[Nix-dev] Bash CVE-2014-6271
Shea Levy
shea at shealevy.com
Tue Sep 30 01:46:30 CEST 2014
Yes, this is essentially correct. I'm not sure why it would happen
without replaceDependency though.
On Mon, Sep 29, 2014 at 02:39:38PM -0700, roconnor at theorem.ca wrote:
> I noticed dry-run building stuff, but I'm using replaceDependency.
>
> replaceDependency does the unusual step of importing a .nix file that is
> generated by a runCommand expression which I believe is indirectly calling
> nix-build via the exportReferencesGraph feature. This is why I think
> dry-run causes nix-build commands with replaceDependency; evaluation of the
> nix-expression's import requires running nix-build.
>
> That is my theory anyway.
>
> On Mon, 29 Sep 2014, Ricardo M. Correia wrote:
>
> >Shea: I wasn't even using replaceDependency... and dry-run started compiling/downloading anyway, like if I had done a switch.
> >Isn't this happening to anyone else who is using a recent commit from the unstable/master channel?
> >
> >On Mon, Sep 29, 2014 at 2:12 AM, Shea Levy <shea at shealevy.com> wrote:
> > The dry-run thing is likely due to replaceDependency doing an import
> > from a derivation, which requires building at evaluation time. There's
> > not really a good way to work around that, unfortunately.
> >
> > ~Shea
> >
> > On Mon, Sep 29, 2014 at 12:52:10AM +0200, Ricardo M. Correia wrote:
> > > On Sun, Sep 28, 2014 at 10:19 AM, Vladimír Čunát <vcunat at gmail.com> wrote:
> > >
> > > > On 09/25/2014 03:41 PM, Ricardo M. Correia wrote:
> > > >
> > > >> Also, I'm not sure if this is expected, but when I first tried to run
> > > >> "nixos-rebuild dry-run" with this workaround applied, it started to
> > > >> download and compile bash even though the man page of nixos-rebuild
> > > >> specifically says: [...]
> > > >>
> > > >
> > > > IIRC there are two steps -- first build nix, and then do the dry-run (or
> > > > switch or anything else). Nix also needs its bash replaced, so first you
> > > > need to build the bash replacement. That is, unless you specify
> > > > --no-build-nix option.
> > > >
> > >
> > > That's what I thought too after reflecting on it a bit more, but now I'm
> > > starting to think that there is a real bug.
> > >
> > > I just tried to run "nixos-rebuild dry-run" (in preparation for testing
> > > roconnor's performance improvement) and it started to compile rustcMaster!
> > > (I'm pretty sure that is not a dependency of nix).
> > > I expected it to do that if I ran "nixos-rebuild switch" or "nixos-rebuild
> > > boot" because I changed it locally, but I didn't expect it to compile when
> > > running "nixos-rebuild dry-run".
> > >
> > > For reference, I am currently running on
> > > e2d06c45b4586203a1838098460ec0a5781c8cf8 (from about 3 days ago).
> >
>
> --
> Russell O'Connor <http://r6.ca/>
> ``All talk about `theft,''' the general counsel of the American Graphophone
> Company wrote, ``is the merest claptrap, for there exists no property in
> ideas musical, literary or artistic, except as defined by statute.''
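The mechanism discussed in the thread, import-from-derivation via a generated .nix file, as an added example; this is constructed for illustration and is not code from the thread or from nixpkgs' replaceDependency. It assumes `<nixpkgs>` is on `NIX_PATH`; the derivation name `bash-closure.nix`, the graph file name `bash-closure`, and the binding `closureExpr` are made up here.

```nix
# Added example, not code from the thread or from nixpkgs' replaceDependency.
# Assumes <nixpkgs> is on NIX_PATH; names below are constructed.
let
  pkgs = import <nixpkgs> { };

  # A derivation whose *output* is a Nix expression. exportReferencesGraph
  # makes the builder see a file ("bash-closure") describing the runtime
  # closure of pkgs.bash; the builder turns that into a Nix list of store
  # paths. This mirrors the step the thread attributes to replaceDependency.
  closureExpr = pkgs.runCommand "bash-closure.nix"
    { exportReferencesGraph = [ "bash-closure" pkgs.bash ]; }
    ''
      # The graph file lists, per entry, a store path, its deriver, a
      # reference count and the references. Keep only output paths
      # (drop .drv derivers), deduplicate, and emit a Nix list of strings.
      {
        echo '['
        grep '^/nix/store/' bash-closure | grep -v '\.drv$' | sort -u \
          | sed 's/.*/  "&"/'
        echo ']'
      } > $out
    '';
in
  # Evaluating this `import` forces closureExpr to be *built* first, so
  # plain evaluation (nix-instantiate --eval --strict, or nixos-rebuild
  # dry-run when such an expression sits in the system closure) runs a build.
  builtins.length (import closureExpr)
```

Running `nix-instantiate --eval --strict` on this file is enough to observe the build: Nix cannot know the contents of `closureExpr` without realising it, which is why a "dry run" of an expression that uses this pattern still invokes the builder. Note that the example above only counts closure entries; it does not rewrite anything, unlike replaceDependency.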