Subject: [bug#31442] [PATCH 0/5] 'guix health': a tool to report vulnerable packages
From: Ludovic Courtès <ludo@HIDDEN>
To: 31442 <at> debbugs.gnu.org
Cc: guix-patches@HIDDEN
Date: Sun, 13 May 2018 22:25:25 +0200
Message-Id: <20180513202525.4010-1-ludo@HIDDEN>

Hello Guix!

On IRC davidl shared a shell script that checks the output of ‘guix lint -c cve’ and uses that to determine vulnerable packages in a profile. That reminds me of the plan for ‘guix health’ (a tool to do just that), so I went ahead and tried to make it a reality at last.

This ‘guix health’ reports information about “leaf” packages in a profile, but not about their dependencies:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix health -p /run/current-system/profile/
guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
guix health: warning: util-linux@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If none are available, please consider submitting a patch for the package definition of 'util-linux'.
guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
guix health: warning: tar@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If none are available, please consider submitting a patch for the package definition of 'tar'.
--8<---------------cut here---------------end--------------->8---

The difficulty here is that we need to know a package’s CPE name before we can check the CVE database, and we also need to know whether the package already includes fixes for known CVEs. This patch set attaches this information to manifest entries, so that ‘guix health’ can then rely on it.

Fundamentally, that means we cannot reliably tell much about dependencies: in cases where the CPE name differs from the Guix name, we won’t have any match, and more generally, we cannot know what CVEs are patched in the package; we could infer part of this by looking at the same-named package in the current Guix, but that’s hacky.

I think that longer-term we probably need to attach this kind of meta-data to packages themselves, by adding a bunch of files in each package, say under PREFIX/guix. We could do that for search paths as well.

Should we satisfy ourselves with the current approach in the meantime? Thoughts?

Besides, support for properties in manifest entries seems useful to me, so we may want to keep it regardless of whether we take ‘guix health’ as-is.

Ludo’.

Ludovic Courtès (5):
  profiles: Add '%current-profile', 'user-friendly-profile', & co.
  packages: Add 'package-patched-vulnerabilities'.
  profiles: Add 'properties' field to manifest entries.
  profiles: Record fixed vulnerabilities as properties of entries.
  DRAFT Add 'guix health'.

 Makefile.am              |   1 +
 guix/packages.scm        |  28 +++++++
 guix/profiles.scm        |  91 ++++++++++++++++++++--
 guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
 guix/scripts/lint.scm    |  23 +-----
 guix/scripts/package.scm |  40 ----------
 po/guix/POTFILES.in      |   1 +
 tests/packages.scm       |  15 ++++
 tests/profiles.scm       |  22 ++++++
 9 files changed, 312 insertions(+), 67 deletions(-)
 create mode 100644 guix/scripts/health.scm

-- 
2.17.0
Subject: [bug#31442] [PATCH 3/5] profiles: Add 'properties' field to manifest entries.
From: Ludovic Courtès <ludo@HIDDEN>
To: 31442 <at> debbugs.gnu.org
Date: Mon, 14 May 2018 10:25:48 +0200
Message-Id: <20180514082550.1131-3-ludo@HIDDEN>
In-Reply-To: <20180514082550.1131-1-ludo@HIDDEN>

* guix/profiles.scm (<manifest-entry>)[properties]: New field.
(manifest->gexp)[entry->gexp]: Serialize it.
(sexp->manifest)[sexp->manifest-entry]: Deserialize it.
---
 guix/profiles.scm | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm index 3cdc3d2f1..02828e465 100644 --- a/guix/profiles.scm +++ b/guix/profiles.scm @@ -78,6 +78,7 @@ manifest-entry-dependencies manifest-entry-search-paths manifest-entry-parent + manifest-entry-properties manifest-pattern manifest-pattern?
@@ -181,7 +182,9 @@ (search-paths manifest-entry-search-paths ; search-path-specification* (default '())) (parent manifest-entry-parent ; promise (#f | <manifest-entry>) - (default (delay #f)))) + (default (delay #f))) + (properties manifest-entry-properties ; list of symbol/value pairs + (default '()))) (define-record-type* <manifest-pattern> manifest-pattern make-manifest-pattern @@ -320,18 +323,20 @@ denoting a specific output of a package." (define (entry->gexp entry) (match entry (($ <manifest-entry> name version output (? string? path) - (deps ...) (search-paths ...)) + (deps ...) (search-paths ...) _ (properties ...)) #~(#$name #$version #$output #$path (propagated-inputs #$(map entry->gexp deps)) (search-paths #$(map search-path-specification->sexp - search-paths)))) + search-paths)) + (properties . #$properties))) (($ <manifest-entry> name version output package - (deps ...) (search-paths ...)) + (deps ...) (search-paths ...) _ (properties ...)) #~(#$name #$version #$output (ungexp package (or output "out")) (propagated-inputs #$(map entry->gexp deps)) (search-paths #$(map search-path-specification->sexp - search-paths)))))) + search-paths)) + (properties . #$properties))))) (match manifest (($ <manifest> (entries ...)) @@ -394,7 +399,9 @@ procedure is here for backward-compatibility and will eventually vanish." (dependencies deps*) (search-paths (map sexp->search-path-specification search-paths)) - (parent parent)))) + (parent parent) + (properties (or (assoc-ref extra-stuff 'properties) + '()))))) entry)))) (match sexp -- 2.17.0
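Review bot: the new `(properties . #$properties)` element in both entry->gexp branches at @@ -320 writes arbitrary property values into the profile's manifest file, and the only constraint on them is the field comment "list of symbol/value pairs" at @@ -181; values must be gexp-serializable and readable back with `read`, which holds for the strings and symbols that patch 4/5 stores but is worth stating in the field comment or the docstring so later users of the field do not put records or procedures there. The positional patterns `(deps ...) (search-paths ...) _ (properties ...)` also now encode the field order, so any field added to <manifest-entry> later must go after `properties` or both matches need updating again.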
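Review bot: the deserializer at @@ -394 reads the new key with `(or (assoc-ref extra-stuff 'properties) '())`, which keeps manifests written before this change loadable, but the serialize/deserialize pair has no test in this series; the "manifest-entry-properties" test added in 4/5 only exercises package->manifest-entry. Add a round-trip test in tests/profiles.scm that builds an entry with a non-empty `properties` alist, passes it through manifest->gexp and sexp->manifest, and compares the result with manifest-entry-properties.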
Subject: [bug#31442] [PATCH 1/5] profiles: Add '%current-profile', 'user-friendly-profile', & co.
From: Ludovic Courtès <ludo@HIDDEN>
To: 31442 <at> debbugs.gnu.org
Date: Mon, 14 May 2018 10:25:46 +0200
Message-Id: <20180514082550.1131-1-ludo@HIDDEN>
In-Reply-To: <20180513202525.4010-1-ludo@HIDDEN>

* guix/scripts/package.scm (%user-profile-directory)
(%profile-directory, %current-profile, canonicalize-profile)
(user-friendly-profile): Move to...
* guix/profiles.scm: ... here.
---
 guix/profiles.scm        | 49 +++++++++++++++++++++++++++++++++++++++-
 guix/scripts/package.scm | 40 --------------------------------
 2 files changed, 48 insertions(+), 41 deletions(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm index dca247976..3cdc3d2f1 100644 --- a/guix/profiles.scm +++ b/guix/profiles.scm
@@ -25,6 +25,7 @@ ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (guix profiles) + #:use-module ((guix config) #:select (%state-directory)) #:use-module ((guix utils) #:hide (package-name->name+version)) #:use-module ((guix build utils) #:select (package-name->name+version)) @@ -118,7 +119,13 @@ generation-file-name switch-to-generation roll-back - delete-generation)) + delete-generation + + %user-profile-directory + %profile-directory + %current-profile + canonicalize-profile + user-friendly-profile)) ;;; Commentary: ;;; 
@@ -1465,4 +1472,44 @@ because the NUMBER is zero.)" (else (delete-and-return))))) +(define %user-profile-directory + (and=> (getenv "HOME") + (cut string-append <> "/.guix-profile"))) + +(define %profile-directory + (string-append %state-directory "/profiles/" + (or (and=> (or (getenv "USER") + (getenv "LOGNAME")) + (cut string-append "per-user/" <>)) + "default"))) + +(define %current-profile + ;; Call it `guix-profile', not `profile', to allow Guix profiles to + ;; coexist with Nix profiles. + (string-append %profile-directory "/guix-profile")) + +(define (canonicalize-profile profile) + "If PROFILE is %USER-PROFILE-DIRECTORY, return %CURRENT-PROFILE. Otherwise +return PROFILE unchanged. The goal is to treat '-p ~/.guix-profile' as if +'-p' was omitted." ; see <http://bugs.gnu.org/17939> + + ;; Trim trailing slashes so that the basename comparison below works as + ;; intended. + (let ((profile (string-trim-right profile #\/))) + (if (and %user-profile-directory + (string=? (canonicalize-path (dirname profile)) + (dirname %user-profile-directory)) + (string=? (basename profile) (basename %user-profile-directory))) + %current-profile + profile))) + +(define (user-friendly-profile profile) + "Return either ~/.guix-profile if that's what PROFILE refers to, directly or +indirectly, or PROFILE." + (if (and %user-profile-directory + (false-if-exception + (string=? (readlink %user-profile-directory) profile))) + %user-profile-directory + profile)) + ;;; profiles.scm ends here diff --git a/guix/scripts/package.scm b/guix/scripts/package.scm index 4f519e6f3..29829f52c 100644 --- a/guix/scripts/package.scm +++ b/guix/scripts/package.scm 
@@ -64,46 +64,6 @@ ;;; Profiles. ;;; -(define %user-profile-directory - (and=> (getenv "HOME") - (cut string-append <> "/.guix-profile"))) - -(define %profile-directory - (string-append %state-directory "/profiles/" - (or (and=> (or (getenv "USER") - (getenv "LOGNAME")) - (cut string-append "per-user/" <>)) - "default"))) - -(define %current-profile - ;; Call it `guix-profile', not `profile', to allow Guix profiles to - ;; coexist with Nix profiles. - (string-append %profile-directory "/guix-profile")) - -(define (canonicalize-profile profile) - "If PROFILE is %USER-PROFILE-DIRECTORY, return %CURRENT-PROFILE. Otherwise -return PROFILE unchanged. The goal is to treat '-p ~/.guix-profile' as if -'-p' was omitted." ; see <http://bugs.gnu.org/17939> - - ;; Trim trailing slashes so that the basename comparison below works as - ;; intended. - (let ((profile (string-trim-right profile #\/))) - (if (and %user-profile-directory - (string=? (canonicalize-path (dirname profile)) - (dirname %user-profile-directory)) - (string=? (basename profile) (basename %user-profile-directory))) - %current-profile - profile))) - -(define (user-friendly-profile profile) - "Return either ~/.guix-profile if that's what PROFILE refers to, directly or -indirectly, or PROFILE." - (if (and %user-profile-directory - (false-if-exception - (string=? (readlink %user-profile-directory) profile))) - %user-profile-directory - profile)) - (define (ensure-default-profile) "Ensure the default profile symlink and directory exist and are writable." -- 2.17.0
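Review bot: the hunk at @@ -64,46 in guix/scripts/package.scm deletes %user-profile-directory, %profile-directory, %current-profile, canonicalize-profile and user-friendly-profile without adding any import, so the remaining callers in that file rely on (guix profiles) already being in its #:use-module list and on the exports added at @@ -118 in profiles.scm; please confirm that and that the `%state-directory` reference in the moved %profile-directory now resolves only through the new `#:use-module ((guix config) #:select (%state-directory))` at @@ -25. The bodies are moved verbatim, as the commit message says, so no behavioural review is needed beyond that.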
Subject: [bug#31442] [PATCH 4/5] profiles: Record fixed vulnerabilities as properties of entries.
From: Ludovic Courtès <ludo@HIDDEN>
To: 31442 <at> debbugs.gnu.org
Date: Mon, 14 May 2018 10:25:49 +0200
Message-Id: <20180514082550.1131-4-ludo@HIDDEN>
In-Reply-To: <20180514082550.1131-1-ludo@HIDDEN>

* guix/profiles.scm (package->manifest-entry)[fixed, cpe-name]
[cpe-version]: New variables. Populate the 'properties' field based on
these.
* tests/profiles.scm ("manifest-entry-properties"): New test.
---
 guix/profiles.scm  | 23 ++++++++++++++++++++++-
 tests/profiles.scm | 22 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm index 02828e465..6656cf356 100644 --- a/guix/profiles.scm +++ b/guix/profiles.scm
@@ -286,6 +286,17 @@ file name." (define* (package->manifest-entry package #:optional (output "out") #:key (parent (delay #f))) "Return a manifest entry for the OUTPUT of package PACKAGE." + (define fixed + (append (package-patched-vulnerabilities package) + (or (assq-ref (package-properties package) 'lint-hidden-cve) + '()))) + + (define cpe-name + (assoc-ref (package-properties package) 'cpe-name)) + + (define cpe-version + (assoc-ref (package-properties package) 'cpe-version)) + ;; For each dependency, keep a promise pointing to its "parent" entry. (letrec* ((deps (map (match-lambda ((label package) @@ -303,7 +314,17 @@ file name." (dependencies (delete-duplicates deps)) (search-paths (package-transitive-native-search-paths package)) - (parent parent)))) + (parent parent) + (properties `(,@(if cpe-name + `((cpe-name . ,cpe-name)) + '()) + ,@(if cpe-version + `((cpe-version . ,cpe-version)) + '()) + ,@(if (null? fixed) + '() + `((fixed-vulnerabilities + . ,fixed)))))))) entry)) (define (packages->manifest packages) diff --git a/tests/profiles.scm b/tests/profiles.scm index c668c2b83..8152e4b68 100644 --- a/tests/profiles.scm +++ b/tests/profiles.scm 
@@ -439,6 +439,28 @@ #:locales? #f))) (return #f))))) +(test-equal "manifest-entry-properties" + '(((fixed-vulnerabilities "CVE-2015-1234")) + ((fixed-vulnerabilities "CVE-2016-1234" "CVE-2018-4567")) + ((cpe-name . "Pi") + (fixed-vulnerabilities "CVE-2002-0001")) + ()) + (let ((p1 (dummy-package "pi" + (source (dummy-origin + (patches (list "/a/b/pi-CVE-2015-1234.patch")))))) + (p2 (dummy-package "pi" + (source (dummy-origin + (patches + (list + "/a/b/pi-CVE-2016-1234-CVE-2018-4567.patch")))))) + (p3 (dummy-package "pi" (source (dummy-origin)) + (properties + '((cpe-name . "Pi") + (lint-hidden-cve "CVE-2002-0001"))))) + (p4 (dummy-package "pi" (source (dummy-origin))))) + (map (compose manifest-entry-properties package->manifest-entry) + (list p1 p2 p3 p4)))) + (test-assertm "no collision" ;; Here we have an entry that is "lowered" (its 'item' field is a store file ;; name) and another entry (its 'item' field is a package) that is -- 2.17.0
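Review bot: at @@ -286, `fixed` appends the package's 'lint-hidden-cve' property to package-patched-vulnerabilities and records the union under a single `fixed-vulnerabilities` key, but 'lint-hidden-cve' is a lint-time suppression list, not evidence that a CVE is fixed, so consumers of the manifest can no longer tell "patched" from "suppressed"; either keep two keys or say in the field comment that the list is "CVEs to be ignored for this entry". A CVE named both in a patch file name and in 'lint-hidden-cve' would also appear twice, so wrap the `append` in delete-duplicates. In the test at @@ -439 all four dummy packages carry a dummy-origin source; add a case with `(source #f)` so the new code path in package->manifest-entry is shown to cope with source-less packages.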
Subject: [bug#31442] [PATCH 5/5] DRAFT Add 'guix health'.
From: Ludovic Courtès <ludo@HIDDEN>
To: 31442 <at> debbugs.gnu.org
Date: Mon, 14 May 2018 10:25:50 +0200
Message-Id: <20180514082550.1131-5-ludo@HIDDEN>
In-Reply-To: <20180514082550.1131-1-ludo@HIDDEN>

DRAFT: Needs doc and tests, plus the FIXME noted inside.

* guix/scripts/health.scm: New file.
* Makefile.am (MODULES): Add it.
* po/guix/POTFILES.in: Add it.
---
 Makefile.am             |   1 +
 guix/scripts/health.scm | 158 ++++++++++++++++++++++++++++++++++++++++
 po/guix/POTFILES.in     |   1 +
 3 files changed, 160 insertions(+)
 create mode 100644 guix/scripts/health.scm

diff --git a/Makefile.am b/Makefile.am index 38bd54cf4..870ff6a89 100644 --- a/Makefile.am +++ b/Makefile.am
@@ -194,6 +194,7 @@ MODULES = \ guix/scripts/package.scm \ guix/scripts/gc.scm \ guix/scripts/hash.scm \ + guix/scripts/health.scm \ guix/scripts/pack.scm \ guix/scripts/pull.scm \ guix/scripts/substitute.scm \ diff --git a/guix/scripts/health.scm b/guix/scripts/health.scm new file mode 100644 index 000000000..a991fcbe3 --- /dev/null +++ b/guix/scripts/health.scm 
@@ -0,0 +1,158 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2018 Ludovic Courtès <ludo@HIDDEN> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (guix scripts health) + #:use-module (guix ui) + #:use-module (guix scripts) + #:use-module (guix profiles) + #:use-module (guix packages) + #:use-module (guix cve) + #:use-module (guix utils) + #:use-module (gnu packages) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-37) + #:use-module (ice-9 match) + #:export (guix-health)) + + +;;; +;;; Reporting CVEs. +;;; + +(define (same-package-entries? entry1 entry2) + "Return true if ENTRY1 and ENTRY2 refer to the same package and version." + (and (string=? (manifest-entry-name entry1) + (manifest-entry-name entry2)) + (string=? (manifest-entry-version entry1) + (manifest-entry-version entry2)))) + +(define (manifest-entry-vulnerabilities entry lookup-vulnerabilities) + "Return the list of vulnerabilities for ENTRY. Call LOOKUP-VULNERABILITIES +to determine the list of vulnerabilities for a package/version." 
+ (let* ((name (manifest-entry-name entry)) + (cpe-name (or (assoc-ref (manifest-entry-properties entry) + 'cpe-name) + name)) + (version (manifest-entry-version entry)) + (cpe-version (or (assoc-ref (manifest-entry-properties entry) + 'cpe-version) + version)) + (fixed (or (assoc-ref (manifest-entry-properties entry) + 'fixed-vulnerabilities) + '()))) + (remove (lambda (vuln) + (member (vulnerability-id vuln) fixed)) + (lookup-vulnerabilities cpe-name cpe-version)))) + +(define (check-profile-cve profile) + "Check and report the CVEs of packages in PROFILE." + (define lookup-vulnerabilities + (vulnerabilities->lookup-proc (current-vulnerabilities))) + + (define (report-entry-vulnerabilities entry) + (let ((name (manifest-entry-name entry)) + (version (manifest-entry-version entry))) + (match (manifest-entry-vulnerabilities entry lookup-vulnerabilities) + (() + #t) + ((vulns ...) + (warning (G_ "~a@~a may be vulnerable to~{ ~a~}~%") + name version (map vulnerability-id vulns)) + (match (find-best-packages-by-name name #f) + ((package . _) + (let ((vulns* (lookup-vulnerabilities name + (package-version package)))) + (match (lset-difference string=? + (map vulnerability-id vulns) + (map vulnerability-id vulns*)) + (() + (warning (G_ "~a@~a is available but does not \ +fix any of these~%") + name (package-version package)) + (display-hint (format #f (G_ "Run @command{guix pull} and +then re-run @command{guix health} to see if fixes are available. If none are +available, please consider submitting a patch for the package definition of +'~a'.") name))) + (fixed + (warning (G_ "~a@~a is available and fixes~{ ~a~}, \ +consider ugprading~%") + name (package-version package) fixed))))) + (() + (warning (G_ "'~a' is unavailable and thus \ +cannot be upgraded~%") + name))))))) + + (let* ((manifest (profile-manifest profile)) + (entries (manifest-transitive-entries manifest))) + ;; FIXME: We don't report vulnerabilities in dependencies of the entries. 
+ ;; We could check the references and infer the package name/version for + ;; each of them, but then we wouldn't know their CPE name nor whether they + ;; already contain patches fixing known vulnerabilities. + (for-each report-entry-vulnerabilities + (delete-duplicates entries same-package-entries?)))) + + +;;; +;;; Command-line options. +;;; + +(define (show-help) + (display (G_ "Usage: guix health [OPTIONS] +Report on the vulnerabilities of packages in a profile.\n")) + (display (G_ " + -p, --profile=PROFILE use PROFILE instead of the user's default profile")) + (newline) + (display (G_ " + -h, --help display this help and exit")) + (display (G_ " + -V, --version display version information and exit")) + (newline) + (show-bug-report-information)) + +(define %options + (list (option '(#\h "help") #f #f + (lambda args + (show-help) + (exit 0))) + (option '(#\V "version") #f #f + (lambda args + (show-version-and-exit "guix package"))) + + (option '(#\p "profile") #t #f + (lambda (opt name arg result) + (values (alist-cons 'profile (canonicalize-profile arg) + result) + #f))))) + +(define %default-options + ;; Alist of default option values. + '()) + + +;;; +;;; Entry point. +;;; + +(define (guix-health . args) + (with-error-handling + (let* ((opts (parse-command-line args %options (list %default-options) + #:build-options? #f)) + (profile (or (and=> (assoc-ref opts 'profile) + user-friendly-profile) + %user-profile-directory))) + (check-profile-cve profile)))) diff --git a/po/guix/POTFILES.in b/po/guix/POTFILES.in index d11f408d4..76fdbe13b 100644 --- a/po/guix/POTFILES.in +++ b/po/guix/POTFILES.in @@ -31,6 +31,7 @@ guix/scripts/challenge.scm guix/scripts/copy.scm guix/scripts/pack.scm guix/scripts/weather.scm +guix/scripts/health.scm guix/gnu-maintenance.scm guix/scripts/container.scm guix/scripts/container/exec.scm -- 2.17.0
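Review bot: in check-profile-cve the upgrade advice is computed with `(lookup-vulnerabilities name (package-version package))`, which queries the CVE table by the Guix package name and ignores both the candidate package's CPE name and the CVEs it already patches, even though manifest-entry-vulnerabilities just above does both for the installed entry (via the 'cpe-name, 'cpe-version and 'fixed-vulnerabilities properties) and patch 2/5 of this series adds package-patched-vulnerabilities for exactly this purpose. As written, a package whose CPE name differs from its Guix name yields an empty vulns*, so every open CVE survives the lset-difference and the tool prints "is available and fixes ..." for all of them; conversely, a package that fixes a CVE with a patch named after it is reported as "does not fix any of these". Suggest looking the candidate up with its CPE name and version and removing (package-patched-vulnerabilities package) from vulns* before the lset-difference.

Review bot: (current-vulnerabilities) in check-profile-cve downloads the CVE feed with no guard against network failures, whereas guix lint wraps the same lookup so that NIST server errors are non-fatal (its call-with-networking-fail-safe, visible in the lint.scm hunk of patch 2/5). Whether with-error-handling turns a DNS or TLS failure into a clean message here is not obvious from this patch, so consider the same wrapper, and consider exiting non-zero when at least one entry was reported vulnerable so the command can be used from scripts; right now guix-health returns whatever for-each returns.

Review bot: two string issues in health.scm: show-version-and-exit is passed "guix package" instead of "guix health", and the translatable message "consider ugprading" misspells "upgrading"; fix both before the file is listed in po/guix/POTFILES.in and the typo lands in the POT file.

Review bot: the patch touches only Makefile.am, health.scm and POTFILES.in, so there is no doc/guix.texi section and no test for the new command (the cover letter lists it as "DRAFT Add 'guix health'"). Even as a draft, a short "Invoking guix health" section and a test that builds a manifest with constructed 'cpe-name and 'fixed-vulnerabilities properties and checks the reported set would pin down the property contract that manifest-entry-vulnerabilities relies on. The FIXME already says dependencies of the entries are not checked; that limitation belongs in --help and the manual too, since an empty report will otherwise be read as "no known CVEs in this profile".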
Subject: [bug#31442] [PATCH 2/5] packages: Add 'package-patched-vulnerabilities'.
From: Ludovic Courtès <ludo@HIDDEN>
To: 31442 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo@HIDDEN>
Resent-Date: Mon, 14 May 2018 08:27:04 +0000
Date: Mon, 14 May 2018 10:25:47 +0200
Message-Id: <20180514082550.1131-2-ludo@HIDDEN>
In-Reply-To: <20180514082550.1131-1-ludo@HIDDEN>

* guix/packages.scm (patch-file-name): New procedure.
(%vulnerability-regexp): New variable.
(package-patched-vulnerabilities): New procedure.
* guix/scripts/lint.scm (patch-file-name): Remove.
(check-vulnerabilities): Adjust to use 'package-patched-vulnerabilities'.
* tests/packages.scm ("package-patched-vulnerabilities"): New test.
--- guix/packages.scm | 28 ++++++++++++++++++++++++++++ guix/scripts/lint.scm | 23 ++++------------------- tests/packages.scm | 15 +++++++++++++++ 3 files changed, 47 insertions(+), 19 deletions(-) diff --git a/guix/packages.scm b/guix/packages.scm index e0ab72086..f536597ae 100644
--- a/guix/packages.scm +++ b/guix/packages.scm @@ -35,6 +35,7 @@ #:use-module (guix sets) #:use-module (ice-9 match) #:use-module (ice-9 vlist) + #:use-module (ice-9 regex) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9 gnu) #:use-module (srfi srfi-11) @@ -106,6 +107,7 @@ package-cross-derivation package-output package-grafts + package-patched-vulnerabilities package/inherit transitive-input-references @@ -394,6 +396,32 @@ DELIMITER (a string), you can customize what will appear between the name and the version. By default, DELIMITER is \"@\"." (string-append (package-name package) delimiter (package-version package))) +(define (patch-file-name patch) + "Return the basename of PATCH's file name, or #f if the file name could not +be determined." + (match patch + ((? string?) + (basename patch)) + ((? origin?) + (and=> (origin-actual-file-name patch) basename)))) + +(define %vulnerability-regexp + ;; Regexp matching a CVE identifier in patch file names. + (make-regexp "CVE-[0-9]{4}-[0-9]+")) + +(define (package-patched-vulnerabilities package) + "Return the list of patched vulnerabilities of PACKAGE as a list of CVE +identifiers. The result is inferred from the file names of patches." + (define (patch-vulnerabilities patch) + (map (cut match:substring <> 0) + (list-matches %vulnerability-regexp patch))) + + (let ((patches (filter-map patch-file-name + (or (and=> (package-source package) + origin-patches) + '())))) + (append-map patch-vulnerabilities patches))) + (define (%standard-patch-inputs) (let* ((canonical (module-ref (resolve-interface '(gnu packages base)) 'canonical-package)) diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index cd802985d..e477bf0dd 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm 
@@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014 Cyril Roelandt <tipecaml@HIDDEN> ;;; Copyright © 2014, 2015 Eric Bavier <bavier@HIDDEN> -;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@HIDDEN> +;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@HIDDEN> ;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@HIDDEN> ;;; Copyright © 2016 Danny Milosavljevic <dannym+a@HIDDEN> ;;; Copyright © 2016 Hartmut Goebel <h.goebel@HIDDEN> @@ -809,15 +809,6 @@ descriptions maintained upstream." (emit-warning package (G_ "invalid license field") 'license)))) -(define (patch-file-name patch) - "Return the basename of PATCH's file name, or #f if the file name could not -be determined." - (match patch - ((? string?) - (basename patch)) - ((? origin?) - (and=> (origin-actual-file-name patch) basename)))) - (define (call-with-networking-fail-safe message error-value proc) "Call PROC catching any network-related errors. Upon a networking error, display a message including MESSAGE and return ERROR-VALUE." @@ -878,20 +869,14 @@ the NIST server non-fatal." (() #t) ((vulnerabilities ...) - (let* ((patches (filter-map patch-file-name - (or (and=> (package-source package) - origin-patches) - '()))) + (let* ((patched (package-patched-vulnerabilities package)) (known-safe (or (assq-ref (package-properties package) 'lint-hidden-cve) '())) (unpatched (remove (lambda (vuln) (let ((id (vulnerability-id vuln))) - (or - (find (cute string-contains - <> id) - patches) - (member id known-safe)))) + (or (member id patched) + (member id known-safe)))) vulnerabilities))) (unless (null? unpatched) (emit-warning package diff --git a/tests/packages.scm b/tests/packages.scm index 9e19c3992..642a3efa5 100644 --- a/tests/packages.scm +++ b/tests/packages.scm 
@@ -941,6 +941,21 @@ ((("x" dep)) (eq? dep findutils))))))))) +(test-equal "package-patched-vulnerabilities" + '(("CVE-2015-1234") + ("CVE-2016-1234" "CVE-2018-4567") + ()) + (let ((p1 (dummy-package "pi" + (source (dummy-origin + (patches (list "/a/b/pi-CVE-2015-1234.patch")))))) + (p2 (dummy-package "pi" + (source (dummy-origin + (patches (list + "/a/b/pi-CVE-2016-1234-CVE-2018-4567.patch")))))) + (p3 (dummy-package "pi" (source (dummy-origin))))) + (map package-patched-vulnerabilities + (list p1 p2 p3)))) + (test-eq "fold-packages" hello (fold-packages (lambda (p r) (if (string=? (package-name p) "hello") -- 2.17.0
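Review bot: in the guix/packages.scm hunk, patch-vulnerabilities uses `cut`, but (srfi srfi-26) is not among the imports visible in the first hunk's context (srfi-1, srfi-9 gnu, srfi-11 plus the new ice-9 regex); confirm packages.scm already imports it. The docstring of package-patched-vulnerabilities should also state the limit of the heuristic: any CVE id appearing in a patch's file name is taken as fixed, with no check that the patch covers the whole issue, and a patch named after several ids marks all of them fixed.

Review bot: the guix/scripts/lint.scm hunk changes the match from substring to exact: the old `(find (cute string-contains <> id) patches)` treated a patch named for CVE-2016-12345 as also fixing CVE-2016-1234, while the new `(member id patched)` compares whole identifiers extracted with CVE-[0-9]{4}-[0-9]+. That is the better behaviour, but it is a behaviour change for the cve checker and deserves a sentence in the commit message, which currently only says "Adjust to use".

Review bot: the tests/packages.scm hunk exercises string patches only; add a case whose patch is an origin, so the origin-actual-file-name branch of patch-file-name runs, and a case with a patch whose name carries no CVE id, so the empty result is pinned for a package that does have patches rather than only for p3, which has none.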
Subject: control message for bug #31442
From: ludo@HIDDEN (Ludovic Courtès)
To: control <at> debbugs.gnu.org
Date: Mon, 14 May 2018 10:26:19 +0200
Message-Id: <87wow6bq38.fsf@HIDDEN>
merge 31442 31443
Subject: control message for bug #31442
From: ludo@HIDDEN (Ludovic Courtès)
To: control <at> debbugs.gnu.org
Date: Mon, 14 May 2018 10:26:28 +0200
Message-Id: <87vabqbq2z.fsf@HIDDEN>
merge 31442 31444
Subject: [bug#31442] [PATCH 0/5] 'guix health': a tool to report vulnerable packages
From: ludo@HIDDEN (Ludovic Courtès)
To: 31442 <at> debbugs.gnu.org
Resent-Date: Sat, 09 Jun 2018 10:19:01 +0000
Date: Sat, 09 Jun 2018 12:18:06 +0200
In-Reply-To: <20180513202525.4010-1-ludo@HIDDEN> (Ludovic Courtès's message of "Sun, 13 May 2018 22:25:25 +0200")
Message-ID: <87po10gt5t.fsf@HIDDEN>

Hello,

Ludovic Courtès <ludo@HIDDEN> wrote:

> profiles: Add '%current-profile', 'user-friendly-profile', & co.
> packages: Add 'package-patched-vulnerabilities'.
> profiles: Add 'properties' field to manifest entries.
> profiles: Record fixed vulnerabilities as properties of entries.
> DRAFT Add 'guix health'.

I've just pushed the first three patches and the new 'guix pull' uses properties already.

Ludo'.
Subject: [bug#31442] [bug#31444] 'guix health': a tool to report vulnerable packages
From: zimoun <zimon.toutoune@HIDDEN>
To: ludo@HIDDEN (Ludovic Courtès)
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org
Resent-Date: Fri, 18 Sep 2020 22:45:02 +0000
References: <87fu2vjj76.fsf@HIDDEN>
Date: Sat, 19 Sep 2020 00:43:59 +0200
In-Reply-To: <87fu2vjj76.fsf@HIDDEN> (Ludovic Courtès's message of "Mon, 14 May 2018 00:15:41 +0200")
Message-ID: <864knuk8nk.fsf@HIDDEN>
Hi,

Digging in old bugs with patches, I hit this one. :-)

On Mon, 14 May 2018 at 00:15, ludo@HIDDEN (Ludovic Courtès) wrote:

> On IRC davidl shared a shell script that checks the output of ‘guix lint
> -c cve’ and uses that to determine vulnerable packages in a profile.
> That reminds me of the plan for ‘guix health’ (a tool to do just that),
> so I went ahead and tried to make it a reality at last.
>
> This ‘guix health’ reports information about “leaf” packages in a
> profile, but not about their dependencies:

Well, I do not know what the idea was at the time. :-)

(The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl does not list logs before 2019 for the nickname. Am I missing something?)

And I do not know if the idea is to report only “leaf” packages.

Well, instead of creating another new command, I think it would be better to include the “leaf” packages in “guix graph” and then pipe to “guix lint”. In other words, “guix graph” should help to manipulate the graph of packages.

I am not sure it fits the idea behind “guix health”, but the patch #43477 allows one to output only the nodes, for example.

<http://issues.guix.gnu.org/issue/43477>

Here is an example, to verify the SWH health of one profile. (Note that I chose the archival checker because it displays stuff.
:-))

--8<---------------cut here---------------start------------->8---
$ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
youtube-dl
mb2md
isync
xournal
ghostscript
imagemagick
mupdf
$ for pkg in \
> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
> do guix lint -c archival $pkg ; done
gnu/packages/video.scm:2169:12: youtube-dl@HIDDEN: source not archived on Software Heritage
gnu/packages/video.scm:1412:12: ffmpeg@HIDDEN: source not archived on Software Heritage
gnu/packages/autotools.scm:286:12: automake@HIDDEN: source not archived on Software Heritage
guix lint: error: autoconf-wrapper: package not found for version 2.69
gnu/packages/perl.scm:89:12: perl@HIDDEN: source not archived on Software Heritage
gnu/packages/guile.scm:141:11: guile@HIDDEN: source not archived on Software Heritage
gnu/packages/ed.scm:32:12: ed@HIDDEN: source not archived on Software Heritage
[...]
gnu/packages/xorg.scm:5280:6: libxcb@HIDDEN: source not archived on Software Heritage
guix lint: error: tzdata: package not found for version 2019c
gnu/packages/python.scm:514:2: python-minimal@HIDDEN: source not archived on Software Heritage
gnu/packages/xorg.scm:2140:6: xcb-proto@HIDDEN: source not archived on Software Heritage
[...]
gnu/packages/shells.scm:376:12: tcsh@HIDDEN: source not archived on Software Heritage
gnu/packages/icu4c.scm:43:11: icu4c@HIDDEN: Software Heritage rate limit reached; try again later
C-c
--8<---------------cut here---------------end--------------->8---

Obviously, the for-loop should be avoided. But an error raised by “guix lint” breaks the stream. Well, that’s another story. :-)

To summarize, instead of “guix health”, I suggest adding “features” to ‘guix graph’ (support manifest files, more facilities to manipulate/show the DAG).
> The difficulty here is that we need to know a package’s CPE name before
> we can check the CVE database, and we also need to know whether the
> package already includes fixes for known CVEs. This patch set attaches
> this information to manifest entries, so that ‘guix health’ can then
> rely on it.

Well, I am not sure I understand. Is it not somehow an issue of ‘guix lint -c cve’?

> Fundamentally, that means we cannot reliably tell much about
> dependencies: in cases where the CPE name differs from the Guix name, we
> won’t have any match, and more generally, we cannot know what CVEs are
> patched in the package; we could infer part of this by looking at the
> same-named package in the current Guix, but that’s hacky.
>
> I think that longer-term we probably need to attach this kind of
> meta-data to packages themselves, by adding a bunch of files in each
> package, say under PREFIX/guix. We could do that for search paths as
> well.

What is the status of this idea?

> Should we satisfy ourselves with the current approach in the meantime?
> Thoughts?
>
> Besides, support for properties in manifest entries seems useful to me,
> so we may want to keep it regardless of whether we take ‘guix health’
> as-is.

I am not sure that my email is relevant, but at least it will ping for ‘guix health’. :-)

Cheers,
simon
Subject: [bug#31442] [bug#31444] 'guix health': a tool to report vulnerable packages
From: Ludovic Courtès <ludo@HIDDEN>
To: zimoun <zimon.toutoune@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org
Resent-Date: Fri, 25 Sep 2020 16:35:02 +0000
References: <87fu2vjj76.fsf@HIDDEN> <864knuk8nk.fsf@HIDDEN>
Date: Fri, 25 Sep 2020 18:34:00 +0200
In-Reply-To: <864knuk8nk.fsf@HIDDEN> (zimoun's message of "Sat, 19 Sep 2020 00:43:59 +0200")
Message-ID: <87a6xdiznr.fsf@HIDDEN>

Hi!

zimoun <zimon.toutoune@HIDDEN> wrote:

> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. In other words, “guix graph” should help to manipulate the graph of
> packages.

I don’t think so.

One reason is that ‘guix lint’ is really a generic tool for package developers that happens to include a ‘cve’ checker; apart from that, it’s not designed for CVE handling.
More importantly, =E2=80=98guix health=E2=80=99 needs info not available in= the output of =E2=80=98guix lint=E2=80=99: it needs the CPE name of each package in th= e graph, along with the list of known-fixed CVEs. >> Fundamentally, that means we cannot reliably tell much about >> dependencies: in cases where the CPE name differs from the Guix name, we >> won=E2=80=99t have any match, and more generally, we cannot know what CV= E are >> patched in the package; we could infer part of this by looking at the >> same-named package in the current Guix, but that=E2=80=99s hacky. >> >> I think that longer-term we probably need to attach this kind of >> meta-data to packages themselves, by adding a bunch of files in each >> package, say under PREFIX/guix. We could do that for search paths as >> well. > > What is the status of this idea? The idea is still up in the air. :-) In the meantime, package metadata is added to manifest entries. Ludo=E2=80=99.
Subject: [bug#31442] bug#31444: 'guix health': a tool to report vulnerable packages
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: zimoun <zimon.toutoune@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org
Date: Fri, 21 Jul 2023 12:44:11 -0400
Message-ID: <87o7k5i59g.fsf_-_@HIDDEN>
In-Reply-To: <864knuk8nk.fsf@HIDDEN> (zimoun's message of "Sat, 19 Sep 2020 00:43:59 +0200")

Hi Simon,

zimoun <zimon.toutoune@HIDDEN> writes:

> Hi,
>
> Digging into old bugs with patches, I hit this one. :-)
>
>
> On Mon, 14 May 2018 at 00:15, ludo@HIDDEN (Ludovic Courtès) wrote:
>
>> On IRC davidl shared a shell script that checks the output of ‘guix lint
>> -c cve’ and uses that to determine vulnerable packages in a profile.
>> That reminds me of the plan for ‘guix health’ (a tool to do just that),
>> so I went ahead and tried to make it a reality at last.
>>
>> This ‘guix health’ reports information about “leaf” packages in a
>> profile, but not about their dependencies:
>
> Well, I do not know what was the idea at the time. :-)
> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
> does not list logs before 2019 for the nickname.  Am I missing something?)
>
> And I do not know if the idea is to report only “leaf” packages.
>
> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. Said otherwise, “guix graph” should help to manipulate the graph of
> packages.

I like this idea of composing our already existing commands, the
UNIX way.  It'd be useful not just for this use case, but to better
exploit the Guix command line API in general.

> I am not sure it fits the idea behind “guix health” but the patch #43477
> allows outputting only the nodes, for example.
>
> <http://issues.guix.gnu.org/issue/43477>
>
>
> Here is an example, to verify the SWH health of one profile.  (Note I
> chose the archival checker because it displays stuff. :-))
>
> $ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
> youtube-dl
> mb2md
> isync
> xournal
> ghostscript
> imagemagick
> mupdf
>
> $for pkg in \
>> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
>> do guix lint -c archival $pkg ; done
> gnu/packages/video.scm:2169:12: youtube-dl@HIDDEN: source not archived on Software Heritage
> gnu/packages/video.scm:1412:12: ffmpeg@HIDDEN: source not archived on Software Heritage
> gnu/packages/autotools.scm:286:12: automake@HIDDEN: source not archived on Software Heritage
> guix lint: error: autoconf-wrapper: package not found for version 2.69
> gnu/packages/perl.scm:89:12: perl@HIDDEN: source not archived on Software Heritage
> gnu/packages/guile.scm:141:11: guile@HIDDEN: source not archived on Software Heritage
> gnu/packages/ed.scm:32:12: ed@HIDDEN: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/xorg.scm:5280:6: libxcb@HIDDEN: source not archived on Software Heritage
> guix lint: error: tzdata: package not found for version 2019c
> gnu/packages/python.scm:514:2: python-minimal@HIDDEN: source not archived on Software Heritage
> gnu/packages/xorg.scm:2140:6: xcb-proto@HIDDEN: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/shells.scm:376:12: tcsh@HIDDEN: source not archived on Software Heritage
> gnu/packages/icu4c.scm:43:11: icu4c@HIDDEN: Software Heritage rate limit reached; try again later
> C-c
>
> Obviously, the for-loop should be avoided.  But an error raised by
> “guix lint” breaks the stream.  Well, that’s another story. :-)
>
>
> To summarize, instead of “guix health”, I suggest adding “features” to
> ‘guix graph’ (support manifest files, more facilities to manipulate/show
> the DAG).

I like this idea too.

>
>> The difficulty here is that we need to know a package’s CPE name before
>> we can check the CVE database, and we also need to know whether the
>> package already includes fixes for known CVEs.  This patch set attaches
>> this information to manifest entries, so that ‘guix health’ can then
>> rely on it.
>
> Well, I am not sure I understand.  Is it not somehow an issue of ‘guix
> lint -c cve’?

This is my understanding as well.

Ludo, if your proposition has gone stale and you don't plan to work on
it anytime soon, feel free to close it.

-- 
Thanks,
Maxim
Subject: [bug#31442] bug#31444: 'guix health': a tool to report vulnerable packages
From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org, zimoun <zimon.toutoune@HIDDEN>
Date: Fri, 08 Sep 2023 18:25:53 +0200
Message-ID: <87jzt04ooe.fsf@HIDDEN>
In-Reply-To: <87o7k5i59g.fsf_-_@HIDDEN> (Maxim Cournoyer's message of "Fri, 21 Jul 2023 12:44:11 -0400")

Hello!

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> zimoun <zimon.toutoune@HIDDEN> writes:

[...]

>>> This ‘guix health’ reports information about “leaf” packages in a
>>> profile, but not about their dependencies:
>>
>> Well, I do not know what was the idea at the time. :-)
>> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
>> does not list logs before 2019 for the nickname.  Am I missing something?)
>>
>> And I do not know if the idea is to report only “leaf” packages.

Reporting only leaf packages was a limitation, not a goal.

The limitation stemmed from the fact that, to determine whether a
package is vulnerable, we need to (1) map its store file name to its
package name, and (2) map its package name to its CPE name.  We can do
#1 via manifests, but only for leaf packages (because there’s no
metadata available for other store items).

>> Well, instead of creating another new command, I think it would be better
>> to include the “leaf” packages in “guix graph” and then pipe to “guix
>> lint”. Said otherwise, “guix graph” should help to manipulate the graph of
>> packages.
>
> I like this idea of composing our already existing commands, the
> UNIX way.  It'd be useful not just for this use case, but to better
> exploit the Guix command line API in general.

I’m all for composition, who wouldn’t?  :-)

I think composition works best within a rich language; sending text over
pipes is often too limited.

[...]

> Ludo, if your proposition has gone stale and you don't plan to work on
> it anytime soon, feel free to close it.

There’s been progress since I posted this patch: manifests now include
provenance info, which means we can map profiles back to package
definitions!  So we could make a proper ‘guix health’ at this stage.

I’d like to say I’ll work on it soon, but the reality is that I’m a bit
swamped.  Anyhow, I think it remains a useful tool, and whether it’s me
or someone else working on it, we should probably aim for it at some
point.

Thanks,
Ludo’.
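The matching steps Ludo describes across the thread (store file name to package name, package name to CPE name, then the CVE database minus known-fixed CVEs), as an added Python model that is not Guix code and not part of the thread; the ManifestEntry shape, the CVE feed with its placeholder IDs, and the store paths are all constructed.

```python
from dataclasses import dataclass

# Constructed CVE feed, placeholder IDs: CPE product -> [(cve, affected versions)].
CVE_FEED = {
    "python": [("CVE-XXXX-0001", {"3.8.2", "3.8.3"})],
    "ghostscript": [("CVE-XXXX-0002", {"9.52"}), ("CVE-XXXX-0003", {"9.52"})],
}

@dataclass(frozen=True)
class ManifestEntry:
    """Per-package metadata the thread says 'guix health' needs (hypothetical shape)."""
    name: str                # Guix package name
    version: str
    cpe_name: str            # CPE product name; may differ from the Guix name
    patched_cves: frozenset  # CVEs already fixed by patches carried in the package

def open_cves(entry, feed=CVE_FEED):
    """Step 2: look the package up by CPE name, drop CVEs it already fixes."""
    hits = {cve for cve, versions in feed.get(entry.cpe_name, [])
            if entry.version in versions}
    return sorted(hits - entry.patched_cves)

def infer_from_store_path(path):
    """Step 1 without manifest metadata: guess (name, version) from a
    /gnu/store/<hash>-name-version file name (version = first dash-separated
    part that starts with a digit)."""
    stem = path.rsplit("/", 1)[-1].split("-", 1)[1]  # drop the hash prefix
    parts = stem.split("-")
    for i, part in enumerate(parts):
        if part[:1].isdigit():
            return "-".join(parts[:i]), "-".join(parts[i:])
    return stem, ""

def health_report(manifest, dependency_paths, feed=CVE_FEED):
    """Leaf packages: matched via manifest metadata. Dependencies: only their
    store file name is known, so the Guix name stands in for the CPE name;
    that is the silent-miss case Ludo describes, hence 'unverified'."""
    report = {}
    for entry in manifest:
        cves = open_cves(entry, feed)
        if cves:
            report[f"{entry.name}@{entry.version}"] = ("vulnerable", cves)
    for path in dependency_paths:
        name, version = infer_from_store_path(path)
        guess = ManifestEntry(name, version, cpe_name=name, patched_cves=frozenset())
        report[f"{name}@{version}"] = ("unverified", open_cves(guess, feed))
    return report

# Constructed profile: leaf packages with metadata, plus two dependency store items.
MANIFEST = [
    ManifestEntry("python-minimal", "3.8.2", "python", frozenset({"CVE-XXXX-0001"})),
    ManifestEntry("ghostscript", "9.52", "ghostscript", frozenset({"CVE-XXXX-0002"})),
    ManifestEntry("mupdf", "1.16.1", "mupdf", frozenset()),
]
DEPENDENCIES = [  # python-minimal 3.8.3 IS affected, but the Guix name finds nothing
    "/gnu/store/00000000000000000000000000000000-python-minimal-3.8.3",
    "/gnu/store/00000000000000000000000000000000-guile-3.0.4",
]
```

Running health_report(MANIFEST, DEPENDENCIES) flags ghostscript@9.52 with the one unpatched CVE and reports both dependencies as unverified, which is exactly the gap that per-package CPE metadata would close.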