Leo Gaspard <[email protected]> writes:
> I just wanted to point out an issue with hydra: it doesn't make any
> distinction between security updates and normal changes.
>
> For example, [1] was released two days ago. Despite the fix landing two
> days ago too [2], nixos-unstable still doesn't have the vulnerability
> fixed.

nixos-unstable frequently lags behind for quite some time, and has no guarantees about how quickly it'll receive security patches. You may be interested in nixos-unstable-small, which received the security update much faster.

While it is fun and nice to think through various solutions to making our unstable channel get security updates faster, I believe three things make it somewhat less critical:

1. The stable and recommended version of NixOS to run is NixOS 17.03, which also received the patch quite quickly.

2. There are strategies in place that can side-step the long rebuild process if required; however, they're typically not necessary. On a "the world is burning" scale problem, nixos has seen a full rebuild from nothing to channel published in 24 hours. This is part of my inclination to not really love PR#10851: it is complicated and goes around the normal processes, even when we can easily deploy fairly quickly. Most distributions have much more than 24 hours to be notified of an issue and prepare a release, via the embargoed announcements on the distro mailing list. Unfortunately that list is not accepting new distro members at this time: https://github.com/NixOS/nixpkgs/issues/14819

3. The much larger, more difficult problem is organizing _around_ the security updates and getting them done regularly. These big scary bugs are important, yes, but so are the dozens of little bugs that get patched weekly in various projects. Many of these are currently going unpatched. For several months, I organized a weekly bug roundup that handled most of these. When my bug source dried up, I decided to step away for a time.
I think I'm ready to start again, but need to do some research.

Regarding Hydra building PRs, that was an experiment to see how much hardware and resources it would take. The integration with GitHub was not as secure as we'd like, and wasn't suitable for merging with the official hydra. There have been a few attempts at fixing it. If you'd like to talk about it and take a crack, I'd be happy to talk with you!

Best,
Graham

_______________________________________________
nix-dev mailing list
[email protected]
https://mailman.science.uu.nl/mailman/listinfo/nix-dev
