This repository has been archived by the owner on Apr 7, 2022. It is now read-only.

rebuild: copy store derivations #28

Merged
merged 1 commit into from
Sep 8, 2021

dermetfan
Contributor

This is necessary for vulnix as it operates on the .drv files. They cannot be generated by nix on the target machine as only build outputs are copied over and no nix expressions are available.

I considered running the vulnix scan as part of the bitte build to avoid this PR. This introduces infinite recursion if we want to include vulnix itself in the scan. I considered it not worth the effort to try since vulnix itself could be a vulnerability that we would not want to ignore by essentially scanning another configuration than the one we actually deploy.

If we would like to try other options in the future to avoid the need for copying store derivations to the target we can always roll back this change.

lib/src/rebuild.rs (review thread resolved)
@nrdxp nrdxp merged commit e579aa4 into master Sep 8, 2021
@dermetfan dermetfan deleted the vulnix branch September 9, 2021 10:57