[Nix-dev] Hotfixing glibc

Herwig Hochleitner hhochleitner at gmail.com
Wed Feb 17 19:07:01 CET 2016


2016-02-17 18:46 GMT+01:00 Shea Levy <shea at shealevy.com>:

> Details are at
> https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/replace-dependency.nix,
> but basically yes it goes into all dependents and copies them over to a new
> output with references updated, based on the same hash scanning logic that
> is used by the runtime reference mechanism. It is true that this will fail
> to find any references that are opaque in some way to the reference scan,
> but
> a) these in practice have basically never happened and
>
Well, during normal operation, those wouldn't be noticeable, if the package
had the reference in plaintext as well, whereas replaceDependency will break
them, but

> b) after this process, you can garbage collect the entire old setup
> including the old glibc, and then any code paths that depend on opaque
> references will then fail instead of going through the insecure code path.
>
this is valid reasoning. Still, replaceDependencies will duplicate all
dependents, which, in the case of glibc, is basically the whole system,
true?
I'm not saying that this is necessarily a bad thing, because it will force
the proper restart cycles when upgrading, but still, why not treat it as an
impurity in the build, that didn't show up in the store hash?
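A toy model of the mechanism discussed above, added here as an illustration and not code from nixpkgs' replace-dependency.nix: it looks for the 32-character store hash the way the runtime reference scan does, rewrites it to the hotfixed glibc's hash, and shows the opaque-reference case (a path kept base64-encoded inside a file) that the scan cannot see. The store paths, file contents and the `config=` field are constructed for the example.

```python
import base64
import re

# Toy Nix store paths (constructed): /nix/store/<32-char hash>-<name>.
OLD_GLIBC = "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-glibc-2.22"
NEW_GLIBC = "/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-glibc-2.22-hotfix"

def store_hash(path):
    """Return the 32-character hash component of a store path, as bytes."""
    m = re.fullmatch(r"/nix/store/([a-z0-9]{32})-.+", path)
    if not m:
        raise ValueError(f"not a store path: {path}")
    return m.group(1).encode()

def scan_references(blob, candidates):
    """Runtime-style reference scan: a candidate is referenced iff its hash
    occurs verbatim somewhere in the file's bytes."""
    return {p for p in candidates if store_hash(p) in blob}

def replace_dependency(blob, old, new):
    """Rewrite every verbatim occurrence of old's hash to new's hash.
    Both hashes are 32 bytes long, so file offsets are unchanged."""
    old_h, new_h = store_hash(old), store_hash(new)
    if len(old_h) != len(new_h):
        raise ValueError("store hashes must have equal length")
    return blob.replace(old_h, new_h)

# Constructed dependents: a binary whose interpreter path is stored in plain
# text, and a file that keeps the same path base64-encoded (opaque to the scan).
PLAIN = b"\x7fELF ... interp=" + OLD_GLIBC.encode() + b"/lib/ld-linux.so.2\0"
OPAQUE = b"config=" + base64.b64encode(OLD_GLIBC.encode())

def hotfix_report(blob):
    """Apply the hotfix to one file; report what the scan sees before and after."""
    both = [OLD_GLIBC, NEW_GLIBC]
    fixed = replace_dependency(blob, OLD_GLIBC, NEW_GLIBC)
    return {"before": scan_references(blob, both), "after": scan_references(fixed, both)}

def decoded_references(opaque_blob, candidates):
    """What the program itself resolves at run time after decoding the field:
    the scan cannot see this, so the hotfix leaves it pointing at the old glibc."""
    decoded = base64.b64decode(opaque_blob.split(b"config=", 1)[1])
    return scan_references(decoded, candidates)
```

Once the old glibc is garbage-collected, the path that `decoded_references` returns no longer exists, which is the hard failure described in b) rather than a silent fall-through to the unpatched library.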