
   - CVE-2025-6557

   The actual list of CVEs affecting qtwebengine is likely much longer,
   as this list is missing issues fixed in chromium 136/137 and even more
   issues are continuously discovered and lack upstream fixes in qtwebengine.


   You can install it anyway by allowing this package, using the
   following methods:

   a) To temporarily allow all insecure packages, you can use an environment
      variable for a single invocation of the nix tools:

        $ export NIXPKGS_ALLOW_INSECURE=1

      Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
            then pass `--impure` in order to allow use of environment variables.

   b) for `nixos-rebuild` you can add ‘qtwebengine-5.15.19’ to
      `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
      like so:

        {
          nixpkgs.config.permittedInsecurePackages = [
            "qtwebengine-5.15.19"
          ];
        }

   c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
      ‘qtwebengine-5.15.19’ to `permittedInsecurePackages` in
      ~/.config/nixpkgs/config.nix, like so:

        {
          permittedInsecurePackages = [
            "qtwebengine-5.15.19"
          ];
        }

Command 'nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel --no-out-link' returned non-zero exit status 1.
"