[Nix-dev] Bash CVE-2014-6271

roconnor at theorem.ca roconnor at theorem.ca
Mon Sep 29 23:39:38 CEST 2014


I noticed dry-run building stuff, but I'm using replaceDependency.

ReplaceDependency does the unusual step of importing a .nix file that is 
generated by a runCommand expression which I believe is indirectly calling 
nix-build via the exportReferencesGraph feature.  This is why I think 
dry-run causes nix-build commands with replaceDependency; evaluation of 
the nix-expression's import requires running nix-build.

That is my theory anyway.

On Mon, 29 Sep 2014, Ricardo M. Correia wrote:

> Shea: I wasn't even using replaceDependency... and dry-run started compiling/downloading anyway, like if I had done a switch.
> Isn't this happening to anyone else who is using a recent commit from the unstable/master channel?
> 
> On Mon, Sep 29, 2014 at 2:12 AM, Shea Levy <shea at shealevy.com> wrote:
>       The dry-run thing is likely due to replaceDependency doing an import
>       from a derivation, which requires building at evaluation time. There's
>       not really a good way to work around that, unfortunately.
>
>       ~Shea
>
>       On Mon, Sep 29, 2014 at 12:52:10AM +0200, Ricardo M. Correia wrote:
>       > On Sun, Sep 28, 2014 at 10:19 AM, Vladimír Čunát <vcunat at gmail.com> wrote:
>       >
>       > > On 09/25/2014 03:41 PM, Ricardo M. Correia wrote:
>       > >
>       > >> Also, I'm not sure if this is expected, but when I first tried to run
>       > >> "nixos-rebuild dry-run" with this workaround applied, it started to
>       > >> download and compile bash even though the man page of nixos-rebuild
>       > >> specifically says: [...]
>       > >>
>       > >
>       > > IIRC there are two steps -- first build nix, and then do the dry-run (or
>       > > switch or anything else). Nix also needs its bash replaced, so first you
>       > > need to build the bash replacement. That is, unless you specify
>       > > --no-build-nix option.
>       > >
>       >
>       > That's what I thought too after reflecting on it a bit more, but now I'm
>       > starting to think that there is a real bug.
>       >
>       > I just tried to run "nixos-rebuild dry-run" (in preparation for testing
>       > roconner's performance improvement) and it started to compile rustcMaster!
>       > (I'm pretty sure that is not a dependency of nix).
>       > I expected it to do that if I ran "nixos-rebuild switch" or "nixos-rebuild
>       > boot" because I changed it locally, but I didn't expect it to compile when
>       > running "nixos-rebuild dry-run".
>       >
>       > For reference, I am currently running on
>       > e2d06c45b4586203a1838098460ec0a5781c8cf8 (from about 3 days ago).
> 
> > _______________________________________________
> > nix-dev mailing list
> > nix-dev at lists.science.uu.nl
> > http://lists.science.uu.nl/mailman/listinfo/nix-dev

-- 
Russell O'Connor                                      <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''
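The mechanism described in the message above (a runCommand derivation that uses exportReferencesGraph to write a .nix file, which is then imported, so that merely evaluating the expression forces a build) can be reproduced in isolation. The following is an added illustration, not the code of replaceDependency or of nixpkgs; the `target` package, the `closureNix` derivation name and the shell used to turn the graph file into a Nix list are all constructed for this example:

```nix
let
  pkgs = import <nixpkgs> {};

  # Constructed example: any store path whose runtime closure we want to list.
  target = pkgs.hello;

  # Nix writes the file "graph" into the build directory before the builder
  # runs. It contains, for every path in target's closure, the store path,
  # its hash, the number of references and then the referenced paths.
  closureNix = pkgs.runCommand "closure.nix" {
    exportReferencesGraph = [ "graph" target ];
  } ''
    {
      echo "["
      # Every line starting with /nix/store/ is either an entry or a reference,
      # so the de-duplicated set is exactly the closure.
      grep '^/nix/store/' graph | sort -u | sed 's/.*/  "&"/'
      echo "]"
    } > $out
  '';
in
  # Importing a derivation output is "import from derivation": to evaluate
  # this expression Nix must first realise closureNix (and therefore target).
  # That is why a command that only evaluates, such as nixos-rebuild dry-run,
  # still ends up running builds when an expression like this is in the closure
  # of what it evaluates.
  builtins.length (import closureNix)
```

Evaluating this with `nix-instantiate --eval` (or as part of a larger expression that a dry-run evaluates) is enough to trigger the build of `closureNix`; the build cannot be deferred because the result of `import` is needed to continue evaluation, which matches the behaviour reported in the thread.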