> remove those versions, not put them in containers
I don't know how to fix this, but perhaps I can AI it and release something on my GitHub if I manage to cobble something together.
These aren't "services" that anyone has access to, except myself; "clients", UIs, and things like whisper.
IF someone were to pay me, I'd figure it out. I'm friends with maintainers and that isn't my style. Archiving is.
To wit, I expend no more energy than necessary maintaining other people's code.
I really do not follow what you are trying to convey here.
If there are vulns, and you are using software from nixpkgs, there are tools to get yourself notified about vulnerable packages.
If you want to run vulnerable software on-demand, you can just boot the machine/vm up when needed? If you want to patch stuff yourself, nix makes it trivial to apply your own patches to already packaged software.
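The two points above (pinning a nixpkgs revision so the build stays reproducible, and layering your own patch onto an already packaged program) as an added example; this is not code from the thread. It assumes `whisper-ctranslate2` is the nixpkgs attribute for that tool and that `./my-fix.patch` is a patch you wrote yourself.

```nix
# flake.nix (added example, not from the thread)
# `nix build` writes flake.lock, which records the exact nixpkgs commit;
# commit that file alongside flake.nix and the build is reproducible later,
# even after nixpkgs master has moved on.
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
    in {
      # Assumed attribute name: whisper-ctranslate2.
      # overrideAttrs keeps the upstream package definition and only
      # appends your own patch to whatever patches nixpkgs already applies.
      packages.${system}.default = pkgs.whisper-ctranslate2.overrideAttrs (old: {
        patches = (old.patches or [ ]) ++ [ ./my-fix.patch ];
      });
    };
}
```

Run `nix build .#default` in the directory; because the input is locked, the same derivation rebuilds on another machine as long as the flake.lock is kept with it.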
I didn't write, nor do I maintain, the software I use. For instance, I have a couple of old but perfectly working web UIs for Stable Diffusion and LLMs. If I, say, copy the folder to an Ubuntu 24.04 server install, there's a real good chance it won't load at all. I can't fix that. I mean, I can, but I can't fix it for free. It's cheaper and lazier for me to just maintain the machine/VM for my own purposes.
So in the case of Nix, I am still unsure if, for example, I had a Nix config for some software (say whisper-ctranslate2), is that permanently portable? Is there a way to make it so? Right now, with stuff that needs a GPU, the only guarantee I've found is to either do PCIe passthrough and use a CoW VM that does incremental backups to NAS, or, if the publisher provides one, a Dockerfile / container.
For nearly everything else, I use a rolling-release server OS and keep stuff up to date. Bleeding-edge sci-tech, being publish or perish, doesn't much care about the published code working much past the git push.
For comparison, every time I've tried to use a node.js distribution of a package, there's some blocker because a pulled-in library version is vulnerable, and I'm even less likely to be able to fix that than some C++ or Python thing.