[Nix-dev] nix proposal for security fixes

Lluís Batlle i Rossell viric at viric.name
Sun Sep 28 14:14:08 CEST 2014


My 'forceOut' clearly will not work as easily as setting it in a
stdenv.mkDerivation argument, because there may be multiple calls to
mkDerivation for the same derivation name (with different inputs).

The table of correspondences in nix.conf still looks good to me though.

It'd be nice if there were an operation that could list all "bash" (derivation
name) that have been built with a specific src hash. That'd allow finding out
all affected derivations.

Regards,
Lluís

On Sun, Sep 28, 2014 at 12:28:42PM +0200, Lluís Batlle i Rossell wrote:
> Hello!
> 
> It could be nice if we had a nix derivation attribute that allowed the
> determination of a store path, overriding the hash mechanisms for it.
> 
> Imagine that we have a bash to fix; we could add a line in the bash derivation
> attribute set:
>     forceOut = "whatever store path out"
> 
> It'd be nice if nix tools allowed to list (or mark specially on screen)
> derivations that have forceOut paths. It should be applied only in case of
> security fixes.
> 
> An operation like "nix-store --repair" should, then, allow for a global system
> update.
> 
> Another approach, non-intrusive to nixpkgs, would be to allow nix to read such a
> list of hash overrides (hash → desiredHash) from nix.conf or so. It'd allow for
> anyone who cares to get some protection without waiting for hydra.
> 
> Of course this makes sense for elf programs or shared objects, and not for
> static libs. And hydra should not be using this trick. :)
> 
> What do you think?  Maybe all this even exists already. :)
> 
> Regards,
> Lluís.
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
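As an added illustration (not from the thread or the Nix project), the following script approximates the listing asked for above using `nix-store --query` operations that already exist: given the store path of a known-bad source tarball, it lists every derivation file referencing it and reports which of their outputs are actually built, which is what you need to know which "bash" variants are affected. It assumes the source path is in the local store and that the `.drv` files referencing it have not been garbage-collected; the store paths in the comments are constructed.

```shell
#!/bin/sh
# Added example: find derivations built from a given source store path.
# Assumes the src path is in the local store and the .drv files that
# reference it are still present (a GC'd .drv is invisible to --referrers).

# Strip the store prefix and the hash component:
# /nix/store/<hash>-bash-4.3.drv -> bash-4.3
drv_name() {
    name=${1##*/}          # drop the directory part
    name=${name#*-}        # drop "<hash>-"
    name=${name%.drv}      # drop the ".drv" suffix, if any
    printf '%s\n' "$name"
}

# Approximate the derivation name without its version: bash-4.3 -> bash
# (cuts at the first "-<digit>", which is how nixpkgs names most packages).
pname_of() {
    case $1 in
        *-[0-9]*) printf '%s\n' "${1%%-[0-9]*}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# For SRC (e.g. /nix/store/<hash>-bash-4.3.tar.gz, constructed), print one
# line per output of each referencing .drv: name, output path, build state.
# Several .drv files with the same name are expected when the same package
# was built with different inputs; all of them are listed.
affected() {
    src=$1
    nix-store --query --referrers "$src" | while read -r ref; do
        case $ref in *.drv) ;; *) continue ;; esac
        for out in $(nix-store --query --outputs "$ref"); do
            if [ -e "$out" ]; then state=built; else state=not-built; fi
            printf '%s\t%s\t%s\t%s\n' \
                "$(pname_of "$(drv_name "$ref")")" "$(drv_name "$ref")" \
                "$out" "$state"
        done
    done
}

# Usage: sh affected-by-src.sh /nix/store/<hash>-bash-4.3.tar.gz
if [ $# -eq 1 ]; then
    affected "$1"
fi
```

Outputs marked `built` are the ones a rebuild or a `nix-store --repair`-style replacement would have to cover; rows for the same pname show the multiple-inputs case from the reply.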

