[Nix-dev] Openssl and fast security updates

Mathijs Kwik mathijs at bluescreen303.nl
Fri Jun 6 13:57:00 CEST 2014


Michael Raskin <7c6f434c at mail.ru> writes:

>>>>Calculating the transitive closure for all nixos modules / services run by
>>>>systemd is one way to prioritize.  A popularity contest could be added to
>>>>that.
>>>
>>> Maybe having a channel which is a subset of the main channel and
>>> includes at least ssh, apache, nginx, postgresql, mysql, and some ftp
>>> server would be a nice start?
>>
>>How are people supposed to use that channel?
>>I don't think I can _add_ a secondary channel which provides a
>>conflicting source (nixos). Switching back and forth doesn't sound
>>easy.
>>
>>Also, this would just make your system start to build all the additional
>>packages (not built by this new channel) by itself. No matter how much
>>stuff gets pre-built, a channel always contains a specific nixpkgs
>>version, so with or without binary archives, a nixos-rebuild _will_
>>build everything for that release.
>
> This will be a channel for server systems. You will check out master and
> do a rebuild, and this channel would provide you with prebuilt packages
> for most of your server needs.

So server systems need to start following a channel that does not run
lengthy tests?

And I think people don't usually use local git repos on their servers.
The nixpkgs/nixos tree gets provided by the channel.

I just want to run `nix-channel --update && nixos-rebuild switch` on my
server. Not supply it with a local git checkout that I need to keep up
to date and do custom rebuilds against.

I do see what you are aiming for, but I don't think there's a clean way
to combine it with the default workflow (nicely tested channel which
provides nixpkgs/nixos sources and binaries). If there's a way to be
able to add _both_ channels, this would be great.

