Security backport for stable: #309808 |
06kellyjac
left a comment
Is the liblastlog2 and pam_lastlog2 dependency on sqlite always necessary, or only with pamSupport?
LGTM
If I'm reading correctly, it's possible to build liblastlog2 without building pam_lastlog2. We could add an option to disable it, but I don't know how to decide whether that's worth it. |
|
For reference, the parallel build is a bit flaky now: |
|
Time to switch to Meson? |
|
It feels late for 24.05. But fortunately adding meson+ninja wouldn't create an eval-time cycle here. |
|
Reported, also. |
Difficult to know if these actually fix it, since it only happens sometimes. Link: NixOS#309805 (comment) Link: https://lore.kernel.org/util-linux/87le4c1zm4.fsf@alyssa.is/
Difficult to know if these actually fix it, since it only happens sometimes. Link: #309805 (comment) Link: https://lore.kernel.org/util-linux/87le4c1zm4.fsf@alyssa.is/ vcunat edit: only apply on some platforms for now, balancing fixes and the amount of rebuild work on Hydra. The rest is picked from PR #311988
|
And (aarch64-)darwin build regressed on this update with a different error now: https://hydra.nixos.org/build/260146685 |
|
Oh, that darwin issue would even become a blocker for |
|
There's also a bug report here: util-linux/util-linux#3011. |
|
Man, x86_64-darwin sports yet another error: (IIRC older macOS doesn't provide this function yet) |
|
Quite bad luck with this release, and in the last moments before nixpkgs "freeze". |
|
I really wish OfBorg was capable of getting past LLVM on staging for Darwin… |
|
If it was so easy, we perhaps wouldn't even need |
|
It gets most of the way through — we just need to up the timeout a bit, and then I think OfBorg might even be less overloaded, because it wouldn't be wasting so much of its time trying the same futile LLVM builds over and over. |
|
Maybe we should just roll back to util-linux 2.39.x for now and keep nixpkgs 24.05 that way? (darwin now, linux on the next rebuild) |
|
Sounds fine. |
|
We should probably cherry-pick #309808 in that case. |
|
Perhaps 2.39.4 instead, as it sounds minimal and should also contain that fix
We're running into multiple issues, so let's be conservative. In particular, this commit should fix *-darwin builds. /cc PR #309805 as this is kind-of reverting it (partially for now)
|
Ah yes, that sounds good. I missed that. |
|
For reference, 2.40.1 also broke its static musl build: |
We need this now to fix nixStatic build: https://hydra.nixos.org/build/259722977 /cc PR #309805
|
That's likely easily fixed by just disabling the PAM plugin on static builds. But is there any point fixing that, even on staging, or will we revert this there as well? |
|
Right, not now. I've given up on fixing 2.40.x for nixpkgs 24.05. |
|
I mean what about staging? i.e. post 24.05 |
|
I guess it'd just cause merge conflicts, since the gradual reversion on staging-next will propagate to staging. So for future reference when we come back to 2.40, here's the diff for static: diff --git i/pkgs/os-specific/linux/util-linux/default.nix w/pkgs/os-specific/linux/util-linux/default.nix
index 642480b670c7..169f8293ae3e 100644
--- i/pkgs/os-specific/linux/util-linux/default.nix
+++ w/pkgs/os-specific/linux/util-linux/default.nix
@@ -6,6 +6,7 @@
, ncursesSupport ? true
, ncurses
, pamSupport ? true
+, pamLastlogSupport ? pamSupport && !stdenv.hostPlatform.isStatic
, pam
, systemdSupport ? lib.meta.availableOn stdenv.hostPlatform systemd
, systemd
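Review bot: the new `pamLastlogSupport` argument carries no comment explaining why it defaults to off when `stdenv.hostPlatform.isStatic` is set. A one-line comment next to the default, pointing at the static build failure, would keep the condition from being dropped later. The name could also be `pamLastlog2Support`, so that it matches the `pam-lastlog2` configure feature it controls.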
@@ -61,6 +62,7 @@ stdenv.mkDerivation rec {
"--disable-makeinstall-setuid" "--disable-makeinstall-chown"
"--disable-su" # provided by shadow
"--with-tmpfilesdir=${placeholder "out"}/lib/tmpfiles.d"
+ (lib.enableFeature pamLastlogSupport "pam-lastlog2")
(lib.enableFeature writeSupport "write")
(lib.enableFeature nlsSupport "nls")
(lib.withFeature ncursesSupport "ncursesw") |
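Review bot: `(lib.enableFeature pamLastlogSupport "pam-lastlog2")` uses the new argument on its own, so an override that sets `pamLastlogSupport = true` together with `pamSupport = false` would still pass `--enable-pam-lastlog2`. Only the default ties the two flags together. Consider `lib.enableFeature (pamSupport && pamLastlogSupport) "pam-lastlog2"`, or an assertion that rejects that combination.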
|
For context: This update also caused a regression with detecting the UUID of some special LUKS devices (maybe only if the LUKS device contains an LVM). I haven't reported this upstream yet, will do later. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/nixos-24-05-upgrade-no-boot-device/46335/3 |
|
bcachefs-tools on master needs util-linux/util-linux#3001 to detect my disks correctly, not a huge issue, but worth noting for future potential issues if that makes it into nixpkgs-unstable before this does. |
|
We can backport that patch. |
Description of changes
CVE-2024-28085 (low priority since NixOS doesn't make wall setgid by default).
Release notes
Don't see anything looking like a breaking change.