[Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09
Kosyrev Serge
_deepfire at feelingofgreen.ru
Tue Feb 16 20:29:52 CET 2016
roconnor at theorem.ca writes:
> I am using the following expression which I believe will build a patched
> version of glibc locally, and then build a patched NixOS derivation.
>
> system.replaceRuntimeDependencies = with pkgs.lib;
>   [{ original = pkgs.glibc;
>      replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: {
>        patches = oldAttr.patches ++
>          [(pkgs.fetchurl {
>             url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>             sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";
>           })];
>      });
>   }];
>
> I didn't time it, but I think it took around 25 minutes to update my
> desktop machine this way. Good luck everyone.
For those of us who aren't that fluent in Nix idioms -- could you
provide a quick summary of how you manage to achieve the seemingly
impossible?
Normally, one would expect that updating glibc would cause a full system
rebuild, but in your case it's obviously not the case.
And lastly -- is this somehow related to the techniques proposed for
providing NixOS with security updates?
--
respectfully,
Косырев Сергей