Timely updates for NixOS

Hey!

OpenSSL 1.1.1u was released two weeks ago to fix some vulnerabilities. It was backported to 22.11 with [Backport staging-22.11] openssl_1_1: 1.1.1t -> 1.1.1u by github-actions[bot] · Pull Request #235017 · NixOS/nixpkgs · GitHub but since then, it is still in staging. This is just an example, but vulnerabilities take time to reach users, even without taking a detour to staging.

I don’t really have a solution but I was wondering if there is some work in-progress to deal with this?

5 Likes

I’m not aware. One full rebuild iteration takes normally roughly a week, and each of them fixes CVEs. We’re now supporting three separate branches for about a month or two, so a lag of three weeks is normal to happen, I’m afraid. Right now 22.11 has the lowest priority of the three AFAIK.

BTW, there’s replaceRuntimeDependencies as well, e.g. see OpenSSL 3.0.7 update (2022-11-01) FAQ

2 Likes
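As an added illustration of that option (this is example code, not from the thread or from the linked FAQ), here is what a `system.replaceRuntimeDependencies` entry looks like in a NixOS configuration. It assumes the versions named in the original post (1.1.1t in the channel, 1.1.1u upstream); the tarball URL is the usual upstream location and the hash is a placeholder that Nix reports on the first build attempt.

```nix
# Added example, not from this thread: hot-swapping a vulnerable library in the
# running system closure with system.replaceRuntimeDependencies, instead of
# waiting for the full staging rebuild of every package that links against it.
{ lib, pkgs, ... }:

let
  # Assumption: a patched openssl_1_1 built from the 1.1.1u tarball. Only this
  # derivation is rebuilt locally; nothing that depends on it is.
  openssl_1_1_patched = pkgs.openssl_1_1.overrideAttrs (old: rec {
    version = "1.1.1u";
    src = pkgs.fetchurl {
      # Assumed upstream tarball location; lib.fakeHash is a placeholder and
      # Nix prints the expected hash on the first build attempt.
      url = "https://www.openssl.org/source/openssl-${version}.tar.gz";
      hash = lib.fakeHash;
    };
  });
in
{
  # At activation, every store path in the system closure that references the
  # original openssl_1_1 is rewritten (string replacement of the store path) to
  # point at the patched build.
  system.replaceRuntimeDependencies = [
    {
      original = pkgs.openssl_1_1;
      replacement = openssl_1_1_patched;
    }
  ];
}
```

The option works by rewriting store paths inside the closure, so the original and replacement derivations need the same name length (`openssl-1.1.1t` and `openssl-1.1.1u` qualify) and ideally an identical directory layout. It is a stopgap for one machine: the rewritten closure is not what Hydra built, so the entry should be dropped again once the real backport lands in the channel.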

Thanks! The tool mentioned to track how far the PR is in a release is quite useful!

There’s also a labeltracker as an RSS feed: Pull requests labeled `1.severity: security' in NixOS/nixpkgs and Issues labeled `1.severity: security' in NixOS/nixpkgs which you can subscribe to.

I am working with the author and ideally the new infra team or nix-community, so we can promote it a bit better.

But work in this area definitely requires help.

2 Likes

So, for this particular case, let’s do 22.11 rebuild now. You can follow:

For those interested, this is what it currently shows for the backport PR linked in the OP: Nixpkgs PR #235017 ("[Backport staging-22.11] openssl_1_1: 1.1.1t -> 1.1.1u") progress

Sounds like it is about time to revive https://github.com/NixOS/nixpkgs/pull/10851

When I created this branch, people told me that this was not worth the complexity because security updates were shipping the next day.

2 Likes

I expect it’s still the same for the bulk of people fixing security issues in nixpkgs, but certainly it’s good to link that work.

Even if security updates were shipping the next day via Hydra, not everyone has the same resources to build that many packages. Your work would additionally make it viable to apply for example bugfix patches to often used library packages that aren’t likely to land in either upstream or nixpkgs any time soon, without having to wait days for every single update to build. It’s sad to hear that that is the reason why you’ve stopped working on it and I hope you reconsider.