So what happens in nix if a package version is found to have some huge vulnerability? And my app expects that exact version?
Because this is literally what docker, venv, and nix claim to fix, but after getting burned by three other systems I'm not willing to invest the time in getting into nix.
I keep machines powered off that have a working configuration of older AI and other software tools because there is no other way to run them, regardless of the code being available on github.
There's other solutions too; this is a big part of systemd, which also has nspawn and vmspawn that do it more explicitly. But everything has some containerization capabilities, and ideally you'd give your program access to only what it needs. PrivateTmp should always be on.
But if versions are vulnerable you usually want to remove those versions, not put them in containers.
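The "give your program access to only what it needs" point above, written out as an added example (mine, not from the thread). It is a NixOS module for a hypothetical local-only service called "whisper-ui" whose binary path and port are made up; every directive under serviceConfig is a real systemd one, so the same settings can be pasted into a plain unit file's [Service] section on any distro.

```nix
# Added example, not code from the thread. Assumes a NixOS host and a
# hypothetical service "whisper-ui"; the binary path and port are placeholders.
{ config, pkgs, ... }:
{
  systemd.services.whisper-ui = {
    description = "Local-only whisper UI, sandboxed by systemd";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "/opt/whisper-ui/serve --listen 127.0.0.1:8080";

      # Identity and writable state: a throwaway UID and one state directory.
      DynamicUser = true;
      StateDirectory = "whisper-ui";   # only writable path: /var/lib/whisper-ui

      # Filesystem: private /tmp, read-only everything else, no /home.
      PrivateTmp = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateDevices = true;

      # Kernel surface: no privilege escalation, no kernel knobs, no new namespaces.
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      LockPersonality = true;
      RestrictRealtime = true;

      # Network and syscalls: local sockets only, service-class syscalls only.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallArchitectures = "native";

      # No capabilities at all; a UI/client does not need any.
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";

      # Left off on purpose: many ML runtimes need writable+executable memory
      # for JIT. Turn it on only after verifying the binary still starts.
      MemoryDenyWriteExecute = false;
    };
  };
}
```

After rebuilding, `systemd-analyze security whisper-ui.service` prints a per-directive exposure score for the unit, which is the quickest way to see what a given service still has access to.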
I really do not follow what you are trying to convey here.
If there are vulns, and you are using software from nixpkgs, there are tools to get yourself notified about vulnerable packages.
If you want to run vulnerable software on-demand, you can just boot the machine/VM up when needed? If you want to patch stuff yourself, nix makes it trivial to apply your own patches to already packaged software.
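What "apply your own patches to already packaged software" looks like in practice, as an added example that is not from the thread or from nixpkgs. It answers the original question too: the app keeps the exact version it expects, that one derivation carries a local fix, and nothing else on the system is affected. The package names `example-tool` and `my-app`, the tarball URL and the file `local-fix.patch` are all placeholders.

```nix
# Added example, not code from the thread. "example-tool", "my-app", the URL
# and ./local-fix.patch are hypothetical placeholders.
{ pkgs ? import <nixpkgs> { } }:

let
  # Pin the exact upstream version the app expects, then lay a local fix on
  # top of whatever patches nixpkgs already applies to that package.
  pinnedAndPatched = pkgs.example-tool.overrideAttrs (old: {
    version = "1.2.3";
    src = pkgs.fetchurl {
      url = "https://example.invalid/example-tool-1.2.3.tar.gz";
      # fakeHash makes the first build fail and print the real hash to paste in,
      # so the pinned source is content-addressed from then on.
      hash = pkgs.lib.fakeHash;
    };
    patches = (old.patches or [ ]) ++ [ ./local-fix.patch ];
  });

  # Only this app is built against the pinned/patched derivation; every other
  # consumer of example-tool keeps the version nixpkgs ships. This assumes
  # my-app's package function takes example-tool as an argument.
  myApp = pkgs.my-app.override { example-tool = pinnedAndPatched; };
in
myApp
```

Build with `nix-build` in the directory holding this file. Because the pinned derivation has a different hash from the nixpkgs one, scanners such as vulnix still report the underlying version as vulnerable until the patch is reflected in the package's version or metadata, so treat the scanner output as a list to review, not as proof the fix is missing.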
> remove those versions, not put them in containers
I don't know how to fix this, but perhaps I can AI it and release something on my GitHub if I manage to cobble something together.
These aren't "services" that anyone has access to, except myself; "clients", UIs, and things like whisper.
If someone were to pay me, I'd figure it out. I'm friends with maintainers and that isn't my style. Archiving is.
To wit, I expend no more energy than necessary maintaining other people's code.