[Nix-dev] Hydra and security updates

Leo Gaspard leo at gaspard.io
Thu Jun 1 23:32:23 CEST 2017


Hi all,

I just wanted to point out an issue with hydra: it doesn't make any
distinction between security updates and normal changes.

For example, [1] was released two days ago. Despite the fix landing two
days ago too [2], nixos-unstable still doesn't have the vulnerability fixed.

Granted, in this specific case exploitation seems to go through SELinux,
and SELinux is not (afaik) supported on NixOS. But that doesn't mean
it'll be the same for all upcoming vulnerabilities.

And for what reason? [3] It seems a few tests didn't pass for all this
time. Apart from the fact that [4] doesn't look related to the said build
failures (are there ephemeral failures on hydra?), this looks like an
issue we should fix: in my opinion, security fixes should start being
built by hydra as soon as they land in the repo.

I see two ways of doing this: either having hydra somehow handle
security updates with special care (hard to do), or having master and
stable branches *always* build.

The second option looks more reasonable to me, but implies that all
changes go through PRs, and are never merged until *after* hydra has
built and checked them. In my opinion, this would also make our overall
update delivery process faster, given that it would no longer block on
failing tests on master.

What do you think about this? Do you have any better idea for how to
handle urgent security issues?

Leo


[1] http://www.openwall.com/lists/oss-security/2017/05/30/16

[2] https://github.com/NixOS/nixpkgs/blob/3c0114d4728aff4158730ccaf89cc1d9115c83ee/pkgs/tools/security/sudo/default.nix

[3] https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents

[4] https://hydra.nixos.org/api/scmdiff?type=git&rev1=c9e63ded807c492106273a10009a28e848c44b82&rev2=3f688207e7316f624ea975e578dc0aff3a1ff2a9&branch=&uri=https%3A%2F%2Fgithub.com%2FNixOS%2Fnixpkgs.git
