[Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09
Shea Levy
shea at shealevy.com
Tue Feb 16 23:31:36 CET 2016
On 2016-02-16 14:25, Kosyrev Serge wrote:
> roconnor at theorem.ca writes:
>> I am using the following expression which I believe will build a
>> patched
>> version of glibc locally, and then build a patched NixOS derivation.
>>
>> system.replaceRuntimeDependencies = with pkgs.lib;
>> [{original = pkgs.glibc; replacement =
>> pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: { patches =
>> oldAttr.patches ++
>> [(pkgs.fetchurl { url =
>> "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>> sha256 =
>> "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";})];
>> });}
>> ];
>>
>> I didin't time it, but I think it took around 25 minutes to update
>> my
>> desktop machine this way. Good luck everyone.
>
> For those of us who aren't that fluent in Nix idioms -- could you
> provide a quick summary of how you manage to achieve the seemingly
> impossible?
>
> Normally, one would expect that updating glibc would cause a full
> system
> rebuild, but in your case it's obviously not the case.
>
> And lastly -- is this somehow related to the techniques proposed for
> providing NixOS with security updates?
system.replaceRuntimeDependencies under the hood uses
pkgs.replaceDependency, you can read details at
https://github.com/NixOS/nixpkgs/blob/ef3757db635bc361be81049eaaa4b4d3bfd0785d/pkgs/build-support/replace-dependency.nix
More information about the nix-dev
mailing list