New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: introduce a patches file in <pkg>/nix-support/ #61974
base: staging
Are you sure you want to change the base?
Conversation
Not sure why this is needed, because those file names are already accessible through the derivation value itself, |
@infinisil If you have an installed package there is no way to get that. What you suggested is the same as the current situation which is parsing the derivation. |
Ah I see. You can still do this though: $ nix show-derivation $(nix-store -q --deriver \
/nix/store/681354n3k44r8z90m35hm8945vsp95h1-glibc-2.27) \
| jq '.[].env.patches'
"/nix/store/r0rc2prwi70hgw4jray5a8sd41fhvjm7-rpcgen-path.patch /nix/store/pp29isd0nvy4jrm9q2f92pjlc83xwa0i-nix-locale-archive.patch /nix/store/5212825a2npxaf7qd81sxfrqq6219rlx-dont-use-system-ld-so-cache.patch /nix/store/mnglr8rr7nl444h7p50ysyq8qd0fm1lm-dont-use-system-ld-so-preload.patch /nix/store/za0pg7fmysrcwrqcal26fnmzw6vycgdn-fix_path_attribute_in_getconf.patch /nix/store/xkd50xxii6k7l1kmw4l5x6xzbhamcs87-allow-kernel-2.6.32.patch /nix/store/nqa9d4yxz1l2cgswzqr1pkm4jfrksm0q-locale-C.diff /nix/store/7kw224hdyxd7115lrqh9a4dv2x8msq2s-fix-x64-abi.patch" |
@infinisil the whole point is to not require derivations to be available :) |
Oh right, I forgot that So the main use case for this is for end users being able to check what patches their installed software has? |
@infinisil yeah. For me the idea is to use Vulnix to automate vulnerability scans of live systems. |
I'm 👍 on this idea then :) |
Changed from draft to ready to review to get automatic reviewers. |
I haven't been following the discussion on pure evaluation but my gut feeling tells me that the idea of adding structured metadata to the output is a good idea. This is also something that the Python community in their packaging has been banging their heads on and they're moving towards structured, static metadata attached to package releases instead of having to evaluate (untrusted) Python code in some location. Obviously Nix is in a better spot here, but still, my intuition tells me that this might become an ever-repeating corner case issue so I'd be in favor of computing static metadata and attaching that to the output. The format ($out/nix-support) might need to be thought of a little bit more: Who manages that namespace? Should we use multiple files or a single file? Is the intended consumer better served using a structured format like JSON? We might want to start with something like what we have now and then deprecate or evolve the format later (adding a version identifier early on could be helpful for consumers). One specific note on this patch: AFAICT this only includes the metadata on the dev output, but IMHO those should be present in all outputs. |
Nix already has a way to keep the structured metadata: |
Right, however, I'm not sure whether that helps - you can create stores that will never have the derivations in the first place and thus it's not an issue of preventing GC but getting them in the first place ... or did I get that wrong? |
True, you can do that. Maybe Nix could have an option As soon as we have structured attributes, the stdenv could have an output |
Hello, I'm a bot and I thank you in the name of the community for your contributions. Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human. If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do: If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list. If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past. If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments. Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel. |
I marked this as stale due to inactivity. → More info |
Can we revisit this? cc @nikstur (discussions on SBOM at sprint) |
@RaitoBezarius Yeah SBOMs would be the right way to go forward with this, I don't know if they were a thing in 2019 when I initially created the issue :D but it certainly is what I wanted to have. SBOM+VEX is probably the thing we need for nix packages, it can be also an artifact that is part of the store path output ? |
Sounds like CycloneDX would be the ideal fit. It is an easy to read JSON and can be BOTH a SBOM and a VEX (and many more things) at the same time. We could either expose the SBOM as a passthru argument/derivation or include it in the output of the derivation. You can then use a tool like bombon (which I have written) to collect the SBOMs of the dependencies and assemble them into a single document for an arbitrary closure. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really get the point of this.
If you have an output path on a system but not the accompanying derivation, you're likely managing that system remotely and in that case you have the nix expressions handy.
Then also the patches are put into the dev
output which you'll likely not actually have in a system closure as that's part of the build-time closure at best.
Next problem is a minor one but it's still smelly: The patches are now referenced by the dev output which means they become part of its closure. Build-time deps leaking into the output paths doesn't feel right.
If you have the need to audit your systems, you should use the Nix expressions directly.
The state of a system should always be a direct result of the Nix expressions, so looking at it should contain no more information than was available before which means there's no point looking at it other than to verify it's indeed the result of some Nix expressions.
This is assuming a very Nix expression driven world, but Nix store is a lower level primitive that can be used in more contexts than simply Nix expressions IMHO. Moreover, not all tooling is going to understand how to derive this information from Nix expressions, having them as part of derivations is a neat way to make them understandable for "simple tooling" (scanners, compliance, etc.).
Maybe, let's not have patches but SBOMs? Would that solve the smell? |
I can't imagine how you'd arrive at output paths in any other way than Nix expressions outside of highly experimental tooling. (well, other than using GUIX); not something you'd do in a productive environment that cares about security enough to warrant checks.
If you care about security at all, you should teach the tooling how to get the info from Nix expressions or use better tooling.
Good point. I'm not against optional support for this sort of thing. If you are forced to use bad tooling for security audits etc., there's no other way. I'd be fine with an opt-in flag to store patches, SBOM or whatever lesser source information in the output. Not on my machine though please. I don't need thousands of useless patches in my closure. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/tweag-nix-dev-update-46/26872/4 |
Motivation for this change
This is more of a request for comments than an actual PR, I would like to collect some feedback in order to find ways to scan for vulnerabilities in a live system without the need to have derivations available in the nix store.
Vulnix is a great tool in the Nixpkgs development context but when we want to use it for automating scans of live systems where derivations aren't necessarily available it becomes a bit tricky. An example of such systems is machines that are deployed with NixOps where the derivations are built in a deploy server or machines that rely on a binary cache to substitute paths.
The idea in this PR is to introduce a
patches
file that would be created under/nix/store/<hash>-<pkg-name>/nix-support/
; in such a file we would dump the list of patches filenames. Afaik, Vulnix already relies on the assumption that CVE patches would have a filename that mentions the CVE id, from the README:So we can follow the same approach for Nix store paths and teach Vulnix to look for the patches file under nix-support to auto-detect security fixes
cc: @ckauhaus
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)