Hi all, I just wanted to point out an issue with hydra: it doesn't make any distinction between security updates and normal changes.
For example, [1] was released two days ago. Despite the fix landing two days ago too [2], nixos-unstable still doesn't have the vulnerability fixed. Granted, in this specific case exploitation seems to go through SELinux, and SELinux is not (afaik) supported on NixOS. But that doesn't mean it'll be the same for all upcoming vulnerabilities.

And for what reason? [3] It seems a few tests didn't pass for all this time. Apart from the fact that [4] doesn't look related to the said build failures (are there ephemeral failures on hydra?), this looks like an issue we should fix: in my opinion, security fixes should start being built by hydra as soon as they land in the repo.

I see two ways of doing this: either having hydra somehow handle security updates with special care (hard to do), or having master and stable branches *always* build. The second option looks more reasonable to me, but implies that all changes go through PRs, and are never merged until *after* hydra has built and checked them. In my opinion, this would also make our overall update delivery process faster, given that it would no longer block on failing tests on master.

What do you think about this? Do you have any better idea for how to handle urgent security issues?

Leo

[1] http://www.openwall.com/lists/oss-security/2017/05/30/16
[2] https://github.com/NixOS/nixpkgs/blob/3c0114d4728aff4158730ccaf89cc1d9115c83ee/pkgs/tools/security/sudo/default.nix
[3] https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents
[4] https://hydra.nixos.org/api/scmdiff?type=git&rev1=c9e63ded807c492106273a10009a28e848c44b82&rev2=3f688207e7316f624ea975e578dc0aff3a1ff2a9&branch=&uri=https%3A%2F%2Fgithub.com%2FNixOS%2Fnixpkgs.git
nix-dev mailing list: https://mailman.science.uu.nl/mailman/listinfo/nix-dev
