On 2016-02-16 14:25, Kosyrev Serge wrote:
> [email protected] writes:
>> I am using the following expression which I believe will build a
>> patched version of glibc locally, and then build a patched NixOS
>> derivation.
>>
>> system.replaceRuntimeDependencies = with pkgs.lib;
>>   [{ original = pkgs.glibc;
>>      replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: {
>>        patches = oldAttr.patches ++
>>          [(pkgs.fetchurl {
>>            url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>>            sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";
>>          })];
>>      });
>>    }
>>   ];
>>
>> I didn't time it, but I think it took around 25 minutes to update my
>> desktop machine this way. Good luck everyone.
>
> For those of us who aren't that fluent in Nix idioms -- could you
> provide a quick summary of how you manage to achieve the seemingly
> impossible?
>
> Normally, one would expect that updating glibc would cause a full
> system rebuild, but in your case it's obviously not the case.
>
> And lastly -- is this somehow related to the techniques proposed for
> providing NixOS with security updates?

system.replaceRuntimeDependencies uses pkgs.replaceDependency under the hood; you can read the details at
https://github.com/NixOS/nixpkgs/blob/ef3757db635bc361be81049eaaa4b4d3bfd0785d/pkgs/build-support/replace-dependency.nix
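
How `pkgs.replaceDependency` avoids the full rebuild, as an added, simplified Python model (not code from this thread or from nixpkgs): every store path in the closure that reaches the old glibc is copied with the old store path string substituted by the new one, which is why the replacement must have a store path of the same length. The store contents, package names and the `add`, `references` and `replace_dependency` helpers are constructed for illustration.

```python
import hashlib

STORE, HASH_LEN = "/nix/store/", 32

def add(store, name, content):
    """Add content under a constructed, content-derived path (stand-in for Nix's hashing)."""
    digest = hashlib.sha256(name.encode() + content).hexdigest()[:HASH_LEN]
    path = f"{STORE}{digest}-{name}"
    store[path] = content
    return path

def references(store, path):
    """Other store paths whose full name occurs in this path's bytes."""
    return {p for p in store if p != path and p.encode() in store[path]}

def replace_dependency(store, drv, old, new):
    """Return a copy of drv whose whole closure points at new instead of old."""
    if len(old) != len(new):
        raise ValueError("old and new store paths must have the same length")
    memo = {old: new}

    def rewrite(path):
        if path not in memo:
            content = store[path]
            for ref in sorted(references(store, path)):
                # Byte substitution only: nothing is compiled again.
                content = content.replace(ref.encode(), rewrite(ref).encode())
            if content == store[path]:
                memo[path] = path  # does not reach old: shared as-is
            else:
                name = path[len(STORE) + HASH_LEN + 1:]
                memo[path] = add(store, name, content)
        return memo[path]

    return rewrite(drv)

def demo():
    """Constructed four-path closure: system -> curl -> {glibc, zlib}."""
    store = {}
    old = add(store, "glibc", b"getaddrinfo without the fix")
    new = add(store, "glibc", b"getaddrinfo with the fix")
    zlib = add(store, "zlib", b"no references")
    curl = add(store, "curl", f"RPATH={old}/lib:{zlib}/lib".encode())
    system = add(store, "system", f"{curl}/bin {old}/lib".encode())
    patched = replace_dependency(store, system, old, new)
    return store, old, new, zlib, curl, system, patched

if __name__ == "__main__":
    store, old, new, *_, system, patched = demo()
    print(system, "->", patched)
```

Paths that never reach the old glibc (zlib here) are reused unchanged, and the original closure stays in the store untouched, so only the patched glibc itself is actually built.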
