[Nix-dev] Openssl and fast security updates

Thomas Strobel ts468 at cam.ac.uk
Fri Jun 6 14:15:28 CEST 2014


On 06/06/2014 07:59 AM, Ertugrul Söylemez wrote:
> On Thu, 05 Jun 2014 23:39:34 +0200
> Vladimír Čunát <vcunat at gmail.com> wrote:
>
>> Hydra has and uses priorities. Anyway, building OpenSSL itself is very 
>> quick, but rebuilding all that (transitively) depends on it is worse. 
>> And there are CVE fixes for stdenv stuff sometimes (glibc)...
> Yes, and the basic idea is that you could have high priority packages like OpenSSL, OpenVPN and nginx.  Whenever Hydra sees a job of higher priority it starts doing it (potentially aborting whatever it is currently doing).  Once all jobs of the same priority are done, it runs the tests of the same priority and updates the channel.  Then it goes to the next highest priority.  That way security updates won't take longer than necessary.
>
> When we use priorities generously we could avoid a lot of delay even in less critical cases.
>
>
> Greets,
> Ertugrul
>

So you would provide a separate channel then which is updated
incrementally, and the original channel is updated once all packages
have been built?

Does the nix package manager allow measuring how many packages it would
have to build for a system's current configuration and for how many
packages there would be a binary package available? If so, it would help
to decide whether to wait for Hydra to build the needed packages, or
when to start building the remaining ones locally.

Best,
Thomas
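As an added example that is not part of the thread, the following shell snippet shows one way to get the figure Thomas asks for: `nix-build --dry-run` lists which derivations would be built locally and which store paths would be fetched from the binary cache, and the function below counts each section. The `nginx` attribute and the store paths are assumed placeholders, not values from the list.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how much of an update must
# be built locally versus what the binary cache already provides, by parsing
# the two sections that `nix-build --dry-run` prints. The counting function
# reads that text on stdin, so it can also be run on a captured sample.

# Print "build=<n> fetch=<m>" for dry-run output read from stdin.
# Accepts both the older header ("these derivations will be built:")
# and the newer one ("these 3 derivations will be built:").
count_dry_run() {
    awk '
        /^these( [0-9]+)? derivations will be built:/ { section = "build"; next }
        /^these( [0-9]+)? paths will be fetched/      { section = "fetch"; next }
        /^[[:space:]]+\/nix\/store\// {
            if (section == "build") build++
            else if (section == "fetch") fetch++
            next
        }
        { section = "" }   # any other line ends the current section
        END { printf "build=%d fetch=%d\n", build + 0, fetch + 0 }
    '
}

# Succeed (exit 0) only when nothing needs a local build, i.e. the cache
# already has everything; useful as the "wait for Hydra or not" decision.
all_cached() {
    case "$(count_dry_run)" in
        "build=0 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Assumed usage; only runs where nix-build is installed. The dry-run report
# goes to stderr, hence the redirection. Attribute name is a placeholder.
if [ "${1:-}" = "--run" ] && command -v nix-build >/dev/null 2>&1; then
    nix-build --dry-run "${2:-<nixpkgs>}" -A "${3:-nginx}" 2>&1 | count_dry_run
fi
```

Run it as `sh estimate.sh --run '<nixpkgs>' nginx` to get the counts for one attribute, or pipe any saved dry-run output into `count_dry_run`.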

