[Nix-dev] Transparent Security Updates

Nicolas Pierron nicolas.b.pierron at gmail.com
Sun Mar 20 13:51:48 CET 2016


On Tue, Feb 16, 2016 at 4:55 PM, Shea Levy <shea at shealevy.com> wrote:
> # nix-store -r /nix/store/…-glibc-2.21
> --option binary-caches https://code.nathan7.eu/hydra --option
> binary-cache-public-keys colossus.nathan7.eu:…
>
> Obviously this assumes you trust his hydra to be providing a real
> result!

I hope this is not an official statement, and even then this is still awful!

We should not suggest to the few users who are reading our
mailing list to type such commands, ever!

On Tue, Feb 16, 2016 at 7:29 PM, Kosyrev Serge
<_deepfire at feelingofgreen.ru> wrote:
> roconnor at theorem.ca writes:
>> I am using the following expression which I believe will build a patched
>> version of glibc locally, and then build a patched NixOS derivation.
>>
>> system.replaceRuntimeDependencies = with pkgs.lib;
>>       [{original = pkgs.glibc; replacement = …; });} ];
>>
>> I didn't time it, but I think it took around 25 minutes to update my
>> desktop machine this way.  Good luck everyone.
>
> For those of us who aren't that fluent in Nix idioms -- could you
> provide a quick summary of how you manage to achieve the seemingly
> impossible?
>
> […]
>
> And lastly -- is this somehow related to the techniques proposed for
> providing NixOS with security updates?

No, this is not related.  The solution proposed at NixCon [1][2] aims
at making this transparent, which once complete implies that:
 - You would no longer have to copy&pasta anything.
 - You won't have to watch the mailing list for security issues and
instructions.
 - This will work for NixOps, NixOS and for nix-env, nix-build and
nix-shell commands.
 - Hydra will build and distribute fixes on top of the existing channels.
 - You should never have to trust an unknown remote for getting binaries.

There is already a draft of the transparent security update [3], but
this work is more than likely to bit-rot quickly.  To work around this
bit-rot issue, I am currently re-creating this work in smaller patches,
to make them easier to review, and to get them accepted faster.
Unfortunately, without dedication from both me and the reviewers, we
are more likely to never land these changes.

Currently this work is being addressed in [3], and I am creating
various pull requests to address each bit independently.  Currently I
am working on redoing the work Mathnerd314 did [4], in a way where we
can all have a clear understanding of all the implications [5].

[1] https://www.youtube.com/watch?v=RhcKXS00zEE
[2] https://nbp.github.io/slides/NixCon/2015.ShippingSecurityUpdates/index.html
[3] https://github.com/NixOS/nixpkgs/pull/10851
[4] https://github.com/NixOS/nixpkgs/pull/9400
[5] https://github.com/NixOS/nixpkgs/pull/14000

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
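The `system.replaceRuntimeDependencies` approach quoted above is shown only as a fragment with its replacement elided. The following NixOS configuration fragment is an added example, not code from the thread or from nixpkgs: it builds a patched glibc locally on top of the one the channel ships and then rewrites the system closure to reference it. The patch file name `./glibc-security-fix.patch` is an assumed placeholder standing in for whatever fix you need to apply.

```nix
# Added example: a /etc/nixos/configuration.nix fragment.
# Assumes a local patch file ./glibc-security-fix.patch (placeholder name)
# that applies cleanly to the glibc version currently shipped by the channel.
{ config, pkgs, lib, ... }:

let
  # Build the fix locally on top of the channel's glibc. Only glibc itself is
  # recompiled, and no binary has to be fetched from an unknown remote cache.
  # overrideDerivation keeps the package name, so the store path keeps the
  # same length, which matters because the path is rewritten inside binaries.
  patchedGlibc = pkgs.glibc.overrideDerivation (old: {
    patches = (old.patches or [ ]) ++ [ ./glibc-security-fix.patch ];
  });
in
{
  # Rewrite every reference to the original glibc store path in the system
  # closure so it points at patchedGlibc, instead of rebuilding the whole
  # closure against the new glibc (which is what a channel update would do).
  system.replaceRuntimeDependencies = [
    { original = pkgs.glibc; replacement = patchedGlibc; }
  ];
}
```

Two caveats worth knowing before relying on this: the rewrite is a textual substitution of store paths in the system closure, so the replacement must stay ABI-compatible with the original (a patch-level fix on the same version, as here, not a different glibc release); and it only affects the NixOS system closure built by `nixos-rebuild`, not packages installed through `nix-env`, `nix-build` or `nix-shell`, which is one of the gaps the transparent security update work described above is meant to close.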