This is a follow-up from When does staging hit release channels? - #2 by primeos
Context
How I tried and failed
I’ve gone on doing the following in my codebase:
```nix
nixpkgs = import sources.nixpkgs {
  config = {
    packageOverrides = pkgs: {
      git = pkgs.git.overrideAttrs (oldAttrs: rec { version = "2.29.3"; });
    };
  };
};
pkgs-20-03 = import sources.nixpkgs-20-03 {
  config = {
    packageOverrides = pkgs: {
      git = pkgs.git.overrideAttrs (oldAttrs: rec { version = "2.25.5"; });
    };
  };
};
nixpkgs = import sources.nixpkgs-unstable {
  config = {
    packageOverrides = pkgs: {
      git = pkgs.git.overrideAttrs (oldAttrs: rec { version = "2.30.2"; });
    };
  };
};
```
But it’s been maybe some 4-5 hours, and at the end:
```
$ which git
/nix/store/7n6jihgn1pm696jcg5zlh4gqc9rbs8ip-git-2.29.3/bin/git
$ git --version
git version 2.29.2
```
This output from `nix-store -q --graph $(nix-instantiate shell.nix)` makes me believe the tarballs for the vulnerable versions are feeding my derivations, which merely have the patched versions in their names:
```
"/nix/store/d4b8sdb2m458fgkl860f51kqkwhm385w-git-2.29.2.tar.xz.drv" -> "/nix/store/nqif47iiq56zk5m7q5bgrfxqbkf2har8-git-2.29.3.drv" [color = "red"];
```
Aside from taking 4-5h to build, this got my disk down some 40GB, which would likely overflow the company’s cachix subscription and force my colleagues to spend hours building too.
Halp?
Are folks patching? How are they doing it? What did I get wrong?
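The graph edge above shows the failure mode: `overrideAttrs` with only `version` renames the output derivation, but `src` was already evaluated against the old version inside the original `git.nix`, so the 2.29.2 tarball is still what gets built. Below is an added example (not the original poster's code and not nixpkgs' own) of overriding `version` and `src` together so the new tarball is actually fetched. It assumes a niv-style `sources.nixpkgs` pin as in the post, and that upstream git tarballs are served from the kernel.org path used in the URL; the same pattern applies to the 20.03 and unstable pins.

```nix
# Added example: bump git inside packageOverrides and replace `src` as well,
# so the derivation builds the release its name claims.
# Assumptions (not from the post): `sources.nixpkgs` is a pinned nixpkgs
# checkout, and release tarballs live under the kernel.org URL below.
let
  patchedGitVersion = "2.29.3";

  nixpkgs = import sources.nixpkgs {
    config = {
      packageOverrides = pkgs: {
        git = pkgs.git.overrideAttrs (oldAttrs: rec {
          version = patchedGitVersion;

          # Without this attribute the store path name changes but the
          # tarball does not, which is exactly what `git --version`
          # reporting 2.29.2 from a "git-2.29.3" path indicates.
          src = pkgs.fetchurl {
            url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
            # Placeholder hash: the first build fails with a hash mismatch
            # that prints the real sha256; paste that value here. Never
            # copy a hash from an untrusted source without this check.
            sha256 = pkgs.lib.fakeSha256;
          };
        });
      };
    };
  };
in
  nixpkgs.git
```

To confirm the override took effect, build it and run `result/bin/git --version`; it should print the new version, and `nix-store -q --graph` on the instantiated derivation should now show a `git-2.29.3.tar.xz.drv` node feeding `git-2.29.3.drv` rather than the old tarball. Note that overriding `git` in `packageOverrides` replaces it for every package in that nixpkgs evaluation that depends on git, so everything downstream is rebuilt, which is consistent with the multi-hour build and the disk usage described in the post.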