New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shipping Security Updates #10851
Shipping Security Updates #10851
Commits on Mar 24, 2016
-
Extract all imports out of pkgsWithOvverrides.
This change add a `packages` argument, such that we can reuse the same function with a different set of packages. Moving `defaultPackages` as argument would be needed for writting tests to ensure that security fixes are applied correctly.
-
-
Move the fix-point from pkgsWithOverridesWithPackages to pkgs, and ad…
…d the unfix prefix to functions.
Commits on Mar 26, 2016
-
Add applyAbiCompatiblePatches function.
This function is in charge of compiling security updates. It does so by taking advantage for the purity of the Nix language. It does not change any of the hashes, even when an identical set of packages is given as argument for the quickfixPackages. The purity of the Nix language offer us a clean way to reason about Nixpkgs as if this was a simple function. Thus, the following property hold true, even when applied to a collection of packages: let f = nixpkgsFun; in fix f == f (f (fix f)); This property is used for building security updates, by using a variant of the first function: let f = nixpkgsFun; g = fixpkgsFun; in g (fix f) Using a fixpkgsFun function which is a function similar to nixpkgsFun, we can generate a similar set of packages while only recompiling the fixed packages. The problem then becomes patching any package which are dependening on the fixed packages. This is what the applyAbiCompatiblePatches functions do. +-------+ | | +---v----+ | +--------+ +--------+ | | | | | | | | pkgs +-----> onefix +-+ +-+ recfix | | | | | | | | | +--------+ +--------+ | | +-----^--+ | | | +--v--v--+ | | | | | abifix +----+ | | +--------+ The loop back on pkgs is the original fix-point on the default set of packages. Then we recompile the patched programs, in the one-fix function call. The rec-fix is a way to probe for recompilations, by comparing the dependencies of one-fix packages, taken from pkgs, with the dependencies of rec-fix packages, taken from the abi-fix packages. The abi-fix packages is a zipping function which takes one-fix packages and rec-fix packages for patching one-fix packages. In practice, it also takes the original set of packages, to ensure that packages have the same package name length, and that other which depend on them can be patched safely.
-
Add a flag for buildfarms, to turn off the abiCompatiblePatches while…
… running the quick-fixes.
-
Add a static analysis to report security issues.
This static analysis unroll the fix-point of Nixpkgs and number each iteration of the fix-point. This numbering is then used to verify the assumption made by the applyAbiCompatiblePatches function of top=level/default.nix. This static analysis reports 2 kinds of errors, and 1 warning. Errors: - Alias Original: A package defined in Nixpkgs is directly defined as a value taken from the fix-point. This can happen for overriden packages. This is a security issue because fixes can be ignored. - Unpatched Inputs: An input which provided in buildInputs or nativeBuildInputs is taken from more than one generation of Nixpkgs. This can be caused by the Alias Original issue, or can be caused by the function which fills the input used in buildInputs. This is a security issue, because fixes of the dependency will not cause this package to be recompiled. Warning: - Static Linking: A package dependent directly on a version of a package which has the same generation as it-self. This is not a security issue, but if this is not expected then this would cause extra recompilation on the buildfarm and add delays until the fixed versions are available.
Commits on Apr 2, 2016
-
Add a test case to verify that security fixes are correctly applied.
The test case create a serie of 5 test packages which are forming a chain. It verifies that: - Hashes are identical if the packages have no need to be recompiled nor patched. - Packages with fixes are recompiled. - Packages with updated dependencies are patched, including the recompiled one. - Hashes are correct and consistent in the final version. - Version numbers are not updated. (abi compatible hypothesis) - Patches carry indirect dependencies modifications. - 2 fixed dependencies can be updates at once.
-
Add test cases to ensure that the onefix, and abifix are keeping the …
…same hashes if there is no fixes.
-
-
Security Static Analysis: forceNativeDrv and lowPrio are not changing…
… the evaluation depth of the derivations.