[Nix-dev] Hydra and security updates

Leo Gaspard leo at gaspard.io
Sat Jun 3 00:59:22 CEST 2017


On 06/02/2017 06:54 PM, Frank wrote:
> Op 1-6-2017 om 23:32 schreef Leo Gaspard:
>> Hi all,
>>
>> I just wanted to point out an issue with hydra: it doesn't make any
>> distinction between security updates and normal changes.
> 
> Why is this an issue? Security-updates are just as likely to introduce
> bugs as every other update.

If I have to choose between having a security vulnerability and having
some installer tests that don't build (as these seem to be the source of
most test failures)... I know what I'd rather have (especially given that
install images aren't generated from every commit of nixpkgs), don't you
think?

If the only change is a security patch as released by the vendor, I
think it may even be worth it to short-circuit all the tests in some
cases, as a flawed system is (in my mind at least) strictly worse than a
buggy system (except if the buggy system is rm -Rf /* ; but well, that
kind of security patch wouldn't live a second on oss-security)
