Demi Marie Obenour writes:

> On 11/13/25 11:04, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> combined = callSpectrumPackage release/combined/run-vm.nix {};
>>> }) (_: {})
>>> diff --git a/release/update.nix b/release/update.nix
>>> new file mode 100644
>>> index 0000000000000000000000000000000000000000..ec51eb12d33030255b7b4a7e74e14416f1f0659d
>>> --- /dev/null
>>> +++ b/release/update.nix
>>> @@ -0,0 +1,30 @@
>>> +# SPDX-License-Identifier: MIT
>>> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross
>>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>>> +
>>> +import ../lib/call-package.nix (
>>> +{ callSpectrumPackage, config, efi
>>> +, runCommand, stdenv, rootfs
>>> +}:
>>> +
>>> +runCommand "spectrum-update-directory" {
>>> + __structuredAttrs = true;
>>> + unsafeDiscardReferences = { out = true; };
>>> + dontFixup = true;
>>> + env = {
>>> + VERSION = config.version;
>>> + ROOTHASH = "${rootfs}/rootfs.verity.roothash";
>>> + VERITY = "${rootfs}/rootfs.verity.superblock";
>>> + ROOT_FS = "${rootfs}/rootfs";
>>> + EFI = efi;
>>> + };
>>
>> I'd just inline these as string interpolations rather than passing them
>> as environment variables (except maybe VERSION).
>
> In general, this is very bad practice and has caused security
> vulnerabilities in GitHub Actions. These have even been exploited in
> the wild. However, this is *not* a vulnerability in this context as
> the input is trusted and known not to contain shell metacharacters.
> I mostly wanted to avoid bad habits that are fine in the Nix context,
> but not in others.

I think that will result in overly unidiomatic Nix code. Bad practices
are always contextual.
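Review bot: the `unsafeDiscardReferences = { out = true; };` line in the new release/update.nix has no comment saying why the output is allowed to drop its references to `${rootfs}` and `efi`. Since `ROOTHASH`, `VERITY` and `ROOT_FS` all point into `${rootfs}`, a reader cannot tell from the quoted hunk whether the builder copies those files in (then discarding references is correct) or links to them (then the closure is incomplete and the referenced paths could be garbage-collected out from under the update directory). Suggest a one-line comment above it such as `# the builder copies the artifacts in, so the output carries no store references`. Separately, those three variables hold paths to files rather than the hash or superblock values themselves, so names like `ROOTHASH_FILE` would make the builder script that reads them easier to follow.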
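Demi's point above, as an added example that is not code from the patch or from either participant: the same value handed to a builder script two ways, spliced into the script text before the shell parses it (what Nix `${...}` interpolation into a build script, or GitHub Actions `${{ }}`, does) versus passed through the environment the way the patch's `env` attribute does. Both sample values are constructed; the store-path string is the benign case the patch actually deals in, and `count_lines` is a helper invented here to count how many commands ran.

```shell
#!/bin/sh
# Constructed sample inputs. The first is the kind of value the patch passes:
# a store path with no shell metacharacters. The second carries a ';' and is
# the kind of value that makes interpolation into script text dangerous.
TRUSTED_VALUE='/nix/store/zzzz-rootfs/rootfs.verity.roothash'
UNTRUSTED_VALUE='x; echo SECOND_COMMAND'

# Pattern 1: the value is pasted into the script source, so anything the
# shell would parse as syntax in the value becomes part of the program.
run_interpolated() {
    script="echo BEGIN $1; echo END"
    sh -c "$script"
}

# Pattern 2: the value reaches the already-parsed script as an environment
# variable and is expanded inside double quotes, so it can only ever be data.
run_via_env() {
    VALUE="$1" sh -c 'echo "BEGIN $VALUE"; echo END'
}

# Count output lines: a run that executed exactly the two intended commands
# prints two lines; a third line means the value was executed as code.
count_lines() {
    "$1" "$2" | wc -l | tr -d ' '
}
```

With the store path both patterns print two lines; with the untrusted value only the interpolated pattern prints a third, which is the behaviour Demi's remark about GitHub Actions refers to.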