tt-rss: make code immutable #55300

Closed
telotortium opened this issue Feb 6, 2019 · 7 comments · Fixed by #133133

Comments

@telotortium
Contributor

Currently, the tt-rss service copies all its code from the Nix store into /var/lib/tt-rss upon startup. Thus, the installation's code can be overwritten by the tt_rss user itself, and be edited by users outside of the Nix store (although changes to the wrong directories will be overwritten upon service restart). This should be changed to make the code immutable as much as possible. See this recent thread on containerizing a TT-RSS installation: https://discourse.tt-rss.org/t/overhaul-ttrss-needs-a-data-directory/1922/19

telotortium added a commit to telotortium/nixpkgs that referenced this issue Feb 6, 2019
Force this option to false. Leaving this as true (currently the default)
is dangerous. If the TT-RSS installation upgrades itself to a newer
version requiring a schema update, the installation will break the next
time the TT-RSS systemd service is restarted.

Ideally, the installation itself should be immutable (see
NixOS#55300).
@stale

stale bot commented Jun 3, 2020

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 3, 2020
@aanderse
Member

aanderse commented Jun 3, 2020

I would say this issue is still relevant... to the point where if it isn't fixed we should consider removing tt-rss and letting the user manually install it themselves.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 3, 2020
@ajs124
Member

ajs124 commented Jun 3, 2020

Before you remove it, we have a ttrss module that does this.
It seems largely incompatible with what's currently in nixpkgs though and I don't know if @dasJ or I will have time to upstream it any time soon.

@aanderse
Member

@ajs124 @dasJ I look forward to seeing it whenever that may be 😄

@dasJ
Member

dasJ commented Jun 11, 2020

@aanderse If you want to have a look, I posted it here: https://gist.github.com/dasJ/2c19e7dbde17daef11afd1ba0703c4a1

This used to be the upstream module, but I modified it so heavily I couldn't just open a simple PR :/
Changes:

  • Almost entirely served from the store (except locks, cache, and feed-icons which are writable)
  • Dropped support for stuff I don't need like PostgreSQL and passwords stored in nix
  • A lot less options where I don't see any point in changing them
  • AppArmor support (just drop everything related to it, it uses our non-upstream AA module)
  • Proper systemd sandboxing (roughly nixos/systemd-sandbox: A generic sandboxing module #87661)
  • Uses our own MariaDB module
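
A check for the condition this issue describes, as an added example that is not part of the thread or of nixpkgs: it lists everything under an install root that a given service user could modify, outside the three writable directories named in the list above. Treating those directories as top-level entries of the root, and all function names, are assumptions of this example.

```python
import os
import stat
import sys

# Directories the thread lists as intentionally writable. Treating them as
# top-level names under the install root is an assumption of this example.
WRITABLE_OK = ("lock", "cache", "feed-icons")


def can_write(st, uid, gids):
    """Unix mode-bit check for a non-root uid: the first matching class
    (owner, then group, then other) decides. ACLs are not considered."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_code_paths(root, uid, gids=(), allowed=WRITABLE_OK):
    """Return sorted paths (relative to root) that uid can modify, outside the
    allowed state directories. Writable directories are reported as well,
    because they let the user replace read-only files inside them."""
    root = os.fspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Do not descend into the directories that are meant to be writable.
            dirnames[:] = [d for d in dirnames if d not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if can_write(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__" and len(sys.argv) == 3:
    import pwd
    user = pwd.getpwnam(sys.argv[2])  # e.g. the tt_rss user named in the issue
    groups = os.getgrouplist(user.pw_name, user.pw_gid)
    for finding in writable_code_paths(sys.argv[1], user.pw_uid, groups):
        print(finding)
```

Run as `python3 check.py <install-root> <service-user>`; an empty result means the user can change nothing outside the allowed directories according to mode bits alone.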

@stale

stale bot commented Dec 9, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 9, 2020
symphorien added a commit to symphorien/nixpkgs that referenced this issue Aug 8, 2021
@symphorien
Member

Implemented in #133133

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 8, 2021
5 participants