Seeing as the security fix for Lix is apparently broken, has anyone figured out how to apply the new fix?
(reference: Lix | Critical correctness bug in Lix)
I’ve tried switching from lix-module to the nixpkgs package using lixPackageSets.latest.lix.overrideAttrs, but I don’t think I’ve found the correct url for the patch yet (the only one I can find is https://gerrit.lix.systems/changes/lix~3510/revisions/7/patch?download and that fails in just patching version.json, which doesn’t seem correct - there should be more to patch and I also don’t get why the patch fails).
Then I’ve tried adding lix itself as a flake dependency, and using that as the input for lix-module, but I can’t seem to find the proper commit and branch to point at for lix (as HEAD is at version 2.94.0-dev, but lix-module expects 2.93 and the lix branch release-2.93 doesn’t seem to have the update).
The simplest fix seems to be to patch the package in nixpkgs, like this, but as mentioned, the following doesn’t work:
    nix.package = pkgs.lixPackageSets.latest.lix.overrideAttrs (
      _finalAttrs: previousAttrs: {
        patches = (previousAttrs.patches or []) ++ [
          (pkgs.fetchpatch {
            url = "https://gerrit.lix.systems/changes/lix~3510/revisions/7/patch?download";
            decode = "base64 -d";
            hash = "sha256-3Lh2mvrJlw4TlmWehgYu8n6XypjFD62k0yd+3OsGENU=";
          })
        ];
      }
    );
Am I just bad at navigating gerrit?