about summary refs log tree commit diff
path: root/third_party/nix/doc/manual/release-notes/rl-1.11.10.xml
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2022-05-18T15·39+0200
committerclbot <clbot@tvl.fyi>2022-05-19T14·08+0000
commitd127f9bd0e7b9b2e0df2de8a2227f77c0907468d (patch)
tree68455040d88b8e0c2817601db88ede450873ff8e /third_party/nix/doc/manual/release-notes/rl-1.11.10.xml
parentc85291c602ac666421627d6934ebc6d5be1b93e1 (diff)
chore(3p/nix): unvendor tvix 0.1 r/4098
Nothing is using this now, and we'll likely never pick this up again,
but we learned a lot in the process.

Every now and then this breaks in some bizarre way on channel bumps
and it's just a waste of time to maintain that.

Change-Id: Idcf2f5acd4ca7070ce18d7149cbfc0d967dc0a44
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5632
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party/nix/doc/manual/release-notes/rl-1.11.10.xml')
-rw-r--r--third_party/nix/doc/manual/release-notes/rl-1.11.10.xml31
1 files changed, 0 insertions, 31 deletions
diff --git a/third_party/nix/doc/manual/release-notes/rl-1.11.10.xml b/third_party/nix/doc/manual/release-notes/rl-1.11.10.xml
deleted file mode 100644
index 415388b3e2d1..000000000000
--- a/third_party/nix/doc/manual/release-notes/rl-1.11.10.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-      xmlns:xlink="http://www.w3.org/1999/xlink"
-      xmlns:xi="http://www.w3.org/2001/XInclude"
-      version="5.0"
-      xml:id="ssec-relnotes-1.11.10">
-
-<title>Release 1.11.10 (2017-06-12)</title>
-
-<para>This release fixes a security bug in Nix’s “build user” build
-isolation mechanism. Previously, Nix builders had the ability to
-create setuid binaries owned by a <literal>nixbld</literal>
-user. Such a binary could then be used by an attacker to assume a
-<literal>nixbld</literal> identity and interfere with subsequent
-builds running under the same UID.</para>
-
-<para>To prevent this issue, Nix now disallows builders to create
-setuid and setgid binaries. On Linux, this is done using a seccomp BPF
-filter. Note that this imposes a small performance penalty (e.g. 1%
-when building GNU Hello). Using seccomp, we now also prevent the
-creation of extended attributes and POSIX ACLs since these cannot be
-represented in the NAR format and (in the case of POSIX ACLs) allow
-bypassing regular Nix store permissions. On macOS, the restriction is
-implemented using the existing sandbox mechanism, which now uses a
-minimal “allow all except the creation of setuid/setgid binaries”
-profile when regular sandboxing is disabled. On other platforms, the
-“build user” mechanism is now disabled.</para>
-
-<para>Thanks go to Linus Heckemann for discovering and reporting this
-bug.</para>
-
-</section>