[Nix-dev] Hydra and security updates

Graham Christensen graham at grahamc.com
Sat Jun 3 13:26:49 CEST 2017



Leo Gaspard <leo at gaspard.io> writes:

> I just wanted to point out an issue with hydra: it doesn't make any
> distinction between security updates and normal changes.
>
> For example, [1] was released two days ago. Despite the fix landing two
> days ago too [2], nixos-unstable still doesn't have the vulnerability
> fixed.

nixos-unstable frequently lags behind for quite some time, and has no
guarantees about how quickly it'll receive security patches. You may be
interested in nixos-unstable-small, which received the security update
much faster.

While it is fun and nice to think through various solutions to making
our unstable channel get security updates faster, I believe there are
three things that make it somewhat less critical:

1. The stable and recommended version of NixOS to run is NixOS 17.03,
which also received the patch quite quickly.

2. There are strategies in place that can side-step the long rebuild
process if required, however they're typically not necessary. On a "the
world is burning" scale problem, nixos has seen a full rebuild from
nothing to channel published in 24 hours.

This is part of my inclination of not really loving PR#10851; it is
complicated and goes around the normal processes, even when we can easily
deploy fairly quickly.

Most distributions have much more than 24 hours to be notified of an
issue and prepare a release, via the embargoed announcements on the
-distro mailing list. Unfortunately that list is not accepting new
distro members at this time:
https://github.com/NixOS/nixpkgs/issues/14819

3. The much larger, more difficult problem is organizing _around_ the
security updates and getting them done regularly. These big scary bugs
are important yes, but so are the dozens of little bugs that get patched
weekly in various projects. Many of these are currently going unpatched.
For several months, I organized a weekly bug roundup that handled most
of these. When my bug source dried up, I decided to step away for a
time. I think I'm ready to start again, but need to do some research.

Regarding Hydra building PRs, that was an experiment to see how much
hardware and resources it would take. The integration with GitHub was
not as secure as we'd like, and wasn't suitable for merging with the
official hydra. There have been a few attempts at fixing it. If you'd
like to talk about it and take a crack, I'd be happy to talk with you!

Best,
Graham