[Nix-dev] Openssl and fast security updates

Luca Bruno lethalman88 at gmail.com
Thu Jun 5 22:03:33 CEST 2014


No, the argument is currently this pull request, where you can force the
system to use a particular package (under some condition) without doing a
full rebuild: https://github.com/NixOS/nixpkgs/pull/2837


On Thu, Jun 5, 2014 at 10:01 PM, Shell Turner <cam.turn at gmail.com> wrote:

> So is the argument that it should be possible to update the channel
> with the new package definition before the binary cache has finished
> building, thus letting people rebuild their systems locally if need
> be? That seems reasonable.
>
> For the moment, though, checking out the release-14.04 branch from git
> and building from that is exactly equivalent.
>
> Shell
>
> On 5 June 2014 20:05, Luca Bruno <lethalman88 at gmail.com> wrote:
> > No, it's not too early. Other distros immediately packaged the new version
> > and provided it in their security channel.
> > It's never too early when it concerns security.
> >
> >
> > On Thu, Jun 5, 2014 at 8:04 PM, Peter Simons <simons at cryp.to> wrote:
> >>
> >> Hi Luca,
> >>
> >>  > It takes too much time to deliver the new packages from the nixos
> >>  > channel, and it would take equally long to compile them on production
> >>  > servers.
> >>
> >> that OpenSSL update was committed 5 hours ago. Isn't it a wee bit early
> >> to say that the update takes "too much time"?
> >>
> >> Also, note that you don't have to wait for the channel to update to get
> >> binaries. Running
> >>
> >>  $ nix-build nixos -A system -I nixpkgs=$PWD --dry-run --option binary-caches http://hydra.nixos.org
> >>
> >> in a checked-out copy of the release-14.04 branch shows that a good
> >> portion of Nixpkgs has been compiled by Hydra already, and compiling the
> >> rest locally is not a serious problem, IMHO.
> >>
> >> I agree that the ability to make quick-and-dirty replacements of core
> >> libraries in a running system would be nice to have. Personally, I doubt
> >> I'd ever bother with that kind of hackery though, because the normal
> >> update channels are quick enough, IMHO.
> >>
> >> Best regards,
> >> Peter
> >>
> >> _______________________________________________
> >> nix-dev mailing list
> >> nix-dev at lists.science.uu.nl
> >> http://lists.science.uu.nl/mailman/listinfo/nix-dev
> >
> >
> >
> >
> > --
> > www.debian.org - The Universal Operating System
> >
>



-- 
www.debian.org - The Universal Operating System