After studying pkgs/build-support/replace-dependency.nix I'm preparing a preliminary patch for it that should make the computation a zillion times faster.

The dry-run thing not being a dry run is still a bit of a mystery to me, but replace-dependency.nix does do things that are a little strange such as "builtins.unsafeDiscardStringContext".

On Thu, 25 Sep 2014, Ricardo M. Correia wrote:

On Wed, Sep 24, 2014 at 11:34 PM, Peter Simons <[email protected]> wrote:
      If you are worried about Bash CVE-2014-6271 (you should) and don't want
      to wait for Hydra to re-build the world, then check out

        https://github.com/NixOS/nixpkgs/pull/4257#issuecomment-56727114

      to see how to replace the bash binary in your running system without
      triggering re-builds.


This does appear to work (thanks!), but I'm having some issues with it.
Namely, when I run "nixos-rebuild dry-run" on my laptop, instead of taking 3
seconds to finish, now it takes more than 65 minutes (!). It seems to be
CPU-bound during the whole time. Also, take into account my laptop has a
relatively fast CPU - a quad-core i7.

My Hydra server also took around 65 minutes to evaluate the expressions of the 
4 machines in my network (I believe usually it doesn't take more than a couple 
of minutes).

On my laptop, this is the process which seems to be taking 100% CPU during the
whole time:

root     16031 83.6  5.8 507344 471848 pts/1   R+   14:16  49:29 /nix/store/fxik1nhqc4dkb72wl5cgb4fxxxlcrlfz-nix-1.7/bin/nix-instantiate --add-root /tmp/nix-build.jHT5_9/derivation --indirect -A system <nixpkgs/nixos>

I know this feature is just a temporary workaround, but it's also a bad user
experience. From a user perspective, it seemed like the process simply got
stuck in an infinite loop.
In contrast, compare this to apt-get, which doesn't take more than a couple of
minutes to install a security fix...

Also, I'm not sure if this is expected, but when I first tried to run
"nixos-rebuild dry-run" with this workaround applied, it started to download
and compile bash even though the man page of nixos-rebuild specifically says:

       dry-run
           Simply show what store paths would be built or downloaded by any of the operations above.

Still, thanks for this feature because even though it's slow, it's still a lot 
better than waiting for everything to rebuild!



--
Russell O'Connor                                      <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''