@GrahamcOfBorg test systemd

Let's add the passthru tests:

diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 3235fb3b95c..3cf62261bd9 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -7,6 +7,7 @@
 , gettext, docbook_xsl, docbook_xml_dtd_42, docbook_xml_dtd_45
 , ninja, meson, python3Packages, glibcLocales
 , patchelf
+, nixosTests
 , substituteAll
 , getent
 , buildPackages
@@ -295,7 +296,12 @@ in stdenv.mkDerivation {
   # in a backwards-incompatible way.  If the interface version of two
   # systemd builds is the same, then we can switch between them at
   # runtime; otherwise we can't and we need to reboot.
-  passthru.interfaceVersion = 2;
+  passthru = {
+    interfaceVersion = 2;
+    tests = {
+      main = nixosTests.systemd;
+    };
+  };
 
   meta = with stdenv.lib; {
     homepage = "https://www.freedesktop.org/wiki/Software/systemd/";

[Edit]: my bad, this is on 20.03 ><

Let's do this for master, but if systemd breaks to build in stable, we should notice :-)

LGTM

Don't we want to include systemd/systemd#16033 as well? (see this thread for context)

While I agree this is probably desirable, it's 9 patches, and some don't apply cleanly on our 243.7 (which is unfortunately what we have in stable, and they don't see to be backported to systemd-stable/v243-stable branch, as it's too old). Would you be up to creating such a patchset?

I'd need to further dig if the patch inside this PR is enough to fix CVE-2020-13776, or if we need to backport more fixes.

On the other hand, I'm wondering how other stable distros with older systemd versions handle this. Do they just always bump to the most recent major version, or do they maintain a patchset?

I digged into this patchset.

CVE-2020-13776 is fixed by 156a5fd297b61bce31630d7a52c15614bf784843. See the https://github.com/systemd/systemd/pull/15991/files#diff-15f67a613ddd6933b407b80c01f2ae5eR53 test. In that regard, this PR should be good.

The systemd second PR I linked in my previous post is refactoring the various integer parsers. While it's not mitigating any CVE, it's mitigating some potential bugs with +-prefixed uids (which are not supposed to be valid as per the posix specification). f5979b63cc305ba217dfd174b1bf0583bcf75a73 might be particularly interesting to backport. That being said, it'll depend on 5 commits coming from this patchset. Provided the original 6.7 score, I wouldn't bother to backport that. Note: I may be wrong, I'd like a second opinion on that.

On the other hand, I'm wondering how other stable distros with older systemd versions handle this. Do they just always bump to the most recent major version, or do they maintain a patchset?

That's a good question, I have no idea, let's have a look.

Debian, Fedora and Archlinux are targeting github/systemd/systemd-stable.

Debian:

• https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/watch#L3

Arch:

• https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/systemd#n21
• https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/systemd#n94

Fedora:

• https://src.fedoraproject.org/rpms/systemd/blob/master/f/systemd.spec#_4
• https://src.fedoraproject.org/rpms/systemd/blob/master/f/systemd.spec#_32

This repo is supposed to contain the necessary backports for 245.x.

This particular CVE hasn't been backported to systemd-stable though. Debian, Fedora and Arch are still subject to CVE-2020-13776.

That being said, systemd-stable is maintained by the systemd team, which can probably make some better decisions about what to backport than we can do. These backports are also painfree on our side since upstream is also in charge of cherry-picking the backports dependencies ;)

Overall, I think we should start following systemd-stable in place of systemd, at least for NixOS stable.

Let's merge this PR first though.

Debian, Fedora and Archlinux are targeting github/systemd/systemd-stable.

This repo is supposed to contain the necessary backports for 245.x.

This particular CVE hasn't been backported to systemd-stable though. Debian, Fedora and Arch are still subject to CVE-2020-13776.

Thanks for the digging! I'll poke upstream to do a new point release.

Edit: done at systemd/systemd-stable#70

CVE-2020-13776 is fixed by 156a5fd297b61bce31630d7a52c15614bf784843. See the https://github.com/systemd/systemd/pull/15991/files#diff-15f67a613ddd6933b407b80c01f2ae5eR53 test. In that regard, this PR should be good.

Agreed, let's merge this into staging-20.03.

@NixOS/nixos-release-managers, @vcunat, can you take care of piping this through the staging process?