[Nix-dev] Picocom and /run/lock permissions
Hi,

I just installed picocom and ran into a small problem (which I have encountered before on other distributions [0]) to do with lock files in /run/lock. The issue is that picocom is creating its lock files directly in /run/lock, which is only root-writeable. Requiring root to run picocom is not really ideal.

According to [0], device locks should be in /run/lock/lockdev. This directory would be group-writeable and owned by group "lock". I would then recompile picocom to use /run/lock/lockdev instead and make sure I belong to the "lock" group.

So it seems NixOS is doing the right thing with the permissions; I'm just wondering what the deal is with creating extra directories in the /run/lock directory which can be used by non-root programs, or whether locks should be placed somewhere else in NixOS.

Regards,
Luke

[0] http://lists.freedesktop.org/archives/systemd-devel/2011-March/001823.html

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
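One way to set this up declaratively on NixOS, as an added example that is not code from the thread or from NixOS itself: a tmpfiles rule that recreates /run/lock/lockdev on every boot as root:lock with mode 0775, a "lock" group with the serial-port user in it, and a picocom build pointed at that directory. Assumptions: the option names are the 14.04-era users.extraGroups/users.extraUsers, systemd.tmpfiles.rules is assumed to be available in the reader's release, the user name luke is a placeholder for a user defined elsewhere in the configuration, and picocom's Makefile is assumed to take the directory as UUCP_LOCK_DIR (check the Makefile of the version nixpkgs packages before relying on that).

```nix
# configuration.nix fragment (added example; not from the thread or from NixOS)
{ config, pkgs, lib, ... }:

{
  # A dedicated group for device lock files. Only its members get write
  # access to the lock directory; /run/lock itself stays root-only.
  users.extraGroups.lock = { };

  # Placeholder user, assumed to be defined elsewhere in the config.
  # "dialout" is the group udev gives the serial device itself;
  # "lock" covers the lock file that guards it.
  users.extraUsers.luke.extraGroups = [ "dialout" "lock" ];

  # tmpfiles.d(5) rule: "d" creates the directory if it is missing,
  # mode 0775, owner root, group lock, no cleanup age. /run is a tmpfs,
  # so the directory has to be recreated on every boot; this does that.
  # 0775 rather than 1777: a world-writable lock directory would let any
  # local user create or remove another user's LCK..ttyUSB0-style lock
  # and thereby block or hijack access to the port.
  systemd.tmpfiles.rules = [
    "d /run/lock/lockdev 0775 root lock -"
  ];

  # Rebuild picocom so it writes its lock files into the new directory.
  # Assumption: the Makefile exposes the path as UUCP_LOCK_DIR; verify
  # against the packaged version before using this override.
  nixpkgs.config.packageOverrides = pkgs: {
    picocom = lib.overrideDerivation pkgs.picocom (old: {
      makeFlags = (old.makeFlags or [ ]) ++ [ "UUCP_LOCK_DIR=/run/lock/lockdev" ];
    });
  };
}
```

After nixos-rebuild switch, `ls -ld /run/lock/lockdev` should show drwxrwxr-x root lock, and `id` for the user should list both dialout and lock; picocom then creates its lock there without root.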
Re: [Nix-dev] Openssl and fast security updates
I believe that is a separate delay. Both exist.

On 06.06.2014 06:49, "Michael Raskin" <7c6f4...@mail.ru> wrote:

>> Note that we're currently not just waiting for Hydra, but also for the delayed appearance on the official cache.nixos.org, which AFAIK can take something like a day.
>
> As far as I understand, this delay is the delay of Hydra building the entire channel. I.e. fresh Nginx will not go to the cache until LibreOffice in the same channel is also rebuilt.
>
>> 2014-06-05 22:50 GMT+02:00 Ertugrul Söylemez :
>>> On Thu, 5 Jun 2014 21:01:59 +0100 Shell Turner wrote:
>>>> So is the argument that it should be possible to update the channel with the new package definition before the binary cache has finished building, thus letting people rebuild their systems locally if need be? That seems reasonable.
>>>
>>> I think a nice solution would be to add build priorities to Hydra. When a security update is required quickly, then update the OpenSSL expression, assign a high build priority to OpenSSL and the common server packages and let Hydra do the building. Most people will build on weaker machines, so I think that "waiting for Hydra" is the way to go, even when you can't watch the actual build process and thus feel that nothing is happening.
>>>
>>> All we need is to make sure that Hydra builds those quickly enough.
Re: [Nix-dev] Openssl and fast security updates
> Note that we're currently not just waiting for Hydra, but also for the delayed appearance on the official cache.nixos.org, which AFAIK can take something like a day.

As far as I understand, this delay is the delay of Hydra building the entire channel. I.e. fresh Nginx will not go to the cache until LibreOffice in the same channel is also rebuilt.

> 2014-06-05 22:50 GMT+02:00 Ertugrul Söylemez :
>> On Thu, 5 Jun 2014 21:01:59 +0100 Shell Turner wrote:
>>> So is the argument that it should be possible to update the channel with the new package definition before the binary cache has finished building, thus letting people rebuild their systems locally if need be? That seems reasonable.
>>
>> I think a nice solution would be to add build priorities to Hydra. When a security update is required quickly, then update the OpenSSL expression, assign a high build priority to OpenSSL and the common server packages and let Hydra do the building. Most people will build on weaker machines, so I think that "waiting for Hydra" is the way to go, even when you can't watch the actual build process and thus feel that nothing is happening.
>>
>> All we need is to make sure that Hydra builds those quickly enough.
Re: [Nix-dev] Openssl and fast security updates
On 06/05/2014 10:50 PM, Ertugrul Söylemez wrote:
> I think a nice solution would be to add build priorities to Hydra. When a security update is required quickly, then update the OpenSSL expression, assign a high build priority to OpenSSL and the common server packages and let Hydra do the building. Most people will build on weaker machines, so I think that "waiting for Hydra" is the way to go, even when you can't watch the actual build process and thus feel that nothing is happening.

Hydra has and uses priorities. Anyway, building OpenSSL itself is very quick, but rebuilding all that (transitively) depends on it is worse. And there are CVE fixes for stdenv stuff sometimes (glibc)...

Also, as noted, the channel will NOT update until all packages are finished and tests succeed. For a big rebuild that takes days. Some non-deterministic test failures can delay it, too.

Vlada
Re: [Nix-dev] Openssl and fast security updates
Note that we're currently not just waiting for Hydra, but also for the delayed appearance on the official cache.nixos.org, which AFAIK can take something like a day.

2014-06-05 22:50 GMT+02:00 Ertugrul Söylemez :
> On Thu, 5 Jun 2014 21:01:59 +0100 Shell Turner wrote:
>> So is the argument that it should be possible to update the channel with the new package definition before the binary cache has finished building, thus letting people rebuild their systems locally if need be? That seems reasonable.
>
> I think a nice solution would be to add build priorities to Hydra. When a security update is required quickly, then update the OpenSSL expression, assign a high build priority to OpenSSL and the common server packages and let Hydra do the building. Most people will build on weaker machines, so I think that "waiting for Hydra" is the way to go, even when you can't watch the actual build process and thus feel that nothing is happening.
>
> All we need is to make sure that Hydra builds those quickly enough.
>
> Greets,
> Ertugrul
>
> --
> Ertugrul Söylemez
Re: [Nix-dev] Openssl and fast security updates
On Thu, 5 Jun 2014 21:01:59 +0100 Shell Turner wrote:
> So is the argument that it should be possible to update the channel with the new package definition before the binary cache has finished building, thus letting people rebuild their systems locally if need be? That seems reasonable.

I think a nice solution would be to add build priorities to Hydra. When a security update is required quickly, then update the OpenSSL expression, assign a high build priority to OpenSSL and the common server packages and let Hydra do the building. Most people will build on weaker machines, so I think that "waiting for Hydra" is the way to go, even when you can't watch the actual build process and thus feel that nothing is happening.

All we need is to make sure that Hydra builds those quickly enough.

Greets,
Ertugrul

--
Ertugrul Söylemez
Re: [Nix-dev] Openssl and fast security updates
No, the argument is currently this pull request, where you can force the system to use a particular package (under some condition) without doing a full rebuild: https://github.com/NixOS/nixpkgs/pull/2837

On Thu, Jun 5, 2014 at 10:01 PM, Shell Turner wrote:
> So is the argument that it should be possible to update the channel with the new package definition before the binary cache has finished building, thus letting people rebuild their systems locally if need be? That seems reasonable.
>
> For the moment, though, checking out the release-14.04 branch from git and building from that is exactly equivalent.
>
> Shell
>
> On 5 June 2014 20:05, Luca Bruno wrote:
>> No, it's not too early. Other distros immediately packaged the new version and provided it in their security channel. It's never too early when it concerns security.
>>
>> On Thu, Jun 5, 2014 at 8:04 PM, Peter Simons wrote:
>>> Hi Luca,
>>>
>>>> It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.
>>>
>>> that OpenSSL update was committed 5 hours ago. Isn't it a wee bit early to say that the update takes "too much time"?
>>>
>>> Also, note that you don't have to wait for the channel to update to get binaries. Running
>>>
>>>     $ nix-build nixos -A system -I nixpkgs=$PWD --dry-run --option binary-caches http://hydra.nixos.org
>>>
>>> in a checked-out copy of the release-14.04 branch shows that a good portion of Nixpkgs has been compiled by Hydra already, and compiling the rest locally is not a serious problem, IMHO.
>>>
>>> I agree that the ability to make quick-and-dirty replacements of core libraries in a running system would be nice to have. Personally, I doubt I'd ever bother with that kind of hackery though, because the normal update channels are quick enough, IMHO.
>>>
>>> Best regards,
>>> Peter
>>
>> --
>> www.debian.org - The Universal Operating System

--
www.debian.org - The Universal Operating System
Re: [Nix-dev] Openssl and fast security updates
So is the argument that it should be possible to update the channel with the new package definition before the binary cache has finished building, thus letting people rebuild their systems locally if need be? That seems reasonable.

For the moment, though, checking out the release-14.04 branch from git and building from that is exactly equivalent.

Shell

On 5 June 2014 20:05, Luca Bruno wrote:
> No, it's not too early. Other distros immediately packaged the new version and provided it in their security channel. It's never too early when it concerns security.
>
> On Thu, Jun 5, 2014 at 8:04 PM, Peter Simons wrote:
>> Hi Luca,
>>
>>> It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.
>>
>> that OpenSSL update was committed 5 hours ago. Isn't it a wee bit early to say that the update takes "too much time"?
>>
>> Also, note that you don't have to wait for the channel to update to get binaries. Running
>>
>>     $ nix-build nixos -A system -I nixpkgs=$PWD --dry-run --option binary-caches http://hydra.nixos.org
>>
>> in a checked-out copy of the release-14.04 branch shows that a good portion of Nixpkgs has been compiled by Hydra already, and compiling the rest locally is not a serious problem, IMHO.
>>
>> I agree that the ability to make quick-and-dirty replacements of core libraries in a running system would be nice to have. Personally, I doubt I'd ever bother with that kind of hackery though, because the normal update channels are quick enough, IMHO.
>>
>> Best regards,
>> Peter
>
> --
> www.debian.org - The Universal Operating System
Re: [Nix-dev] Openssl and fast security updates
No, it's not too early. Other distros immediately packaged the new version and provided it in their security channel. It's never too early when it concerns security.

On Thu, Jun 5, 2014 at 8:04 PM, Peter Simons wrote:
> Hi Luca,
>
>> It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.
>
> that OpenSSL update was committed 5 hours ago. Isn't it a wee bit early to say that the update takes "too much time"?
>
> Also, note that you don't have to wait for the channel to update to get binaries. Running
>
>     $ nix-build nixos -A system -I nixpkgs=$PWD --dry-run --option binary-caches http://hydra.nixos.org
>
> in a checked-out copy of the release-14.04 branch shows that a good portion of Nixpkgs has been compiled by Hydra already, and compiling the rest locally is not a serious problem, IMHO.
>
> I agree that the ability to make quick-and-dirty replacements of core libraries in a running system would be nice to have. Personally, I doubt I'd ever bother with that kind of hackery though, because the normal update channels are quick enough, IMHO.
>
> Best regards,
> Peter

--
www.debian.org - The Universal Operating System
Re: [Nix-dev] Openssl and fast security updates
Perhaps there is a case to be made that the hydra.nixos.org -> CloudFront delay is too long.

2014-06-05 20:04 GMT+02:00 Peter Simons :
> Hi Luca,
>
>> It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.
>
> that OpenSSL update was committed 5 hours ago. Isn't it a wee bit early to say that the update takes "too much time"?
>
> Also, note that you don't have to wait for the channel to update to get binaries. Running
>
>     $ nix-build nixos -A system -I nixpkgs=$PWD --dry-run --option binary-caches http://hydra.nixos.org
>
> in a checked-out copy of the release-14.04 branch shows that a good portion of Nixpkgs has been compiled by Hydra already, and compiling the rest locally is not a serious problem, IMHO.
>
> I agree that the ability to make quick-and-dirty replacements of core libraries in a running system would be nice to have. Personally, I doubt I'd ever bother with that kind of hackery though, because the normal update channels are quick enough, IMHO.
>
> Best regards,
> Peter
Re: [Nix-dev] Openssl and fast security updates
Hi Luca,

> It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.

that OpenSSL update was committed 5 hours ago. Isn't it a wee bit early to say that the update takes "too much time"?

Also, note that you don't have to wait for the channel to update to get binaries. Running

    $ nix-build nixos -A system -I nixpkgs=$PWD --dry-run --option binary-caches http://hydra.nixos.org

in a checked-out copy of the release-14.04 branch shows that a good portion of Nixpkgs has been compiled by Hydra already, and compiling the rest locally is not a serious problem, IMHO.

I agree that the ability to make quick-and-dirty replacements of core libraries in a running system would be nice to have. Personally, I doubt I'd ever bother with that kind of hackery though, because the normal update channels are quick enough, IMHO.

Best regards,
Peter
Re: [Nix-dev] Openssl and fast security updates
On 05/06/2014 18:41, Shea Levy wrote:
> How about something like http://sprunge.us/eJOD (untested)? I don't have time to do testing right now.

Ahah, much like what I did here: https://github.com/NixOS/nixpkgs/pull/2837
Re: [Nix-dev] Openssl and fast security updates
Luca Bruno writes:

> On 05/06/2014 17:49, Shea Levy wrote:
>> Pass in the system derivation and use nix-env --set to switch your system to the resultant derivation.
>>
>> I have used it in the past but only for short periods while waiting for a rebuild.
>
> Can't it be done in configuration.nix rather than command line? Would it be possible somehow?

I think you can use nixpkgs.config.packageOverrides for that.
Re: [Nix-dev] Openssl and fast security updates
How about something like http://sprunge.us/eJOD (untested)? I don't have time to do testing right now.

On Thu, Jun 05, 2014 at 06:21:30PM +0200, Luca Bruno wrote:
> On 05/06/2014 17:49, Shea Levy wrote:
>> Pass in the system derivation and use nix-env --set to switch your system to the resultant derivation.
>>
>> I have used it in the past but only for short periods while waiting for a rebuild.
>
> I'd like to propose a system.securityUpdates = [ pkg1 pkg2 ... ] which will be taken in account by system.build.toplevel automatically, so that security updates can be easily specified in configuration.nix, instead of messing with the command line.
Re: [Nix-dev] Openssl and fast security updates
On 06/05/2014 06:21 PM, Luca Bruno wrote:
> I'd like to propose a system.securityUpdates = [ pkg1 pkg2 ... ] which will be taken in account by system.build.toplevel automatically, so that security updates can be easily specified in configuration.nix, instead of messing with the command line.

Sounds nice.
Re: [Nix-dev] Openssl and fast security updates
On 05/06/2014 17:49, Shea Levy wrote:
> Pass in the system derivation and use nix-env --set to switch your system to the resultant derivation.
>
> I have used it in the past but only for short periods while waiting for a rebuild.

I'd like to propose a system.securityUpdates = [ pkg1 pkg2 ... ] which will be taken in account by system.build.toplevel automatically, so that security updates can be easily specified in configuration.nix, instead of messing with the command line.
Re: [Nix-dev] Openssl and fast security updates
On 05/06/2014 17:49, Shea Levy wrote:
> Pass in the system derivation and use nix-env --set to switch your system to the resultant derivation.
>
> I have used it in the past but only for short periods while waiting for a rebuild.

Can't it be done in configuration.nix rather than command line? Would it be possible somehow?
Re: [Nix-dev] Openssl and fast security updates
Pass in the system derivation and use nix-env --set to switch your system to the resultant derivation.

I have used it in the past but only for short periods while waiting for a rebuild.

On Thu, Jun 05, 2014 at 05:44:01PM +0200, Luca Bruno wrote:
> On 05/06/2014 17:16, Shea Levy wrote:
>> See the replaceDependency function in nixpkgs:
>>
>> https://github.com/NixOS/nixpkgs/blob/80a60810ca7e59360e8babf47c4d967f108c1e46/pkgs/top-level/all-packages.nix#L407-L409
>
> Also, replaceDependency seems to work with a single drv, but then how to apply the new openssl to all the drvs in pkgs?
> Other than just linking it in the mailing list, are you using it in reality Shea?
Re: [Nix-dev] Openssl and fast security updates
On 05/06/2014 17:16, Shea Levy wrote:
> See the replaceDependency function in nixpkgs:
>
> https://github.com/NixOS/nixpkgs/blob/80a60810ca7e59360e8babf47c4d967f108c1e46/pkgs/top-level/all-packages.nix#L407-L409

Also, replaceDependency seems to work with a single drv, but then how to apply the new openssl to all the drvs in pkgs?
Other than just linking it in the mailing list, are you using it in reality Shea?
Re: [Nix-dev] Openssl and fast security updates
On 05/06/2014 17:16, Shea Levy wrote:
> See the replaceDependency function in nixpkgs:
>
> https://github.com/NixOS/nixpkgs/blob/80a60810ca7e59360e8babf47c4d967f108c1e46/pkgs/top-level/all-packages.nix#L407-L409

This deserves a note in the wiki, with a practical example on how to add it, and how to remove it once it gets in the channel. I will try it and try to create a page about it.
Re: [Nix-dev] Openssl and fast security updates
See the replaceDependency function in nixpkgs:

https://github.com/NixOS/nixpkgs/blob/80a60810ca7e59360e8babf47c4d967f108c1e46/pkgs/top-level/all-packages.nix#L407-L409

On Thu, Jun 05, 2014 at 05:09:52PM +0200, Luca Bruno wrote:
> This is the second time since I'm using nixos there's a need for a really important security update.
> It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.
> Are there any plans to overcome this drawback? Is there any quick fix documented anywhere for updating a package without recompiling the world?
> I'd like to open an issue about this, security is important and such updates must be delivered soon, not after several days.
>
> Best regards,
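A worked use of the replaceDependency function pointed at above, covering both the whole-system route (build the rewritten system derivation, then nix-env --set it, as suggested elsewhere in the thread) and the per-package route that fits nixpkgs.config.packageOverrides or nix-env. This is an added example; it is not code from the thread, from the linked pull request or from nixpkgs. Assumptions: the nixos entry point under <nixpkgs/nixos> exposes the evaluated pkgs set and the system derivation as attributes (if your release lacks pkgs, import <nixpkgs> with config = nixos.config.nixpkgs.config instead), and ./openssl-fix.patch is a hypothetical local file containing the upstream fix.

```nix
# openssl-hotfix.nix (added example; not from the thread, the pull request
# or nixpkgs). Evaluate the current NixOS system, then use
# pkgs.replaceDependency to rewrite every reference to the vulnerable
# OpenSSL store path so it points at a patched build, without rebuilding
# the dependents themselves.
let
  # Evaluates /etc/nixos/configuration.nix the way nixos-rebuild does.
  # Assumption: the result exposes `pkgs` and `system` as attributes.
  nixos = import <nixpkgs/nixos> { };
  pkgs  = nixos.pkgs;
  lib   = pkgs.lib;

  # The patched library. replaceDependency's own documentation requires
  # the old and new derivations to have names of the same length: the old
  # store path is overwritten in place inside ELF files and scripts, so
  # the replacement path must be exactly as long. Adding a patch instead
  # of bumping the version string keeps the name identical.
  # ./openssl-fix.patch is a hypothetical local file with the upstream fix.
  opensslFixed = lib.overrideDerivation pkgs.openssl (old: {
    patches = (old.patches or [ ]) ++ [ ./openssl-fix.patch ];
  });

  # Rewrite one derivation's closure: every requisite that references the
  # old OpenSSL is copied with the path substituted; nothing is recompiled.
  hotfix = drv: pkgs.replaceDependency {
    inherit drv;
    oldDependency = pkgs.openssl;
    newDependency = opensslFixed;
  };
in
{
  # Whole system. Build it, install it into the system profile, switch:
  #   nix-build openssl-hotfix.nix -A system -o result
  #   sudo nix-env -p /nix/var/nix/profiles/system --set ./result
  #   sudo ./result/bin/switch-to-configuration switch
  system = hotfix nixos.system;

  # Or only the network-facing services, e.g. for
  #   nix-env -f openssl-hotfix.nix -iA nginx
  # or for returning from nixpkgs.config.packageOverrides.
  nginx   = hotfix pkgs.nginx;
  openssh = hotfix pkgs.openssh;
}
```

Two checks are worth running after the switch. First, confirm the old path is gone from the active closure: with `old=$(nix-build '<nixpkgs>' -A openssl --no-out-link)`, `nix-store -qR /run/current-system | grep -F "$old"` should print nothing. Second, a fixed library on disk does not fix a process that already mapped the old one: services whose unit files now point at new store paths are restarted by switch-to-configuration, but anything else still holding the old file (`grep -l "$old" /proc/[0-9]*/maps 2>/dev/null` lists the PIDs) must be restarted by hand. Treat this as a stopgap: the generation it produces is not what nixos-rebuild would build, so the next nixos-rebuild switch from an unchanged channel silently goes back to the channel's OpenSSL. Drop the hotfix as soon as the channel ships the rebuilt packages.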
[Nix-dev] Openssl and fast security updates
This is the second time since I've been using nixos that there's a need for a really important security update.
It takes too much time to deliver the new packages from the nixos channel, and it would take equally long to compile them on production servers.
Are there any plans to overcome this drawback? Is there any quick fix documented anywhere for updating a package without recompiling the world?
I'd like to open an issue about this; security is important and such updates must be delivered soon, not after several days.

Best regards,
[Nix-dev] Online nix code cross reference
With a friend we've set up a nixos instance for running opengrok on several linux branches, similar to lxr.linux.no. In addition, I've also added the nix source code. You can find it here: http://lxr.devzen.net/source/xref/nix/

Best regards,