[Nix-dev] Hydra and security updates

Nicolas Pierron nicolas.b.pierron at nbp.name
Sun Jun 4 00:35:46 CEST 2017


On Sat, Jun 3, 2017 at 12:54 AM, Leo Gaspard <leo at gaspard.io> wrote:
> On 06/02/2017 12:05 PM, Domen Kožar wrote:
>>> I see two ways of doing this: either having hydra somehow handle with
>>> special care security updates (hard to do)
>>
>> https://github.com/NixOS/nixpkgs/pull/10851
>
> This looks great!
>
> Unfortunately, it doesn't appear to be close to merging (esp. as it has
> merge conflicts), so I guess that's the best solution that isn't coming
> up right now? So having master and stable always build may be a current
> path forward, not yet as good as this PR but a good stop-gap.

I started a branch at the end of last year, which includes these
changes rebased on top of the latest master, but I gave up as I did
not get any feedback on getting any Hydra infrastructure in place to
make use of this feature in a testing branch.  Having Hydra infra in
place would be among the next steps to demonstrate the usefulness of
this approach, and convince more people to help fix the
static-analysis reports.

So currently, this project is held in a dead-lock between people
asking me to demonstrate a large-scale example, and having the
infrastructure to do so.

Most of the time, unpatched dependencies from PR#10851 come from the
fact that dependencies are resolved by functions themselves taken from
older generations of the fix-point, breaking the hypothesis on which
PR#10851 is based.  So I started SOS [1] to make Nixpkgs more
declarative, thus removing some of the function overhead from
packages, which would help fix a lot of the issues reported by the
static analysis.

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
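The fix-point problem the message describes, as an added, self-contained
illustration (not code from the thread, from PR#10851 or from Nixpkgs): a
toy package set built with a hand-written `fix`, where one "package" resolves
its dependency from an older generation of the fix-point instead of from the
final one, so a security override applied as an overlay never reaches it.
The names `fix`, `extend`, `base`, `withApp`, `staleApp`, `securityOverlay`
and the string stand-ins for derivations are all constructed for this
example; evaluate it with `nix-instantiate --eval --strict` on the file.

```nix
# Added example, not from the mailing-list thread or from Nixpkgs itself.
# Packages are represented by plain strings (constructed stand-ins for
# derivations) so the expression needs nothing but the Nix evaluator.
let
  # Minimal fix-point combinator (same shape as lib.fix in Nixpkgs).
  fix = f: let self = f self; in self;

  # Generation 0 of the package set. `curl` resolves `openssl` through the
  # final fix-point (`self`), so later overrides of `openssl` reach it.
  base = self: {
    openssl = "openssl-unpatched";
    curl    = "curl+" + self.openssl;
  };
  gen0 = fix base;

  # A package function that takes its dependencies from whatever package
  # set it is handed. Which generation that is decides whether a fix lands.
  staleApp = pkgs: "staleApp+" + pkgs.openssl;

  # Generation 1: `app` is wired to the *older* generation (gen0), while
  # `app2` is wired to the final fix-point. Only the second is safe.
  withApp = self: (base self) // {
    app  = staleApp gen0;   # dependency captured from an older generation
    app2 = staleApp self;   # dependency resolved from the final fix-point
  };

  # The security update, expressed as a self/super overlay.
  securityOverlay = self: super: super // {
    openssl = "openssl-patched";
  };

  # Apply an overlay on top of a package-set function, Nixpkgs-style.
  extend = f: overlay: self: let super = f self; in overlay self super;

  final = fix (extend withApp securityOverlay);
in {
  openssl = final.openssl;
  curl    = final.curl;
  app2    = final.app2;
  app     = final.app;
}
```

In the evaluated attribute set, `openssl`, `curl` and `app2` all refer to the
patched openssl, while `app` still carries the unpatched one: its dependency
was resolved by a function applied to `gen0`, an earlier generation of the
fix-point, so no overlay applied later can substitute the fixed package. A
static check over package expressions can only prove "every consumer of
openssl got the fix" if every consumer resolves openssl through the final
`self`, which is the hypothesis the message says is routinely broken.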
