[Nix-dev] Improving security updates
Vladimír Čunát
vcunat at gmail.com
Tue Apr 14 12:39:51 CEST 2015
On 04/11/2015 01:13 AM, Roger Qiu wrote:
> The page https://nixos.org/wiki/Security_Updates isn't very user
> friendly. It requires too much of the user (treats servers like pets and
> not like cattle):
>
> 1. Monitor package vulnerabilities.
> 2. Manually override the packages that have vulnerabilities. Rebuild.
> 3. Manually remove the override when it no longer needs it. Rebuild.
>
> Multiply that by each server.
>
> It really should be automatic or at least through one command that is
> prompted. Secondly I'd prefer step 3 to not be required. Once it's
> overridden, and if/when the channel catches up it shouldn't cause
> another change.
IMO it's all work that has to be done by some humans in the end. Sure,
they can use tools (like nixpkgs monitor for 1); and they can e.g.
commit this into a separate nixpkgs branch containing the manual
overrides atop some other channel, so others can "just use" this branch.
But there's a question whether some people will do this work. It seems
to me there aren't too many vulnerabilities for which people prefer
doing such extra work instead of e.g. waiting a few days for the -small
channel (perhaps I'm wrong). I always see some vulnerabilities on
nixpkgs monitor that don't get fixed in any way for many weeks or
months; they probably aren't too important, and I'm trying to fix those
looking dangerous from time to time, but still...
Step 3 requires changing the hashes in paths (at least until the intensional
store).
Vladimir
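As an added illustration of step 2 in the quoted procedure (example configuration, not from either mail), here is how such a manual override is expressed in a NixOS `configuration.nix` using `nixpkgs.config.packageOverrides`; `examplepkg` and `./local-security-fix.patch` are placeholders for the vulnerable package and the fix being applied ahead of the channel.

```nix
# Added example, not from the thread: fragment of /etc/nixos/configuration.nix.
# "examplepkg" and ./local-security-fix.patch are placeholders for the
# vulnerable package and the upstream fix you want before the channel has it.
{ config, pkgs, ... }:

{
  nixpkgs.config.packageOverrides = super: {
    # overrideDerivation keeps the channel's build recipe and only adds a patch.
    # The patch is a build input, so the store path hash of examplepkg and of
    # every package that depends on it changes and those packages are rebuilt
    # locally. Dropping the override later (step 3) changes the hashes again,
    # which is the churn the reply above refers to.
    examplepkg = super.examplepkg.overrideDerivation (old: {
      patches = (old.patches or []) ++ [ ./local-security-fix.patch ];
    });
  };
}
```

Apply with `nixos-rebuild switch`; the rebuild only covers the overridden package and its dependents, since only their inputs changed.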