You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Since we are building universal packages with Nix, we ship HHVM with some bundled dependencies, including:
Cargo dependencies
Statically linked libraries
Nix dependencies in universal packages
We will take the responsibility to update them in case of vulnerabilities. For 1, we have autocargo to update them. For 2, we would reduce them as mentioned in #9130. For 3, we will need a robot to create pull requests to update them.
Once we update to the latest nixpkgs, it will give us some metadata about whether a package is known vulnerable from CI signal, like this:
error: Package ‘libdwarf-20210528’ in /nix/store/4la4fc5wfn4p0784i12h0a046yqzln16-source/pkgs/development/libraries/libdwarf/common.nix:5 is marked as insecure, refusing to evaluate.
Known issues:
- CVE-2022-32200
You can install it anyway by allowing this package, using the
following methods:
a) To temporarily allow all insecure packages, you can use an environment
variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
(Flake) command, `--impure` must be passed in order to read this
environment variable.
b) for `nixos-rebuild` you can add ‘libdwarf-20210528’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"libdwarf-20210528"
];
}
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘libdwarf-20210528’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"libdwarf-20210528"
];
}
Since we are building universal packages with Nix, we ship HHVM with some bundled dependencies, including:
We will take the responsibility to update them in case of vulnerabilities. For 1, we have autocargo to update them. For 2, we would reduce them as mentioned in #9130. For 3, we will need a robot to create pull requests to update them.
Once we update to the latest nixpkgs, it will give us some metadata about whether a package is known vulnerable from CI signal, like this:
Then we can either patch it, work around it, or keep using it if we confirm it does not affect us, e.g. https://github.com/facebook/hhvm/pull/9128/files#diff-206b9ce276ab5971a2489d75eb1b12999d4bf3843b7988cbe8d687cfde61dea0R22-R26
The text was updated successfully, but these errors were encountered: