-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dotnet: improve EOL evaluation errors #363439
Conversation
@Atemu as discussed in #339370
That does sound reasonable, but cc-wrapper does:
So it only replaces those three attributes and inherits everything else. What I've done here only sets Edit: |
914bd66
to
26acd64
Compare
inherit (cli) meta; | ||
meta = { | ||
description = "${cli.meta.description} (combined)"; | ||
maintainers = with lib.maintainers; [ corngood ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maintainers here should be inherited or a combination of all maintainers from all combined packages imo
|
||
meta = { | ||
description = "${unwrapped.meta.description} (wrapper)"; | ||
maintainers = with lib.maintainers; [ corngood ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should inherit the maintainers from the unwrapped as well shouldn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's sort of what I was getting at with my top level comment. Why shouldn't it be the maintainers of the wrapper itself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, you can be, but the wrapped package is also affecting the end result, so their maintainers should be preserved and then you added on top (even though it won't change much as currently you're the maintainer for both).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have a good answer for that, which is why I created this draft PR for discussion. It looks like most other wrappers err on the side of inheriting things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think to address the original problem we could inherit from meta but remove things like vulnerabilities, deprecations and etc.
Unless if @Atemu has some documentation, code comment, discourse post, matrix chat or something similar saying that wrappers shouldn't inherit meta like that, considering that all other wrappers seem to do it.
Because it is confusing finding many other languages doing it but then being told we shouldn't when we're in the same situation as them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't any sort of standard or documented best practice, just my opinion.
I hold this opinion precisely because of cases like the linked one where passing through all of meta causes issues. There are further issues such as meta.position
and who knows what other magic is hidden in meta.
I think other wrappers should also only inherit what is acually necessary.
Just because it's the predominant pattern, that doesn't mean it's good.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just because it's the predominant pattern, that doesn't mean it's good.
I tend to agree, which is why this PR goes completely the other way. IMO the sanest thing to do is just treat the wrapper as its own package and only inherit what's needed. Otherwise we have to define exactly what a wrapper is, and I don't think it's going to be clear in all cases.
What's your take on maintainers
specifically?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think other wrappers should also only inherit what is acually necessary.
Just because it's the predominant pattern, that doesn't mean it's good.
Yes, it doesn't, but it gets used as reference for new things constantly and provides a certain measure of standardization as if you've seen one wrapper you have an idea of how other wrappers will work.
If this wasn't an issue for other compilers which are used much more widely than .NET I don't see why this should be an issue for us or something addressed at a higher level across all of nixpkgs.
Users are putting themselves and others (on their local network, chat apps, social networks, shared devices and more) at risk by using .NET 6 and/or 7. I don't think this should be easy nor painless to do. It should cause as big of an annoyance as possible so they actually think about what they're doing and maintainers actually do something about it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I replied at top level. I think we should keep this thread for discussion of maintainers
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this wasn't an issue for other compilers which are used much more widely than .NET I don't see why this should be an issue for us
Because dotnet is the only compiler I know of in Nixpkgs that gets EOL'd via insecure.
Btw, why is the compiler EOL'd anyways? Isn't only the runtime relevant for security? Not to deep into dotnet to know the details here.
Users are putting themselves and others (on their local network, chat apps, social networks, shared devices and more) at risk by using .NET 6 and/or 7. I don't think this should be easy nor painless to do. It should cause as big of an annoyance as possible so they actually think about what they're doing and maintainers actually do something about it.
Having to put it in permittedInsecure is annoyance enough. Anything past that is extremely unnecessary.
swift-wrapper inherits all of meta:
pkgconfig-wrapper does something like cc-wrapper:
rustc-wrapper:
|
Lets discuss this here because it's not related to the line of code quoted. This is about whether we do anything at all. i.e. Do we even remove Right now you have to do this:
IMO there's no benefit in requiring that the wrapper be permitted separately. It's just confusing. |
Yes, I don't disagree it's confusing, however we're causing maintainer churn for something that'll ultimately be removed (.NET 6 and 7). |
It benefits me because I currently have all of this in my local config:
and I'm not going to realistically stop using those packages any time soon. |
True, but is all of this worth it to avoid adding just one extra like per SDK? |
@Atemu continuing here since it's unrelated to maintainers line.
Maybe we should look at how java handles this? Considering they have the same model there (compiler + runtime).
The SDK could be left as not insecure, however the packages used at runtime definitely should be marked as such if we do so. As a package can compile with a more recent SDK and run in a more recent runtime runtime but use packages from an earlier release which are EOL and possibly insecure.
Yes, but if we marked them as unsupported I don't see why we should waste extra effort on it as we'll be removing it once it's no longer used in nixpkgs anyways. |
Java apps generally depend on LTS versions and those are generally maintained for decades. It's rare for a Java app that is not compatible with a supported LTS JDK to have any relevance whatsoever because it must have been last updated well over a decade ago. I'm not saying this doesn't happen but it's exceedingly rare I think.
To not make the lives of those who have no other choice unnecessarily hard.
I'm not quite sure what you mean by this? Marking the SDK and runtimes as insecure has already happened which has already marked all dependent packages as insecure transitively. Are you intending on marking the individual packages as insecure? If so, why? That wouldn't solve any problem and only cause unnecessary pain. It'd also be wrong because the packages themselves don't have security issues, it's the SDKs they use and those are already marked appropriately and cause an eval abort.
Again, this isn't about making their life easier through significant effort, it's about not making their lives unnecessary hard with very little effort in correctly setting metadata. It's simply incorrect to mark i.e. the wrapper as insecure because the wrapper code itself doesn't have any known security issue whatsoever, only the wrapped SDK. |
Yes.
