On Tue, 16 Feb 2016, Kosyrev Serge wrote: > [email protected] writes: >> I am using the following expression which I believe will build a patched >> version of glibc locally, and then build a patched NixOS derivation. >> >> system.replaceRuntimeDependencies = with pkgs.lib; >> [{original = pkgs.glibc; replacement = >> pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: { patches = >> oldAttr.patches ++ >> [(pkgs.fetchurl { url = >> "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";; >> sha256 = >> "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";})]; >> });} >> ]; >> >> I didin't time it, but I think it took around 25 minutes to update my >> desktop machine this way. Good luck everyone. > > For those of us who aren't that fluent in Nix idioms -- could you > provide a quick summary of how you manage to achieve the seemingly > impossible? > > Normally, one would expect that updating glibc would cause a full system > rebuild, but in your case it's obviously not the case.
I'll try my best to explain. If you are familiar with how you update a tree structure in functional programming, the techinque is similar to that. To update a leaf in a tree you trace a path from the root of the tree to the leaf, call this path a spine. You can build a new copy of the tree by updating all the nodes along this spine including replacing the leaf with your updated leaf. The result is a root of a new tree where unchanged branches are shared with the old tree. In this case the root is what is built by nixos-rebuild and the tree is the tree of dependencies, and glibc is a leaf that needs to be replaced. Step 1) is to build the orginial unpatch derivation for the system. Usually this is the currently running system, so no work needs to be done, but in principle if you are making other changes to your configuraiton.nix the unpatched system needs to be built. Step 2) Build the patched glibc. This is done the normal way. Step 3) List all the packages that are run-time dependecies of the unpatched system and pick out all those packages that either depend, directly or indirectly on the unpatched glibc. Step 4) for each of those packages make a new derivation whose source is the output of the deriviation, and which runs a command that finds all the hashes that are in that list generated by Step 3 and replaced them with new hashes that are being generated in by Step 4. (Clearly this step is preformed recursively starting at those packaged who directly depend on glibc and then working up to those packages that depended on packages that depend on glibc, etc.) Step 5) Return the new derivation that is has replaced the hashes in the unpatched root. Things to note: (1) There is nothing impure going on. The existing store values are never mutated. (2) This only updates packages that have a runtime depenency on glibc. Anything that statically links glibc (ie. only has a build-time depenency on glibc) are not updated. > And lastly -- is this somehow related to the techniques proposed for > providing NixOS with security updates? I wasn't at the last Nix meeting, so I'm not sure if it is related or not. I hope it is. -- Russell O'Connor <http://r6.ca/> ``All talk about `theft,''' the general counsel of the American Graphophone Company wrote, ``is the merest claptrap, for there exists no property in ideas musical, literary or artistic, except as defined by statute.'' _______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
