Hello, I pushed ‘wip-grafts’, a branch that implements “grafts.”

Normally security updates deep in the DAG, such as an update of Bash or libc, cause a rebuild of everything, which can take some time, as we’ve seen lately.

The idea of grafts is to graft the fixed package on any packages users may want to install. So, suppose there’s a libc fix; when installing IceCat, you’ll just be starting from the (pre-built) IceCat, and an additional derivation will patch the files in it to replace references to the old libc with references to the fixed libc (in practice this only works if the file names of the old and fixed libc have the same length.)

‘wip-grafts’ adds a ‘graft’ field to package records. In the example above, we’d just add a ‘graft’ field to glibc, pointing to the fixed glibc, and the graft would just be automagically applied. The branch has an example of that with Bash:

--- a/gnu/packages/bash.scm +++ b/gnu/packages/bash.scm @@ -185,7 +185,13 @@ allows command-line editing, unlimited command history, shell functions and aliases, and job control while still allowing most sh scripts to be run without modification.") (license gpl3+) - (home-page "http://www.gnu.org/software/bash/")))) + (home-page "http://www.gnu.org/software/bash/") + (graft bash-fixed)))) + +(define bash-fixed ;FIXME: Use something real. + (package (inherit bash) + (version "4.3.42") + (graft #f))) (define-public bash-light ;; A stripped-down Bash for non-interactive use. @@ -210,4 +216,5 @@ without modification.") ,@(if (%current-target-system) '("bash_cv_job_control_missing=no") - '())))))))) + '())))))) + (graft #f)))
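
Review bot: `bash-fixed` in the first hunk inherits from `bash` and has to reset the field by hand with `(graft #f)`, and the second hunk adds the same reset at the end of `bash-light`, which suggests that anything derived from a grafted package silently carries the graft unless the author remembers to clear it. Either document that requirement next to the `graft` field or stop the field from propagating through `inherit`, so that a forgotten reset cannot leave a package pointing at a replacement meant for another one. Separately, `bash-fixed` still carries `;FIXME: Use something real.` and overrides only `version`; since the message says grafting only works when the old and fixed file names have the same length, a check that rejects a mismatched pair would make that constraint explicit.
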

The implementation looks for ‘graft’ fields in all the transitive inputs of the package being built.

Currently it works but needs more testing and documentation. There are also performance issues that need to be worked out.

Comments welcome!

The general idea was implemented by Shea Levy in Nixpkgs¹, and also suggested by Mark Weaver on IRC, who helped refine how things should work in Guix–thanks!

Ludo’.

¹ https://github.com/NixOS/nixpkgs/commit/d1662d715514e6ef9d3dc29f132f1b3d8e608a18
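
The reference rewriting described in the message, and why it depends on equal-length file names, as an added example that is not part of the original post or of the ‘wip-grafts’ branch. It is written in Python rather than Guix's Scheme; the function name `graft_bytes`, the store file names and their hashes are constructed for illustration.

```python
import re

def graft_bytes(data, mapping):
    """Rewrite store references in `data`; return (new_data, replacements).

    `mapping` maps old store file names to fixed ones (bytes -> bytes).
    """
    for old, new in mapping.items():
        # An in-place rewrite must not shift any byte of the file: offsets in
        # ELF sections, archives, etc. stay valid only if lengths match.
        if len(old) != len(new):
            raise ValueError(f"length mismatch: {old!r} -> {new!r}")
    if not mapping:
        return data, 0
    # Longest first so a name that is a prefix of another cannot shadow it.
    names = sorted(mapping, key=len, reverse=True)
    pattern = re.compile(b"|".join(re.escape(n) for n in names))
    new_data, count = pattern.subn(lambda m: mapping[m.group(0)], data)
    assert len(new_data) == len(data)
    return new_data, count

# Constructed sample data: made-up hashes, not real store items.
OLD_LIBC = b"/gnu/store/" + b"a" * 32 + b"-glibc-2.20"
NEW_LIBC = b"/gnu/store/" + b"b" * 32 + b"-glibc-2.20"
# A stand-in for a pre-built binary: header, RUNPATH-like strings, payload.
BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
        + OLD_LIBC + b"/lib\x00"
        + OLD_LIBC + b"/lib/ld-linux-x86-64.so.2\x00"
        + b"PAYLOAD")

def demo():
    grafted, n = graft_bytes(BLOB, {OLD_LIBC: NEW_LIBC})
    # The payload sits at the same offset before and after the graft.
    same_offset = grafted.index(b"PAYLOAD") == BLOB.index(b"PAYLOAD")
    return grafted, n, same_offset

if __name__ == "__main__":
    grafted, n, same_offset = demo()
    print(f"{n} references rewritten, payload offset unchanged: {same_offset}")
    try:
        # A fixed package whose name is one character longer cannot be grafted.
        graft_bytes(BLOB, {OLD_LIBC: NEW_LIBC + b"1"})
    except ValueError as e:
        print("refused:", e)
```
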