[Nix-dev] Bash CVE-2014-6271

Ricardo M. Correia rcorreia at wizy.org
Mon Sep 29 02:23:58 CEST 2014


Shea: I wasn't even using replaceDependency... and dry-run started
compiling/downloading anyway, as if I had done a switch.

Isn't this happening to anyone else who is using a recent commit from the
unstable/master channel?

On Mon, Sep 29, 2014 at 2:12 AM, Shea Levy <shea at shealevy.com> wrote:

> The dry-run thing is likely due to replaceDependency doing an import
> from a derivation, which requires building at evaluation time. There's
> not really a good way to work around that, unfortunately.
>
> ~Shea
>
> On Mon, Sep 29, 2014 at 12:52:10AM +0200, Ricardo M. Correia wrote:
> > On Sun, Sep 28, 2014 at 10:19 AM, Vladimír Čunát <vcunat at gmail.com> wrote:
> >
> > > On 09/25/2014 03:41 PM, Ricardo M. Correia wrote:
> > >
> > >> Also, I'm not sure if this is expected, but when I first tried to run
> > >> "nixos-rebuild dry-run" with this workaround applied, it started to
> > >> download and compile bash even though the man page of nixos-rebuild
> > >> specifically says: [...]
> > >>
> > >
> > > IIRC there are two steps -- first build nix, and then do the dry-run (or
> > > switch or anything else). Nix also needs its bash replaced, so first you
> > > need to build the bash replacement. That is, unless you specify
> > > the --no-build-nix option.
> > >
> >
> > That's what I thought too after reflecting on it a bit more, but now I'm
> > starting to think that there is a real bug.
> >
> > I just tried to run "nixos-rebuild dry-run" (in preparation for testing
> > roconner's performance improvement) and it started to compile rustcMaster!
> > (I'm pretty sure that is not a dependency of nix).
> > I expected it to do that if I ran "nixos-rebuild switch" or "nixos-rebuild
> > boot" because I changed it locally, but I didn't expect it to compile when
> > running "nixos-rebuild dry-run".
> >
> > For reference, I am currently running on
> > e2d06c45b4586203a1838098460ec0a5781c8cf8 (from about 3 days ago).