diff options
author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2005-03-07T16·26+0000 |
---|---|---|
committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2005-03-07T16·26+0000 |
commit | 97c93526da4dfba1b92a11fb8522c07456d9e1ec (patch) | |
tree | 70dddcc70c7f305d0c738ca6564c97969fdda164 /corepkgs/nar | |
parent | bfbc55cbc6b72aa14805131553c6b2547d3b6ee7 (diff) |
* In the checker, do traversals of the dependency graph explicitly. A
conditional expression in the blacklist can specify when to continue/stop a traversal. For example, in <condition> <within> <traverse> <not><hasAttr name='outputHash' value='.+' /></not> </traverse> <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' /> </within> </condition> we traverse the dependency graph, not following the dependencies of `fetchurl' derivations (as indicated by the presence of an `outputHash' attribute - this is a bit ugly). The resulting set of paths is scanned for a fetch of a file with the given hash, in this case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The intent is that a dependency on zlib is not a problem if it is in a `fetchurl' derivation, since that's build-time only. (Other build-time uses of zlib *might* be a problem, e.g., static linking.)
Diffstat (limited to 'corepkgs/nar')
0 files changed, 0 insertions, 0 deletions