
Backport of #43811 jdk updates (help needed) #43842

Merged
merged 1 commit into from Oct 6, 2018

Conversation

srhb
Contributor

@srhb srhb commented Jul 20, 2018

Backport of parts of #43811

oraclejdk: 10.0.1 -> 10.0.2 [Critical security fixes]

(cherry picked from commit defa760)

Motivation for this change

I am unsure what the correct approach is here. From the release notes, it seems like we should drop the oraclejdk8psu_distro entirely, but is that a sensible thing to do on our stable branch?

Opinions wanted. :-)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@LnL7
Member

LnL7 commented Jul 21, 2018

We can keep it, but mark it as insecure.

@srhb
Contributor Author

srhb commented Jul 21, 2018

I've constrained this to 10.0.1 -> 10.0.2 since I'm not sure how to deal with the insecure mark.

@LnL7
Member

LnL7 commented Jul 21, 2018

I'm referring to meta.knownVulnerabilities, here are some examples: https://search.nix.gsc.io/?q=knownVulnerabilities%20%3D&i=nope&files=&repos=
That results in an error message like this, but still allows the user to bypass it if a working build is more important to them.

Known issues:
 - CVE-2013-1953

You can install it anyway by whitelisting this package, using the
following methods:

a) for `nixos-rebuild` you can add ‘autotrace-0.31.1’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "autotrace-0.31.1"
       ];
     }

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘autotrace-0.31.1’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "autotrace-0.31.1"
       ];
     }
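
To make the mechanism described above concrete, here is an added, simplified model of how the whitelist is matched against a package (example code written for this discussion, not nixpkgs' own check-meta implementation): the `permittedInsecurePackages` entry has to equal the package's full `name` (pname plus version), so a version bump like the one in this PR invalidates an existing whitelist entry and the error reappears. The package and config values are constructed for illustration; evaluate the file with `nix-instantiate --eval --strict`.

```nix
# Added example, not nixpkgs code: a minimal model of the
# meta.knownVulnerabilities / permittedInsecurePackages check.
# Evaluate with: nix-instantiate --eval --strict model.nix
let
  # Constructed package metadata, mirroring the autotrace error message above.
  pkg = {
    name = "autotrace-0.31.1";
    meta.knownVulnerabilities = [ "CVE-2013-1953" ];
  };

  # What a user would put in ~/.config/nixpkgs/config.nix (constructed).
  config = {
    permittedInsecurePackages = [ "autotrace-0.31.1" ];
  };

  # A package is permitted only if its exact name appears in the whitelist.
  isPermitted = p: builtins.elem p.name (config.permittedInsecurePackages or [ ]);

  # A package is blocked when it lists vulnerabilities and is not permitted.
  isInsecure = p: (p.meta.knownVulnerabilities or [ ]) != [ ] && !(isPermitted p);

  # Same package after a version bump: the whitelist entry no longer matches.
  bumped = pkg // { name = "autotrace-0.31.2"; };
in {
  blockedAsIs      = isInsecure pkg;     # whitelisted by exact name
  blockedAfterBump = isInsecure bumped;  # whitelist entry is stale after the bump
}
```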

@srhb
Contributor Author

srhb commented Jul 21, 2018

Right, I know about the option, but the way the oraclejdks are set up, this would require duplicating the content of the general package since it has no meta parameterization or passthrough.

@samueldr
Member

samueldr commented Oct 6, 2018

@andir any opinions here? I think it's still important to get this into 18.03 before it's EOL'd completely.

@andir
Member

andir commented Oct 6, 2018

@samueldr thanks for the ping. We should definitely get the fixes into 18.03.

@srhb How about just changing the PSU release to something like shown below? It is probably not the prettiest we could come up with, but that should get the job done.

{ callPackage, ... }@_args:
let
  drv = import ./jdk-linux-base.nix {
    productVersion = "8";
    patchVersion = "172";
    downloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html;
    sha256.i686-linux = "0csskx8xis0dr1948j76fgrwwsj4gzdbjqfi7if4v4j62b9i0hqa";
    sha256.x86_64-linux = "0inkx73rwv7cvn9lqcr3hmnm0sr89h1fh29yamikb4dn02a0p818";
    sha256.armv7l-linux = "1576cb0rlc42dsnmh388gy1wjas7ac6g135s8h74x8sm4b56qpln";
    sha256.aarch64-linux = "0zpkmq8zxmpifawj611fg67srki63haz02rm6xwfc5qm2lxx5g6s";
    jceName = "jce_policy-8.zip";
    jceDownloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html;
    sha256JCE = "0n8b6b8qmwb14lllk2lk1q1ahd3za9fnjigz5xn65mpg48whl0pk";
  };
  args = removeAttrs _args ["callPackage"];
in
(callPackage drv args).overrideAttrs (attrs: {
  meta = attrs.meta // {
    knownVulnerabilities = [ "CVE-XXX-YYYYY" ];
  };
})

@srhb
Contributor Author

srhb commented Oct 6, 2018

Thanks @andir, I had something similar but was unable to test it since Oracle's website apparently has some draconic requirements before you can even get at the archived versions.

I propose clicking the button and getting the 10.0.1 -> 10.0.2 bump done and raising a separate issue for marking the psu release insecure. I'll leave oracle backports to others in the future to avoid similar hold-ups. Apologies. :)

@andir andir merged commit bfa517d into NixOS:release-18.03 Oct 6, 2018
@srhb srhb deleted the jdk-backport branch October 6, 2018 09:01