[Nix-dev] nix proposal for security fixes

Lluís Batlle i Rossell viric at viric.name
Sun Sep 28 12:28:42 CEST 2014


Hello!

It could be nice if we had a nix derivation attribute that allowed the
determination of a store path, overriding the hash mechanisms for it.

Imagine that we have a bash to fix; we could add a line in the bash derivation
attribute set:
    forceOut = "whatever store path out"

It'd be nice if nix tools allowed listing (or specially marking on screen)
derivations that have forceOut paths. It should be applied only in case of
security fixes.

An operation like "nix-store --repair" should, then, allow for a global system
update.

Another approach, non-intrusive to nixpkgs, would be to allow nix to read such a
list of hash overrides (hash → desiredHash) from nix.conf or so. It'd allow for
anyone who cares to get some protection without waiting for hydra.

Of course this makes sense for ELF programs or shared objects, and not for
static libs. And hydra should not be using this trick. :)

What do you think?  Maybe all this even exists already. :)

Regards,
Lluís.