It would, because if you look at the other PR, that removes unnecessary uses of
It wouldn't be wrong. Many .NET CVEs have been causes by packages and not the runtime itself. Including RCEs. Just look through previous advisories and you'll see they mention package versions and not the runtime itself. For example,
Fair, but the eval error already tells the person everything they have to add, is it really making their lives harder if we spoonfeed them everything they need to do to fix it? I'm not entirely against fixing this, I'm just upset at this being solved here and not at a higher level with guidance on the best way to do this considering that much larger packages do this and don't seem to be doing any similar changes. |
I may be wrong, but I think you're talking about different things. @GGG-KILLER is talking about marking the nuget packages associated with an insecure SDK/runtime insecure, not marking packages built with the SDK insecure. So for example:
However, I think this is getting off topic for this PR. We'll do another for that change, and we can discuss it there. |
@GGG-KILLER @Atemu Do either of you (or anyone else) have any actual problems with this PR as it is?
IMO most of this has been off-topic. |
I have a problem with the maintainers list, lack of url and homepage. |
For reference: {
available = true;
broken = false;
description = ".NET SDK 9.0.100";
homepage = "https://dotnet.github.io/";
insecure = false;
knownVulnerabilities = [ ];
license = {
deprecated = false;
free = true;
fullName = "MIT License";
redistributable = true;
shortName = "mit";
spdxId = "MIT";
url = "https://spdx.org/licenses/MIT.html";
};
mainProgram = "dotnet";
maintainers = [
{
email = "[email protected]";
github = "kuznero";
githubId = 449813;
name = "Roman Kuznetsov";
}
{
email = "[email protected]";
github = "mdarocha";
githubId = 11572618;
name = "Marek Darocha";
}
{
email = "[email protected]";
github = "corngood";
githubId = 3077118;
name = "David McFarland";
}
];
name = "dotnet-sdk-9.0.100";
outputsToInstall = [ "out" ];
platforms = [
"x86_64-darwin"
"aarch64-darwin"
"aarch64-linux"
"x86_64-linux"
];
position = "/home/david/src/nixpkgs/pkgs/development/compilers/dotnet/build-dotnet.nix:212";
sourceProvenance = [
{
isSource = false;
shortName = "binaryBytecode";
}
{
isSource = false;
shortName = "binaryNativeCode";
}
];
unfree = false;
unsupported = false;
} So how about we keep:
I'm not sure that's the case. Things that live in nixpkgs (e.g. |
Sounds good to me!
But won't that affect the display in |
Yes, presumably. I think that's a good enough reason to include |
26acd64
to
a5d767c
Compare
Okay, I've updated it as discussed. Here's a diff of the wrapped meta attrset: 2c2
< available = false;
---
> available = true;
4c4
< description = ".NET SDK 6.0.428";
---
> description = ".NET SDK 6.0.428 (wrapper)";
6,7c6
< insecure = true;
< knownVulnerabilities = [ "Dotnet SDK 6.0.428 is EOL, please use 8.0 (LTS) or 9.0 (Current)" ];
---
> insecure = false;
38c37
< name = "dotnet-sdk-6.0.428";
---
> name = "dotnet-sdk-wrapped-6.0.428";
46,56c45
< position = "/home/david/src/nixpkgs/pkgs/development/compilers/dotnet/build-dotnet.nix:212";
< sourceProvenance = [
< {
< isSource = false;
< shortName = "binaryBytecode";
< }
< {
< isSource = false;
< shortName = "binaryNativeCode";
< }
< ];
---
> position = "/home/david/src/nixpkgs/pkgs/development/compilers/dotnet/wrapper.nix:28"; and a combinePackages meta: 64c53
< description = ".NET SDK 9.0.101";
---
> description = ".NET SDK 9.0.101 (wrapper) (combined) (wrapper)";
67d55
< knownVulnerabilities = [ ];
98c86
< name = "dotnet-sdk-9.0.101";
---
> name = "dotnet-wrapped-combined";
106,116c94
< position = "/home/david/src/nixpkgs/pkgs/development/compilers/dotnet/build-dotnet.nix:212";
< sourceProvenance = [
< {
< isSource = false;
< shortName = "binaryBytecode";
< }
< {
< isSource = false;
< shortName = "binaryNativeCode";
< }
< ];
---
> position = "/home/david/src/nixpkgs/pkgs/development/compilers/dotnet/wrapper.nix:28";
Yes, this is weird, but it is technically a wrapper around the combination of some wrappers. It's also unlikely that a user will ever see the |
Not ideal but looks good enough to me. Preferably we wouldn't have that many suffixes but the end user probably won't see it as you mentioned. |
I'm converting this back to a draft because I've added 6693d97, which is meant to mark the nuget packages as insecure along with the corresponding SDK. It does this by requiring evaluation of the SDK, which means:
Edit: this could be a separate PR, but it seems closely related, so I put it here for now.
|
Interesting solution, wouldn't have thought of it myself!
It is indeed unusual and I think it might be confusing for the maintainers of other packages that now only reference |
It seems pretty intuitive. It may not be clear exactly where the dependency comes from (it usually isn't anyway), but you still get the usual message, and the resolution is the same:
|
Fair enough, I'm really fond of this solution since it achieves the evaluation error I wanted and as a bonus doesn't generate a billion lines of |
These are the packages that become insecure with this change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't do in-depth testing but the diff generally LGTM.
This should be improved:
b1170df
to
c9b3f43
Compare
This causes evaluation of the nuget packages to fail when the SDK is insecure, without requiring the individual packages to be permitted.
c9b3f43
to
e8df659
Compare
Thanks! |
Successfully created backport PR for |
Cc: @NixOS/dotnet
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.