@grahamc for security.

Surprised at the reverse dependency size, but nix-review confirms. I guess ~everything with a web UI uses sass these days.

But hey, CVE, so yay mass rebuild :(

would you mind changing the base branch to staging?

Done, transplanted to staging.

@danderson you need to change the base branch in the GitHub UI as well as rebasing. (I’ve done it for you this time.)

fwiw, we have previously not taken this update because of some regressions it introduces. See #72934. Although I don’t think we know about the security issues then.

So I guess there’s a trade off to be made here. Fix the CVEs and break packages, or don’t? Cc @FRidh @hedning @lazka.

Maybe we could keep 3.6.1, but just apply the fixes for the CVEs?

Thanks for the review, and for flagging potential issues!

Sounds like "mainline" GTK should work now, although it also sounds like libsass is one of those libraries that's hard to update without breaking stuff :/. sass/libsass#3033 is the upstream bug discussing memory consumption issues, currently without resolution other than "stop doing the sass pattern that triggers the bug".

Based on this, it sounds like 3.6.1 or 3.6.2 with a CVE patch is the way to go now, because the alternative is to risk breaking a lot of builds right before 20.03 (which also needs this CVE patch).

I will try to build a 1.6.1+patches tonight. If that works, I'll update this PR to that.

Unfortunately, libsass 3.6.2 included a large set of code changes, and the CVE patch for 3.6.3 doesn't apply cleanly to 3.6.1. The patch fix is non-obvious (entire new files + refactorings happened in 3.6.2), so to fix based on 3.6.1 we would have to write a custom patch just for nixpkgs, and hope we got it right.

Writing a custom CVE patch makes me more nervous than the risks associated with upgrading to 3.6.3, given that the known regressions in Nix should be fixed. @alyssais wdyt? How should we proceed?

Right, given that this is fixed in gtk, and it's hard to backport the needed fixes, it probably makes sense to merge this as is, and deal with any fallout. Breaking a few themes isn't that big of a deal.

I guess the main issue could be broken builds on hydra which consumes too much resources. So we should watch out for that and mark offending derivations as broken.

@danderson please drop the revert commit and we can merge

Oops, how did that get pushed. Sorry! Fixed.

@GrahamcOfBorg build arc-theme

Somebody probably needs to do a nix-review and mark broken any packages that OOM with a reasonable amount of memory

Ack. I don't have a machine with the resources to nix-review this right now. Will attempt to locate one and do this.

Checking themes can be done while its in staging-next so we have a stdenv.

Building arc-theme with this patch ate my RAM (16GiB), froze the system, and I had to hard reset. This broke my file system and I had to rescue it by booting up a USB stick and doing fsck.

Then I added 16GiB of swap and tried again. It ate my swap. I had to revert this patch locally and use libsass-3.6.1.

Maybe we should mark arc-theme as broken for now?

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/out-of-memory-rebuilding-nixos-unstable/6786/3

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/my-laptop-froze-mid-upgrade-and-now-im-getting-strange-errors/6781/3

marked arc-theme and yaru-theme as broken on master.

I think this also most likely broke hlibsass (haskell bindings to libsass) and all the packages downstream.

I was wrong. This actually fixes it. I had version of channel on my machine.