[Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09

Shea Levy shea at shealevy.com
Tue Feb 16 23:31:36 CET 2016


On 2016-02-16 14:25, Kosyrev Serge wrote:
> roconnor at theorem.ca writes:
>> I am using the following expression which I believe will build a patched
>> version of glibc locally, and then build a patched NixOS derivation.
>>
>> system.replaceRuntimeDependencies = with pkgs.lib;
>>   [{ original = pkgs.glibc;
>>      replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: {
>>        patches = oldAttr.patches ++ [
>>          (pkgs.fetchurl {
>>            url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>>            sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";
>>          })
>>        ];
>>      });
>>   }];
>>
>> I didn't time it, but I think it took around 25 minutes to update my
>> desktop machine this way.  Good luck everyone.
>
> For those of us who aren't that fluent in Nix idioms -- could you
> provide a quick summary of how you manage to achieve the seemingly
> impossible?
>
> Normally, one would expect that updating glibc would cause a full 
> system
> rebuild, but in your case it's obviously not the case.
>
> And lastly -- is this somehow related to the techniques proposed for
> providing NixOS with security updates?

system.replaceRuntimeDependencies under the hood uses 
pkgs.replaceDependency; you can read the details at 
https://github.com/NixOS/nixpkgs/blob/ef3757db635bc361be81049eaaa4b4d3bfd0785d/pkgs/build-support/replace-dependency.nix
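
The reason this avoids a full rebuild is that replaceDependency does not rebuild anything that depended on the old glibc; it walks the runtime closure and rewrites the store-path references it finds inside the files, relying on the fact that every Nix store hash has the same length, so a byte-for-byte substitution leaves file sizes and offsets untouched. The Python script below is an added illustration of that mechanism, written for this page; it is not code from the thread or from nixpkgs. It models a tiny store with constructed file contents and a constructed reference graph (glibc, bash, an etc directory and a system root), computes which closure members must be rewritten (transitively, since a rewritten path gets a new store path and its own referrers change too), and applies the substitution dependencies-first. The make_path hashing is a stand-in for Nix's real store-path hash; only its fixed length matters here.

```python
"""Added example: the closure-rewriting idea behind pkgs.replaceDependency.
Store contents, reference graph and hash scheme below are constructed."""
import hashlib

STORE = "/nix/store/"
HASH_LEN = 32  # a Nix store hash is 32 base32 chars, so same-named paths have equal length


def make_path(name: str, seed: str) -> str:
    """Stand-in for Nix's store-path hashing (constructed): 32-char hash + '-' + name."""
    h = hashlib.sha256(seed.encode()).hexdigest()[:HASH_LEN]
    return f"{STORE}{h}-{name}"


def store_name(path: str) -> str:
    """The name part after the hash, e.g. 'glibc-2.22'."""
    return path[len(STORE) + HASH_LEN + 1:]


def rewrite_references(data: bytes, mapping: dict) -> bytes:
    """Byte-for-byte replacement of old store paths with their replacements.
    Refuses a replacement of a different length: the substitution happens inside
    binaries, so string sizes and file offsets must not change."""
    for old, new in mapping.items():
        if len(old) != len(new):
            raise ValueError(f"length mismatch: {old!r} vs {new!r}")
        data = data.replace(old.encode(), new.encode())
    return data


def runtime_closure(refs: dict, root: str) -> set:
    """Every path reachable from `root` through runtime references."""
    seen, stack = set(), [root]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(refs.get(p, ()))
    return seen


def rewrite_order(refs: dict, root: str, old: str) -> list:
    """Closure members that must be rewritten, dependencies before dependents.
    A path is affected if it references `old` or any other affected path."""
    closure = runtime_closure(refs, root)
    affected, changed = {old}, True
    while changed:  # fixpoint over the closure
        changed = False
        for p in closure:
            if p not in affected and refs.get(p, set()) & affected:
                affected.add(p)
                changed = True
    affected.discard(old)
    order, done = [], set()

    def visit(p):  # post-order DFS restricted to the affected subgraph
        if p in done:
            return
        done.add(p)
        for r in sorted(refs.get(p, ())):
            if r in affected:
                visit(r)
        order.append(p)

    for p in sorted(affected):
        visit(p)
    return order


def replace_dependency(store: dict, refs: dict, root: str, old: str, new: str):
    """Return (new_root, new_store, new_refs) with every affected closure member
    rewritten and given a fresh content-derived path; unaffected paths are reused.
    `store` maps path -> file bytes, `refs` maps path -> set of referenced paths."""
    mapping = {old: new}
    new_store, new_refs = dict(store), dict(refs)
    for p in rewrite_order(refs, root, old):
        data = rewrite_references(store[p], mapping)
        newp = make_path(store_name(p), data.hex())  # new contents, new path, same length
        mapping[p] = newp
        new_store[newp] = data
        new_refs[newp] = {mapping.get(r, r) for r in refs[p]}
    return mapping.get(root, root), new_store, new_refs


# Constructed sample store: bash links against glibc, etc does not, system uses both.
GLIBC_OLD = make_path("glibc-2.22", "glibc unpatched")
GLIBC_NEW = make_path("glibc-2.22", "glibc with cve-2015-7547 patch")
BASH = make_path("bash-4.3", "bash")
ETC = make_path("etc", "etc")
SYSTEM = make_path("nixos-system", "system")

SAMPLE_STORE = {
    GLIBC_OLD: b"\x7fELF libc.so.6 (unpatched)",
    GLIBC_NEW: b"\x7fELF libc.so.6 (patched)",
    BASH: b"\x7fELF RUNPATH " + GLIBC_OLD.encode() + b"/lib",
    ETC: b"hostname=example\n",
    SYSTEM: f"#!{BASH}/bin/bash\nln -s {ETC} /etc\n".encode(),
}
SAMPLE_REFS = {GLIBC_OLD: set(), GLIBC_NEW: set(), BASH: {GLIBC_OLD}, ETC: set(), SYSTEM: {BASH, ETC}}

if __name__ == "__main__":
    new_root, new_store, new_refs = replace_dependency(SAMPLE_STORE, SAMPLE_REFS, SYSTEM, GLIBC_OLD, GLIBC_NEW)
    print("rewritten:", [store_name(p) for p in rewrite_order(SAMPLE_REFS, SYSTEM, GLIBC_OLD)])
    print("new root:", new_root)
```

Two caveats follow directly from the model: the replacement must have a store name of the same length as the original (here both are glibc-2.22), and the result is a plain string substitution, so a reference that is not stored as a literal path (compressed, hashed, or split across fields) is not fixed by it. The rewritten outputs also have new store paths that no binary cache knows about, which is why the work has to happen locally.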

