[Nix-dev] Bash CVE-2014-6271

Shea Levy shea at shealevy.com
Mon Sep 29 02:12:33 CEST 2014


The dry-run thing is likely due to replaceDependency doing an import
from a derivation, which requires building at evaluation time. There's
not really a good way to work around that, unfortunately.

~Shea

On Mon, Sep 29, 2014 at 12:52:10AM +0200, Ricardo M. Correia wrote:
> On Sun, Sep 28, 2014 at 10:19 AM, Vladimír Čunát <vcunat at gmail.com> wrote:
> 
> > On 09/25/2014 03:41 PM, Ricardo M. Correia wrote:
> >
> >> Also, I'm not sure if this is expected, but when I first tried to run
> >> "nixos-rebuild dry-run" with this workaround applied, it started to
> >> download and compile bash even though the man page of nixos-rebuild
> >> specifically says: [...]
> >>
> >
> > IIRC there are two steps -- first build nix, and then do the dry-run (or
> > switch or anything else). Nix also needs its bash replaced, so first you
> > need to build the bash replacement. That is, unless you specify
> > --no-build-nix option.
> >
> 
> That's what I thought too after reflecting on it a bit more, but now I'm
> starting to think that there is a real bug.
> 
> I just tried to run "nixos-rebuild dry-run" (in preparation for testing
> roconner's performance improvement) and it started to compile rustcMaster!
> (I'm pretty sure that is not a dependency of nix).
> I expected it to do that if I ran "nixos-rebuild switch" or "nixos-rebuild
> boot" because I changed it locally, but I didn't expect it to compile when
> running "nixos-rebuild dry-run".
> 
> For reference, I am currently running on
> e2d06c45b4586203a1838098460ec0a5781c8cf8 (from about 3 days ago).

> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
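The import-from-derivation behaviour Shea describes can be reproduced in a few lines. The expression below is an added illustration modelled on the shape of a replaceDependency-style helper; it is not the thread's workaround and not nixpkgs's own replaceDependency code. The package names, the `referencesOf` helper and the `needsRebuild` attribute are assumptions chosen for the example; `runCommand` and `exportReferencesGraph` are real nixpkgs/Nix facilities.

```nix
# Added illustration (not from this thread or from nixpkgs): why a helper that
# computes a package's runtime closure with `import` forces a build during
# evaluation.  Evaluate with
#   nix-instantiate --eval --strict example.nix
# which is the evaluation step a dry-run also has to perform; Nix must BUILD the
# "-references" derivation below before it can finish evaluating, so a dry-run
# still downloads and compiles whatever that derivation depends on.
with import <nixpkgs> {};

let
  # Hypothetical subject: the derivation whose runtime closure we want to scan.
  drv = hello;

  # Import-from-derivation.  The list of runtime references only exists after
  # this derivation has been built, so `import` cannot be satisfied from the
  # Nix expression alone; evaluation blocks on a build here.
  referencesOf = d: import (runCommand "${d.name}-references" {
    # Ask Nix to write the reference graph of `d` into a file named `graph`.
    exportReferencesGraph = [ "graph" d ];
  } ''
    # Constructed reduction of the graph file: keep every store path that
    # appears in it and emit them as a Nix list literal.
    echo "[" > $out
    grep '^/nix/store/' graph | sort -u | sed 's/.*/"&"/' >> $out
    echo "]" >> $out
  '');

  # Decides whether `drv` would have to be rewritten to pick up a replaced
  # bash: true when bash's store path is in the runtime closure of `drv`.
  needsRebuild = builtins.elem "${bash}" (referencesOf drv);
in
{
  inherit needsRebuild;
}
```

The practical consequence is the one raised in the thread: any evaluation path that goes through such a helper (including a dry-run, or building Nix itself before the dry-run unless that step is skipped) triggers real builds, because the expression's value depends on build output rather than only on source expressions.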
