-
-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
musl: 1.1.11 -> 1.1.15, add security patch. #21023
Conversation
@dtzWill, thanks for your PR! By analyzing the history of the files in this pull request, we identified @thoughtpolice, @wkennington and @obadz to be potential reviewers. |
Well I tried checking the bootstrap tools on Linux, but with or without this change I'm unable to evaluate 'test' attribute:
Quick investigation suggests this is due to 5c6234a, although maybe I'm invoking things wrong under the new system. Anyway, looks like 'dist' seems to work for both x86_64-linux and i686-linux, with the contained 'busybox' binary seemingly working fine. |
The evaluation errors above are resolved in #21189 . Rebasing onto that gets |
@dtzWill, sorry for commenting on an old thread but what was the reason for adding |
It's not related to the CVE, but was added as part of upgrading to 1.1.14 as originally done in another PR: https://github.com/NixOS/nixpkgs/pull/16217/files#diff-6419c747d225d6615bb68bce4fcf42ecR23 . Removing that flag doesn't seem to change behavior of normal build (it decides to not build any wrappers) I'll see what happens when cross-compiling. Are you looking to enable and install the wrapper? |
Well I was mistaken my current big evaluation rebuilds compilers and binutils and all sorts of things... but only musl the once! Was hoping I could tease out a reason for the change in terms of breakage but seems to be fine for me :). I think the idea is that we'll provide our own cc-wrapper (or gcc-cross-wrapper) anyway and so musl shouldn't bother. Hope that helps at least explain the history and reasoning of the change. |
Thanks for looking into this @dtzWill. It's no huge deal, but I would vote for leaving off --disable-gcc-wrapper and letting musl build musl-gcc. It's handy for building static binaries. When I commented that line out locally and nix-env installed musl, I did get musl-gcc. |
Hmm, my tree (including some of the expression for musl) has some differences that would explain the difference no worries. I mean sounds good to me either way, I don't have a particular preference so I'd err on going with the answer that works best for everyone-- which sounds like removing it! Would you mind submitting a PR to do so? :) |
The build of the wrapper was disabled in 93e44be (NixOS#21023) and is not related to the CVE itself. (See comments in the mentioned PR.)
Submitted a PR: #22212. |
Motivation for this change
Update to latest (Aug 2015 -> July 2016), and apply recommended upstream patch for security issue present in all versions.
(see http://www.openwall.com/lists/oss-security/2016/10/19/1 for more information)
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)I did test using nox-review but it only built the musl package. I'm not sure if there are more useful things to check that use musl.