[Nix-dev] Bash CVE-2014-6271
Vladimír Čunát
vcunat at gmail.com
Sun Sep 28 10:19:01 CEST 2014
On 09/25/2014 03:41 PM, Ricardo M. Correia wrote:
> Also, I'm not sure if this is expected, but when I first tried to run
> "nixos-rebuild dry-run" with this workaround applied, it started to
> download and compile bash even though the man page of nixos-rebuild
> specifically says: [...]
IIRC there are two steps -- first build nix, and then do the dry-run (or
switch or anything else). Nix also needs its bash replaced, so first you
need to build the bash replacement. That is, unless you specify the
--no-build-nix option.

Still, I agree it's bad that the man page doesn't explain this at all.
Moreover, I think we may only want to trigger a nix rebuild when the nix
version changes (maybe just the major version). I think the purpose was to
get the latest nix features in order to be able to evaluate the nixos config
(it tended to need the newest nix features).

Vladimir