[WIP] glibc: 2.31 -> 2.31-somethingIKnowNotWhatYet [20.09] #103539

Closed

redvers
Member

@redvers redvers commented Nov 12, 2020

cherry-picked (30286eb)

commit 30286ebcc178aec1fb3797ba3ec88cf75feb282b
Author: Maximilian Bosch <maximilian@mbosch.me>
Date:   Mon Aug 10 11:25:08 2020 +0200

    glibc: 2.31 -> 2.32
    
    ChangeLog: https://sourceware.org/pipermail/libc-announce/2020/000029.html
    
    Patches removed:
    
    * `rpcgen-path.patch` is obsolete as the support for SunOS RPC has been
      removed in 2.32[1].
    
    * The vulnerabilities CVE-2020-1752[2] & CVE-2020-10029[3] are fixed in
      `glibc-2.32`[4][5], thus applying those manually isn't necessary anymore.
    
    I also added myself as second maintainer as I'm quite regularly doing
    `glibc`-related stuff in `nixpkgs`, so let's make this situation
    official.
    
    [1] https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=5500cdba4018ddbda7909bc7f4f9718610b43cf0
    [2] https://nvd.nist.gov/vuln/detail/CVE-2020-1752
    [3] https://nvd.nist.gov/vuln/detail/CVE-2020-10029
    [4] Commit 9333498794cde1d5cca518badf79533a24114b6f (CVE-2020-1752)
    [5] Commit ddc650e9b3dc916eab417ce9f79e67337b05035c (CVE-2020-10029)
Motivation for this change

See above: #93992

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@redvers redvers changed the title glibc: 2.31 -> 2.32 [20.09] [WIP] glibc: 2.31 -> 2.32 [20.09] Nov 12, 2020
@veprbl veprbl added this to Needs review in Staging (stable) Nov 12, 2020
@redvers redvers changed the title [WIP] glibc: 2.31 -> 2.32 [20.09] glibc: 2.31 -> 2.32 [20.09] Nov 12, 2020
@redvers
Member Author

redvers commented Nov 12, 2020

There may be packages that this breaks and have additional changes to cherry-pick.
Not sure if they should be cherry-picked into this PR or not -- seeking advice.

@TredwellGit
Member

#100799

@Ma27
Member

Ma27 commented Nov 12, 2020

Yeah, in fact I had to fix ~40 packages during the update to 2.32 (and there were a few more broken). Also I think it's a bad idea to replace such a core component of the OS in a stable release (that is known to have breaking changes in minor releases like the removal of sunrpc support in 2.32 btw), instead we usually applied the relevant patches in the past IIRC.

cc @vcunat

@vcunat
Member

vcunat commented Nov 12, 2020

I'm fairly confident that we don't want to upgrade glibc on a stable release. I think the best alternative is to use the recent 2.31 branch from upstream. They surely are better at backporting than any of us.

@vcunat
Member

vcunat commented Nov 12, 2020

Ah, here's how one can do such a thing: #100813

@redvers
Member Author

redvers commented Nov 14, 2020

Sounds good @vcunat - I can take a stab at it but honestly I'm probably not the best person to do it.

@redvers
Member Author

redvers commented Nov 21, 2020

> Sounds good @vcunat - I can take a stab at it but honestly I'm probably not the best person to do it.

Okay - so I'm the one doing it :-)

Marking as WIP and firing up my hydra instance

@redvers redvers changed the title glibc: 2.31 -> 2.32 [20.09] [WIP] glibc: 2.31 -> 2.31-somethingIKnowNotWhhatYet [20.09] Nov 21, 2020
@redvers redvers changed the title [WIP] glibc: 2.31 -> 2.31-somethingIKnowNotWhhatYet [20.09] [WIP] glibc: 2.31 -> 2.31-somethingIKnowNotWhatYet [20.09] Nov 21, 2020
@redvers
Member Author

redvers commented Nov 23, 2020

Putting it in a new branch/pr so I don't confuse my simple brain.

Will reference this PR in the other to cross-reference for history.

@redvers redvers closed this Nov 23, 2020
Staging (stable) automation moved this from Needs review to Done Nov 23, 2020
@redvers redvers deleted the update_glibc_2.31_to_2.32 branch November 23, 2020 16:03