[Nix-dev] What about introducing security.packages?
Marc Weber
marco-oweber at gmx.de
Sat Aug 20 17:18:35 CEST 2011

Excerpts from Yury G. Kudryashov's message of Sat Aug 20 16:18:27 +0200 2011:
> We have quite a few *.packages variables in NixOS: udev.packages,
> hal.packages, dbus.packages etc.
> I see only one reason for separating these packages from system.packages:

system.packages? Am I outdated or are you talking about
environment.systemPackages?

> programs/config files/... supplied by these packages are likely to be
> executed/read by a daemon running under root privileges.
> I propose to merge these variables into one variable (say,
> security.packages). If nobody objects, I'll start working on this.

What exactly are you trying to do? E.g. in the "dbus" case I had the
understanding that services.dbus.packages is a list of packages
providing dbus services. Because the relation between services and
packages providing service configurations is n:m I don't see
that your solution is going to improve anything?
I mean if a package provides two services having security.packages will
not allow you to use one only (Not sure if you need this feature at
all).

> Also I'd like to change the way /var/setuid-wrappers list is generated.
> I propose the following way: packages in nixpkgs advertise that they need
> given binary to be wrapped as setuid. For each package in security.packages,
> we create all wrappers requested by these packages.

Which will change "opt-in" to "opt-in automatically if condition" where
condition means something like "package has been added to
environment.systemPackages" ?

I'm not objecting here. Just trying to understand the difference.

Marc Weber