openexr: change default version from 2 to 3

[autra]

Followup of #366939 to try to remove openexr v2 completely.

TODO:

• imagemagick: imagemagick: move to openexr_3 #375163
• opencv: opencv: switch to openexr_3 #375774
• vigra vigra: unstable-2022-01-11 -> 1.12.1 #375773
• hugin hugin: switch to openexr_3 #375893
• olive-editor
• ansel
• art
• color-transformation-language
• darktable
• libjxl
• swayimg
• gdal: gdal : openexr is EOL. Use openexr_3 instead #366916
• gst_all_1.gst-plugins-bad
• opencolorio
• openscenegraph
• kdePackages.kimageformats
• krita: krita: switch to openexr_3 #375828
• luminance-hdr luminance-hdr: switch to openexr_3 #375839, but upstream does not support openexr_3 yet: Support OpenEXR 3.x LuminanceHDR/LuminanceHDR#244. This doesn't look good, although there is a patch to try if we want to keep it alive a bit longer.
• kio-extras, kio-extras-kf5: kio-extras, kio-extras-kf5: switch to openexr_3 #375854
• blender (already overridden in all-packages.nix)
• cinelerra: cinelerra: 2.3-unstable-2024-03-20 -> 2.3-unstable-2025-01-25 #376805
• curv curv: switch to openexr_3 #376251
• djv
• exrtools: seems to work already)
• gmic-qt: will be fixed by opencv MR
• gmic: will be fixed by opencv MR
• gwyddion
• ilmbase -> to remove in this PR
• libyafaray -> Done in this MR to avoid override
• nzportable: openexr is referenced in nzportable's copy of fteqw, but the logs says "OpenExr not found" even on master. So something is wrong with this package build, but it's unrelated to this PR.
• openexrid-unstable
• pbrt: they have vendored an old version of openexr. What to do?
• synfigstudio: blocked by opencv
• vips vips: move to openexr_3 #375166
• osl
• haskell-modules/hackage-packages.nix
• alembic
• freeimage: an outdated unstable version marked as insecure is currently packaged... I might just not care ;-)
• gegl
• libdevil libdevil: move to openexr_3 #375386
• pfstools
• openimageio (override in all-package.nix)
• osl (override in all-packages.nix)

NOTE: check all-packages.nix because some package uses overrides for openexr

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[autra]

@LeSuisse I've made a TODO list for all possible impacted packages (some are already on openexr_3).

Should we backport everything according to you?

[LeSuisse]

Thanks <3 (I allowed myself to edit your post to mention some already existing PR)

Yep we should backport everything that do not cause a behavior change since there are some unfixed security issues potentially impacting OpenEXR 2.

[autra]

(I allowed myself to edit your post to mention some already existing PR)

Please do!

[ShamrockLee]

There should be an entry in top-level/aliases.nix that throws an error upon accessing openexr_2 about the deprecation.

[autra]

And for ilmbase as well, as it is part of the same source tree and will get removed as well, right?

[autra]

nzportable: openexr is referenced in nzportable's copy of fteqw, but the logs says "OpenExr not found" even on master. So something is wrong with this package build, but it's unrelated to this PR.

@pluiedev as you're listed as maintainer of nzportable, just a heads-up: it declares to use openexr, but the configure phase of fteqw on master says it is not found.

[autra]

pbrt

This one is peculiar, because they use their own version of openexr (a fork) that they have vendored through a submodule... which is of course vastly outdated, and probably very vulnerable too. I plan on opening an upstream issue, but should we mark pbrt as insecure?

[autra]

Note : targeting master, because once #375774 is merged, I expect we will be below the threshold.