On 04/11/2015 01:13 AM, Roger Qiu wrote:
The page https://nixos.org/wiki/Security_Updates isn't very user friendly. It requires too much of the user (treats servers like pets and not like cattle):
1. Monitor package vulnerabilities.
2. Manually override the packages that have vulnerabilities. Rebuild.
3. Manually remove the override when it is no longer needed. Rebuild.
Multiply that by each server. It really should be automatic, or at least done through one command that is prompted. Secondly, I'd prefer step 3 to not be required. Once it's overridden, and if/when the channel catches up, it shouldn't cause another change.
IMO it's all work that has to be done by some humans in the end. Sure, they can use tools (like nixpkgs monitor for 1); and they can e.g. commit this into a separate nixpkgs branch containing the manual overrides atop some other channel, so others can "just use" this branch.
But there's a question whether some people will do this work. It seems to me there aren't too many vulnerabilities for which people prefer doing such extra work instead of e.g. waiting a few days for the -small channel (perhaps I'm wrong). I always see some vulnerabilities on nixpkgs monitor that don't get fixed in any way for many weeks or months; they probably aren't too important, and I'm trying to fix those looking dangerous from time to time, but still...
Step 3 requires changing hashes in paths (at least until the intensional store).
Vladimir
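As an added illustration of step 2 from the wiki procedure discussed above (this is not code from the thread or from the NixOS wiki): a `packageOverrides` entry that applies a backported patch only while the channel still ships a release older than the fixed one, so the override retires itself when the channel catches up. The package name `openssl`, the version threshold and the patch file name are placeholders, and it assumes the derivation exposes a `version` attribute.

```nix
# Added example, not from the thread. Placeholders: the vulnerable package is
# assumed to be `openssl`, the first upstream release carrying the fix is
# assumed to be "1.0.2a", and ./cve-placeholder.patch is the backported fix.
{ config, pkgs, lib, ... }:

let
  # Placeholder: first upstream version that already contains the fix.
  fixedVersion = "1.0.2a";
in
{
  nixpkgs.config.packageOverrides = super: {
    openssl =
      if lib.versionOlder super.openssl.version fixedVersion then
        # Channel still ships the vulnerable release: rebuild with the patch
        # appended to whatever patches the package already carries.
        super.openssl.overrideAttrs (old: {
          patches = (old.patches or [ ]) ++ [ ./cve-placeholder.patch ];
        })
      else
        # Channel has caught up: return the package unchanged, so the override
        # no longer alters the store path and the host needs no extra rebuild.
        super.openssl;
  };
}
```

Apply it with the usual rebuild; once the channel's `openssl.version` reaches the threshold the override evaluates to the unmodified package, and deleting the block afterwards (step 3) no longer changes anything.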
nix-dev mailing list: http://lists.science.uu.nl/mailman/listinfo/nix-dev
