Marc Weber wrote:
> Excerpts from Yury G. Kudryashov's message of Sat Aug 20 16:18:27 +0200 2011:
>> We have quite a few *.packages variables in NixOS: udev.packages,
>> hal.packages, dbus.packages etc.
>
>> I see only one reason for separating these packages from system.packages:
>
> system.packages? Am I outdated or are you talking about
> environment.systemPackages?

Yes, you're right.

>> programs/config files/... supplied by these packages are likely to be
>> executed/read by a daemon running under root privileges.
>
>> I propose to merge these variables into one variable (say,
>> security.packages). If nobody objects, I'll start working on this.
>
> What exactly are you trying to do?

My goal is to avoid the situation when someone adds a package to dbus.packages but not to udev.packages.

> Eg in the "dbus" case I had the
> understanding that services.dbus.packages is a list of packages
> providing dbus services. Because the relation between services and
> packages providing service configurations is n:m I don't see
> that your solution is going to improve anything?
>
> I mean if a package provides two services having security.packages will
> not allow you to use one only (Not sure if you need this feature at
> all).

Using dbus.packages does not allow me to achieve this goal either. Theoretically, one can create a package that will symlink only one of these packages, and add this package (with one symlink) to security.packages.

>> Also I'd like to change the way the /var/setuid-wrappers list is generated.
>> I propose the following way: packages in nixpkgs advertise that they need
>> a given binary to be wrapped as setuid. For each package in
>> security.packages, we create all wrappers requested by these packages.
>
> Which will change "opt-in" to "opt-in automatically if condition" where
> condition means something like "package has been added to
> environment.systemPackages" ?

The condition is "package has been added to security.packages, i.e. marked as a trusted package". Advantages are:

* No more broken wrappers in /var/setuid-wrappers. E.g., I have no wodim in systemPackages but I have /var/setuid-wrappers/wodim.
* If someone changes a package in nixpkgs so that the location of a binary changes, he sees that he should change the 'suid request' accordingly.

-- 
Yury G. Kudryashov, mailto: [email protected]

_______________________________________________
nix-dev mailing list
[email protected]
https://mail.cs.uu.nl/mailman/listinfo/nix-dev
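The scheme proposed in this reply, as an added sketch that is neither the thread's nor NixOS's own code: a hypothetical NixOS module in which security.packages feeds the per-daemon lists and setuid wrappers are derived from a hypothetical passthru.setuidBinaries attribute, with a build-time check that fails loudly when a requested binary no longer exists. It assumes the NixOS options services.udev.packages, services.dbus.packages and security.setuidOwners as they existed around 2011 (program/owner/group/setuid entries, resolved on the system path).

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security;

  # Hypothetical convention: a package advertises the binaries it needs
  # wrapped via passthru.setuidBinaries, e.g. [ "bin/wodim" ].
  requested = pkg: pkg.passthru.setuidBinaries or [];

  # (package, relative path) pairs, collected only from trusted packages.
  wanted = concatMap (pkg: map (rel: { inherit pkg rel; }) (requested pkg))
    cfg.packages;

  # Build-time check: if a package moved its binary, the requested path is
  # gone and the build fails with a clear message instead of leaving a
  # dangling wrapper in /var/setuid-wrappers.
  checkRequests = pkgs.runCommand "check-setuid-requests" {} ''
    ${concatMapStrings (w: ''
      test -x "${w.pkg}/${w.rel}" ||
        { echo "${w.pkg.name}: requested ${w.rel} does not exist" >&2; exit 1; }
    '') wanted}
    touch $out
  '';
in
{
  options.security.packages = mkOption {
    type = types.listOf types.package;
    default = [];
    description = ''
      Packages trusted to supply configuration read by root daemons
      (udev, dbus, hal) and to request setuid wrappers for their binaries.
    '';
  };

  config = {
    # One place to add a package; every daemon's list gets it.
    services.udev.packages = cfg.packages;
    services.dbus.packages = cfg.packages;

    # Assumed: the existing setuid-wrappers module accepts entries of this
    # shape and resolves `program` on the system path, so the trusted
    # packages are put on that path too, together with the check.
    security.setuidOwners = map (w: {
      program = baseNameOf w.rel; owner = "root"; group = "root"; setuid = true;
    }) wanted;
    environment.systemPackages = cfg.packages ++ [ checkRequests ];
  };
}
```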
