[Nix-dev] Improving security updates

James Cook james.cook at utoronto.ca
Sun Apr 12 23:43:11 CEST 2015


On 12 April 2015 at 11:57, Nicolas Pierron <nicolas.b.pierron at gmail.com> wrote:
> On Sun, Apr 12, 2015 at 7:45 PM, James Cook <james.cook at utoronto.ca> wrote:
>>>> Side questions:
>>>> - Why does stdenv.mkDerivation need to be clever? Why not just blindly
>>>> apply all the fixes to every package?
>>>
>>> The substitution is not as simple as doing a "mapAttrs", as this would
>>> lead to infinite loops, and would imply that you have to download all
>>> the binary versions of the fixed packages.
>>
>> I don't understand the infinite loop part. Don't we want something
>> like the following?
>>
>> pkgs.wget = applyFixesFrom fixes pkgsBeforeFixes.wget
>> pkgs.foobar = applyFixesFrom fixes pkgsBeforeFixes.foobar
>> ...
>
> No, we don't want something which is independent of the dependencies.
> And, in your previous expression, if pkgsBeforeFixes.wget depends on a
> library which itself depends on a vulnerable library, then we want
> this one to be fixed as well.
>
> Because of the previous reason, making the transformation independent
> would imply that all packages would have to be built, which is exactly
> what we want to avoid as this is either not working / time consuming
> (otherwise hydra would have done it).

Right, that makes sense. Thanks for the explanation.

James
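The point Nicolas makes above, shown as an added toy Nix expression (not code from the thread or from Nixpkgs): a fix applied with a flat attribute-set merge over pkgsBeforeFixes leaves libfetch's dependency pointing at the old openssl, while the same fix threaded through the package set's fixpoint (the `self` argument) is picked up by every dependent. The package names, the `base` set and the `fixes` overlay are constructed for illustration.

```nix
let
  # Minimal fixpoint combinator, the same idea nixpkgs uses for its package set.
  fix = f: let x = f x; in x;

  # Constructed toy package set: each "package" is just a name plus its deps,
  # and every dependency is looked up through `self`, not a fixed set.
  base = self: {
    openssl  = { name = "openssl-vulnerable"; deps = [ ]; };
    libfetch = { name = "libfetch"; deps = [ self.openssl ]; };
    wget     = { name = "wget"; deps = [ self.libfetch ]; };
  };

  # The security fix, expressed as an overlay over the unfixed attributes.
  fixes = self: super: {
    openssl = super.openssl // { name = "openssl-patched"; };
  };

  pkgsBeforeFixes = fix base;

  # Naive approach: merge the fixed attributes over the already-resolved set.
  # libfetch.deps was evaluated against pkgsBeforeFixes, so it still holds the
  # vulnerable openssl; only the top-level openssl attribute changed.
  naive = pkgsBeforeFixes // fixes pkgsBeforeFixes pkgsBeforeFixes;

  # Fixpoint approach: the overlay participates in `self`, so libfetch's
  # `self.openssl` resolves to the patched derivation, and wget, which depends
  # on libfetch, transitively sees the fix as well (and must be rebuilt).
  pkgs = fix (self: let b = base self; in b // fixes self b);

  depNames = p: map (d: d.name) p.deps;
in {
  naiveLibfetchDeps = depNames naive.libfetch;   # still the vulnerable openssl
  fixedLibfetchDeps = depNames pkgs.libfetch;    # the patched openssl
  fixedWgetChain    = depNames (builtins.head pkgs.wget.deps);
}
```

Evaluate it with `nix-instantiate --eval --strict example.nix` to compare the two dependency lists.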
