Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automate third-party dependency update from Nix #9134

Closed
Atry opened this issue Jul 21, 2022 · 0 comments
Closed

Automate third-party dependency update from Nix #9134

Atry opened this issue Jul 21, 2022 · 0 comments

Comments

@Atry
Copy link
Contributor

Atry commented Jul 21, 2022

Since we are building universal packages with Nix, we ship HHVM with some bundled dependencies, including:

  1. Cargo dependencies
  2. Statically linked libraries
  3. Nix dependencies in universal packages

We will take the responsibility to update them in case of vulnerabilities. For 1, we have autocargo to update them. For 2, we would reduce them as mentioned in #9130. For 3, we will need a robot to create pull requests to update them.

Once we update to the latest nixpkgs, it will give us some metadata about whether a package is known vulnerable from CI signal, like this:

error: Package ‘libdwarf-20210528’ in /nix/store/4la4fc5wfn4p0784i12h0a046yqzln16-source/pkgs/development/libraries/libdwarf/common.nix:5 is marked as insecure, refusing to evaluate.
       Known issues:
        - CVE-2022-32200
       You can install it anyway by allowing this package, using the
       following methods:
       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:
            $ export NIXPKGS_ALLOW_INSECURE=1
        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.
       b) for `nixos-rebuild` you can add ‘libdwarf-20210528’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:
            {
              nixpkgs.config.permittedInsecurePackages = [
                "libdwarf-20210528"
              ];
            }
       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘libdwarf-20210528’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:
            {
              permittedInsecurePackages = [
                "libdwarf-20210528"
              ];
            }

Then we can either patch it, work around it, or keep using it if we confirm it does not affect us, e.g. https://github.com/facebook/hhvm/pull/9128/files#diff-206b9ce276ab5971a2489d75eb1b12999d4bf3843b7988cbe8d687cfde61dea0R22-R26

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant