glibc: 2.38-23 -> 2.38-27

[edef1c]

Description of changes

Fixes CVE-2023-4911.

Backport to stable: #258975

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[edef1c]

Looks like this is somewhat of a dupe of #258856 and #258857, but those are currently held back by being a cherry-pick rather than a patchlevel update.

[Ma27]

Thanks a lot @edef1c ! Currently starting a few test-builds and will do a review+merge when that's done. Hope I'll get everything done today.

[flokli]

With 70cf1cfeb4ce9449dcb3e8d479bab5262d4956b4 (the version before the rename) I did run some builds (nixosTests.nscd and nixosTests.avahi), which should give some exposure into nss lookups still working.

coreutils, libpng-apng-1.6.40 and gnutls were a bit flaky, but ultimately the builds succeeded!

I tried to reproduce the same 2.38-master.patch.gz as @edef1c, but for some reason mine does have a slightly different format (Author and Date, instead of Author[Date] and Commit[Date] fields), but the patch contents are the same.

I'd say let's get this in, we can have a discussion around the patch workflow later.

[Ma27]

I tried to reproduce the same 2.38-master.patch.gz as @edef1c, but for some reason mine does have a slightly different format (Author and Date, instead of Author[Date] and Commit[Date] fields), but the patch contents are the same.

Same here, but I assumed differences in git versions (and this is non-functional, so 🤷 )

I'd say let's get this in, we can have a discussion around the patch workflow later.

👍

[alyssais]

I tried to reproduce the same 2.38-master.patch.gz as @edef1c, but for some reason mine does have a slightly different format (Author and Date, instead of Author[Date] and Commit[Date] fields), but the patch contents are the same.

That sounds like --format=full vs --format=fuller.

[Atemu]

Why is this a binary checked into git?

[raphaelr]

It's explained in common.nix:

      /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
          $ git fetch --all -p && git checkout origin/release/2.38/master && git describe
          glibc-2.38-27-g750a45a783
          $ git show --minimal --reverse glibc-2.38.. | gzip -9n --rsyncable - > 2.38-master.patch.gz

         To compare the archive contents zdiff can be used.
          $ zdiff -u 2.38-master.patch.gz ../nixpkgs/pkgs/development/libraries/glibc/2.38-master.patch.gz

[Atemu]

This explains the need for the patch but not why it's gzipped?

[flokli]

Because it's already 3KB without being gzipped, and people are careful about not increasing the size of the nixpkgs repo.

[alyssais]

Don't people always download the Nixpkgs repo compressed in some way, though? If you do a git clone, you get compressed packs. If you download a channel, you get a tar.xz. If you download from GitHub, you get a zip or a tar.gz or whatever. I'd expect this file being a .gz to make the compressed size of Nixpkgs as a whole slightly worse, because now it's opaque to the compressor and can't be deduplicated with other similar files.

[mweinelt]

We sometimes backport security fixes and tests that validate they work. In some cases the test artifacts are in fact binary (think image formats, asn1, ...), but we'd still like to have them, to ensure the patch works, and does not regress.

This is especially relevant, since fetchpatch drops binary hunks, and even then we sometimes need to put a rebased patch into the tree.

[alyssais]

That sounds different though — the patch itself would still be a text file, right?

[Atemu]

Those artifacts should then either be generated from text-based formats or be fetched from somewhere else.

Binaries in Git are incredibly inefficient in both size and, more importantly, performance and Nixpkgs can already be a challenge in those regards.

[Ma27]

Sorry, I'm a little late to the party 😅

I just skimmed through old PRs and it seems as if we started at around 2.31 or 2.32 with that when we needed to apply a bunch of patches for several issues and decided to just follow the release branch.
I guess it sounds reasonable to switch to a plaintext patchset especially given @alyssais' explanation on the expected influence on nixpkgs tarballs.

cc @TredwellGit @vcunat in case they have anything to add.

[Ma27]

fwiw #287594 contains a patch rather than a gz file.