From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org, zimoun <zimon.toutoune@HIDDEN>
Subject: Re: bug#31444: 'guix health': a tool to report vulnerable packages
Date: Fri, 08 Sep 2023 18:25:53 +0200
Message-ID: <87jzt04ooe.fsf@HIDDEN>
In-Reply-To: <87o7k5i59g.fsf_-_@HIDDEN> (Maxim Cournoyer's message of "Fri, 21 Jul 2023 12:44:11 -0400")

Hello!

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> zimoun <zimon.toutoune@HIDDEN> writes:

[...]

>>> This ‘guix health’ reports information about “leaf” packages in a
>>> profile, but not about their dependencies:
>>
>> Well, I do not know what was the idea at the time. :-)
>> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
>> does not list logs before 2019 for the nickname. Do I miss something?)
>>
>> And I do not know if the idea is to report only “leaf” packages.

Reporting only leaf packages was a limitation, not a goal.

The limitation stemmed from the fact that, to determine whether a package is vulnerable, we need to (1) map its store file name to its package name, and (2) map its package name to its CPE name. We can do #1 via manifests, but only for leaf packages (because there’s no metadata available for other store items).

>> Well, instead of creating another new command, I think it would be better
>> to include the “leaf” packages in “guix graph” and then pipe to “guix
>> lint”. In other words, “guix graph” should help to manipulate the graph of
>> packages.
>
> I like this idea to allow composing our already existing commands, the
> UNIX way. It'd be useful not just for this use case, but to better
> exploit the Guix command line API in general.

I’m all for composition, who wouldn’t? :-)

I think composition works best within a rich language; sending text over pipes is often too limited.

[...]

> Ludo, if your proposition has gone stale and you don't plan to work on
> it anytime soon, feel free to close it.

There’s been progress since I posted this patch: manifests now include provenance info, which means we can map profiles back to package definitions! So we could make a proper ‘guix health’ at this stage.

I’d like to say I’ll work on it soon but reality is that I’m a bit swamped. Anyhow, I think it remains a useful tool, and whether it’s me or someone else working on it, we should probably aim for it at some point.

Thanks,
Ludo’.
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: zimoun <zimon.toutoune@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org
Subject: Re: bug#31444: 'guix health': a tool to report vulnerable packages
Date: Fri, 21 Jul 2023 12:44:11 -0400
Message-ID: <87o7k5i59g.fsf_-_@HIDDEN>
In-Reply-To: <864knuk8nk.fsf@HIDDEN> (zimoun's message of "Sat, 19 Sep 2020 00:43:59 +0200")

Hi Simon,

zimoun <zimon.toutoune@HIDDEN> writes:

> Hi,
>
> Digging in old bugs with patches, hit this one. :-)
>
>
> On Mon, 14 May 2018 at 00:15, ludo@HIDDEN (Ludovic Courtès) wrote:
>
>> On IRC davidl shared a shell script that checks the output of ‘guix lint
>> -c cve’ and uses that to determine vulnerable packages in a profile.
>> That reminds me of the plan for ‘guix health’ (a tool to do just that),
>> so I went ahead and tried to make it a reality at last.
>>
>> This ‘guix health’ reports information about “leaf” packages in a
>> profile, but not about their dependencies:
>
> Well, I do not know what was the idea at the time. :-)
> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
> does not list logs before 2019 for the nickname. Do I miss something?)
>
> And I do not know if the idea is to report only “leaf” packages.
>
> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. In other words, “guix graph” should help to manipulate the graph of
> packages.

I like this idea to allow composing our already existing commands, the UNIX way. It'd be useful not just for this use case, but to better exploit the Guix command line API in general.

> I am not sure it fits the idea behind “guix health” but the patch #43477
> allows to only output the nodes, for example.
>
> <http://issues.guix.gnu.org/issue/43477>
>
>
> Here is an example, to verify the SWH health of one profile. (Note I
> chose the archival checker because it displays stuff. :-))
>
> $ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
> youtube-dl
> mb2md
> isync
> xournal
> ghostscript
> imagemagick
> mupdf
>
> $ for pkg in \
>> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
>> do guix lint -c archival $pkg ; done
> gnu/packages/video.scm:2169:12: youtube-dl@HIDDEN: source not archived on Software Heritage
> gnu/packages/video.scm:1412:12: ffmpeg@HIDDEN: source not archived on Software Heritage
> gnu/packages/autotools.scm:286:12: automake@HIDDEN: source not archived on Software Heritage
> guix lint: error: autoconf-wrapper: package not found for version 2.69
> gnu/packages/perl.scm:89:12: perl@HIDDEN: source not archived on Software Heritage
> gnu/packages/guile.scm:141:11: guile@HIDDEN: source not archived on Software Heritage
> gnu/packages/ed.scm:32:12: ed@HIDDEN: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/xorg.scm:5280:6: libxcb@HIDDEN: source not archived on Software Heritage
> guix lint: error: tzdata: package not found for version 2019c
> gnu/packages/python.scm:514:2: python-minimal@HIDDEN: source not archived on Software Heritage
> gnu/packages/xorg.scm:2140:6: xcb-proto@HIDDEN: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/shells.scm:376:12: tcsh@HIDDEN: source not archived on Software Heritage
> gnu/packages/icu4c.scm:43:11: icu4c@HIDDEN: Software Heritage rate limit reached; try again later
> C-c
>
> Obviously, the for-loop should be avoided. But raising an error by
> “guix lint” breaks the stream. Well, that’s another story. :-)
>
>
> To summarize, instead of “guix health”, I suggest adding “features” to
> ‘guix graph’ (support manifest files, more facilities to manipulate/show
> the DAG).

I like this idea too.

>
>> The difficulty here is that we need to know a package’s CPE name before
>> we can check the CVE database, and we also need to know whether the
>> package already includes fixes for known CVEs. This patch set attaches
>> this information to manifest entries, so that ‘guix health’ can then
>> rely on it.
>
> Well, I am not sure I understand. Is it not somehow an issue of ‘guix
> lint -c cve’?

This is my understanding as well.

Ludo, if your proposition has gone stale and you don't plan to work on it anytime soon, feel free to close it.

-- 
Thanks,
Maxim
From: Ludovic Courtès <ludo@HIDDEN>
To: zimoun <zimon.toutoune@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Fri, 25 Sep 2020 18:34:00 +0200
Message-ID: <87a6xdiznr.fsf@HIDDEN>
In-Reply-To: <864knuk8nk.fsf@HIDDEN> (zimoun's message of "Sat, 19 Sep 2020 00:43:59 +0200")

Hi!

zimoun <zimon.toutoune@HIDDEN> skribis:

> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. In other words, “guix graph” should help to manipulate the graph of
> packages.

I don’t think so.

One reason is that ‘guix lint’ is really a generic tool for package developers that happens to include a ‘cve’ checker; apart from that, it’s not designed for CVE handling.

More importantly, ‘guix health’ needs info not available in the output of ‘guix lint’: it needs the CPE name of each package in the graph, along with the list of known-fixed CVEs.

>> Fundamentally, that means we cannot reliably tell much about
>> dependencies: in cases where the CPE name differs from the Guix name, we
>> won’t have any match, and more generally, we cannot know what CVEs are
>> patched in the package; we could infer part of this by looking at the
>> same-named package in the current Guix, but that’s hacky.
>>
>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix. We could do that for search paths as
>> well.
>
> What is the status of this idea?

The idea is still up in the air. :-)

In the meantime, package metadata is added to manifest entries.

Ludo’.
From: zimoun <zimon.toutoune@HIDDEN>
To: ludo@HIDDEN (Ludovic Courtès)
Cc: Ricardo Wurmus <rekado@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Sat, 19 Sep 2020 00:43:59 +0200
Message-ID: <864knuk8nk.fsf@HIDDEN>
In-Reply-To: <87fu2vjj76.fsf@HIDDEN> (Ludovic Courtès's message of "Mon, 14 May 2018 00:15:41 +0200")

Hi,

Digging in old bugs with patches, hit this one. :-)

On Mon, 14 May 2018 at 00:15, ludo@HIDDEN (Ludovic Courtès) wrote:

> On IRC davidl shared a shell script that checks the output of ‘guix lint
> -c cve’ and uses that to determine vulnerable packages in a profile.
> That reminds me of the plan for ‘guix health’ (a tool to do just that),
> so I went ahead and tried to make it a reality at last.
>
> This ‘guix health’ reports information about “leaf” packages in a
> profile, but not about their dependencies:

Well, I do not know what was the idea at the time. :-)
(The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
does not list logs before 2019 for the nickname. Do I miss something?)

And I do not know if the idea is to report only “leaf” packages.

Well, instead of creating another new command, I think it would be better
to include the “leaf” packages in “guix graph” and then pipe to “guix
lint”. In other words, “guix graph” should help to manipulate the graph of
packages.

I am not sure it fits the idea behind “guix health” but the patch #43477
allows to only output the nodes, for example.

<http://issues.guix.gnu.org/issue/43477>

Here is an example, to verify the SWH health of one profile. (Note I
chose the archival checker because it displays stuff. :-))

--8<---------------cut here---------------start------------->8---
$ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
youtube-dl
mb2md
isync
xournal
ghostscript
imagemagick
mupdf

$ for pkg in \
> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
> do guix lint -c archival $pkg ; done
gnu/packages/video.scm:2169:12: youtube-dl@HIDDEN: source not archived on Software Heritage
gnu/packages/video.scm:1412:12: ffmpeg@HIDDEN: source not archived on Software Heritage
gnu/packages/autotools.scm:286:12: automake@HIDDEN: source not archived on Software Heritage
guix lint: error: autoconf-wrapper: package not found for version 2.69
gnu/packages/perl.scm:89:12: perl@HIDDEN: source not archived on Software Heritage
gnu/packages/guile.scm:141:11: guile@HIDDEN: source not archived on Software Heritage
gnu/packages/ed.scm:32:12: ed@HIDDEN: source not archived on Software Heritage

[...]

gnu/packages/xorg.scm:5280:6: libxcb@HIDDEN: source not archived on Software Heritage
guix lint: error: tzdata: package not found for version 2019c
gnu/packages/python.scm:514:2: python-minimal@HIDDEN: source not archived on Software Heritage
gnu/packages/xorg.scm:2140:6: xcb-proto@HIDDEN: source not archived on Software Heritage

[...]

gnu/packages/shells.scm:376:12: tcsh@HIDDEN: source not archived on Software Heritage
gnu/packages/icu4c.scm:43:11: icu4c@HIDDEN: Software Heritage rate limit reached; try again later
C-c
--8<---------------cut here---------------end--------------->8---

Obviously, the for-loop should be avoided. But raising an error by
“guix lint” breaks the stream. Well, that’s another story. :-)

To summarize, instead of “guix health”, I suggest adding “features” to
‘guix graph’ (support manifest files, more facilities to manipulate/show
the DAG).

> The difficulty here is that we need to know a package’s CPE name before
> we can check the CVE database, and we also need to know whether the
> package already includes fixes for known CVEs. This patch set attaches
> this information to manifest entries, so that ‘guix health’ can then
> rely on it.

Well, I am not sure I understand. Is it not somehow an issue of ‘guix
lint -c cve’?

> Fundamentally, that means we cannot reliably tell much about
> dependencies: in cases where the CPE name differs from the Guix name, we
> won’t have any match, and more generally, we cannot know what CVEs are
> patched in the package; we could infer part of this by looking at the
> same-named package in the current Guix, but that’s hacky.
>
> I think that longer-term we probably need to attach this kind of
> meta-data to packages themselves, by adding a bunch of files in each
> package, say under PREFIX/guix. We could do that for search paths as
> well.

What is the status of this idea?

> Should we satisfy ourselves with the current approach in the meantime?
> Thoughts?
>
> Besides, support for properties in manifest entries seems useful to me,
> so we may want to keep it regardless of whether we take ‘guix health’
> as-is.

I am not sure that my email is relevant, but at least it will ping for
‘guix health’. :-)

Cheers,
simon
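The two mappings Ludo describes above (store item to package name via the profile's manifest, then package name to CPE name) together with the known-fixed CVE list the patch set attaches to manifest entries, worked through as an added Python sketch. This is illustration code, not Guix's own; the property key names, the shape of the CVE feed, and the convention of recovering fixed CVEs from patch file names are assumptions, and every package name and CVE id in it is a constructed placeholder.

```python
"""Core of a 'guix health'-style check (added illustration, not Guix code)."""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class ManifestEntry:
    """One profile entry; 'properties' stands in for the metadata the thread
    proposes attaching to manifest entries (the key names are assumptions)."""
    name: str
    version: str
    item: str                                    # /gnu/store/... output path
    properties: dict = field(default_factory=dict)


@dataclass
class CveRecord:
    """Constructed stand-in for one CVE feed entry: CPE product name plus an
    affected version range (start inclusive, end exclusive, "" = open)."""
    cve_id: str
    cpe_name: str
    start_including: str = ""
    end_excluding: str = ""


def parse_version(version):
    """'1.2.10' -> (1, 2, 10); non-numeric pieces sort before any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def version_lt(a, b):
    """Numeric comparison, zero-padded so that 1.3 equals 1.3.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def affected(record, version):
    """Is this version inside the record's [start, end) range?"""
    if record.start_including and version_lt(version, record.start_including):
        return False
    if record.end_excluding and not version_lt(version, record.end_excluding):
        return False
    return True


def cpe_name(entry):
    """Mapping (2) from the thread: Guix name -> CPE name.  Falling back to the
    Guix name is exactly where a differently named package silently fails to match."""
    return entry.properties.get("cpe-name", entry.name)


def patched_cves(entry):
    """CVEs the package already carries fixes for: an explicit property plus
    CVE ids found in patch file names (assumed convention foo-CVE-YYYY-NNNN.patch)."""
    fixed = set(entry.properties.get("patched-cves", ()))
    for patch in entry.properties.get("patches", ()):
        fixed.update(CVE_RE.findall(patch))
    return fixed


def lookup_store_item(manifest, item):
    """Mapping (1) from the thread: store file name -> manifest entry.  Returns
    None for items that are only dependencies: the 'leaf packages only' limit."""
    return next((e for e in manifest if e.item == item), None)


def health_report(manifest, feed):
    """{Guix package name: sorted open CVE ids}; clean packages are omitted."""
    report = {}
    for entry in manifest:
        name = cpe_name(entry)
        version = entry.properties.get("cpe-version", entry.version)
        fixed = patched_cves(entry)
        open_cves = sorted(r.cve_id for r in feed
                           if r.cpe_name == name and affected(r, version)
                           and r.cve_id not in fixed)
        if open_cves:
            report[entry.name] = open_cves
    return report


# Constructed sample data: placeholder package names and CVE ids, not real ones.
SAMPLE_MANIFEST = [
    # Guix name equals the CPE name; one CVE is already fixed by a bundled patch.
    ManifestEntry("foo", "1.2.3", "/gnu/store/000000000000000000000000000000aa-foo-1.2.3",
                  {"patches": ["foo-CVE-2099-0001.patch"]}),
    # Guix name differs from the CPE product: only the property makes it match.
    ManifestEntry("bar-minimal", "4.0", "/gnu/store/000000000000000000000000000000bb-bar-minimal-4.0",
                  {"cpe-name": "bar"}),
    # Version is past the fixed release: not affected.
    ManifestEntry("baz", "2.0", "/gnu/store/000000000000000000000000000000cc-baz-2.0"),
]
SAMPLE_FEED = [
    CveRecord("CVE-2099-0001", "foo", end_excluding="1.2.4"),
    CveRecord("CVE-2099-0002", "foo", start_including="1.2.0", end_excluding="1.3"),
    CveRecord("CVE-2099-0003", "bar", end_excluding="4.1"),
    CveRecord("CVE-2099-0004", "baz", end_excluding="1.9"),
]

if __name__ == "__main__":
    for pkg, cves in health_report(SAMPLE_MANIFEST, SAMPLE_FEED).items():
        print(f"{pkg}: {', '.join(cves)}")
```

Dropping the "cpe-name" property from the bar-minimal entry makes it disappear from the report, which is the silent miss for dependencies that Ludo's quoted paragraph warns about.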
From: ludo@HIDDEN (Ludovic Courtès)
To: Nils Gillmann <ng0@HIDDEN>
Cc: 31444 <at> debbugs.gnu.org
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Tue, 15 May 2018 09:24:59 +0200
Message-ID: <87y3gljs8k.fsf@HIDDEN>
In-Reply-To: <20180514164941.kjokoakkooajpunx@abyayala> (Nils Gillmann's message of "Mon, 14 May 2018 16:49:41 +0000")

Hi!

Nils Gillmann <ng0@HIDDEN> skribis:

> Did you intend to attach a patch to one of the 3 or 4 messages that made
> it to the bugtracker? I've checked when you've sent the message and today
> and saw no patches. I'm interested in the code, the general idea sounds good.

They eventually made it there:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31442

But Debbugs is weird; for some reason it failed to reply for several hours.

>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix. We could do that for search paths as
>> well.
>
> If you mean with metadata what I understand:
> I've started playing with this idea a while back. It would be good to attach
> more information to the package, mentioned in the past was "support the developers"
> links (not everyone publishes this on their website).
> Personally I'm going to make use of the "maintainer" function for packages,
> so people know where (hopefully relatively) exactly the package came from.

Well this is not the kind of meta-data I had in mind, and for that I think a field in <package> is good enough.

> Anyways, I have some other package related experiments.. Did you have anything
> else in mind, other than search-paths and CVE information?

Not really, but that would be extensible.

The bigger picture is that of packages that would remain live data structures, as Ricardo proposed a while back. I don’t think we can go this far (in the sense of being able to reconstruct a <package> from its output), but having some metadata kept around can help.

Thanks,
Ludo’.
Date: Mon, 14 May 2018 16:49:41 +0000
From: Nils Gillmann <ng0@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Message-ID: <20180514164941.kjokoakkooajpunx@abyayala>
In-Reply-To: <87fu2vjj76.fsf@HIDDEN>
Cc: 31444 <at> debbugs.gnu.org

Ludovic Courtès transcribed 3.4K bytes:
> Hello Guix!
>
> On IRC davidl shared a shell script that checks the output of ‘guix lint
> -c cve’ and uses that to determine vulnerable packages in a profile.
> That reminds me of the plan for ‘guix health’ (a tool to do just that),
> so I went ahead and tried to make it a reality at last.
>
> This ‘guix health’ reports information about “leaf” packages in a
> profile, but not about their dependencies:

Did you intend to attach a patch to one of the 3 or 4 messages that made
it to the bugtracker? I've checked when you've sent the message and today
and saw no patches. I'm interested in the code, the general idea sounds good.

> --8<---------------cut here---------------start------------->8---
> $ ./pre-inst-env guix health -p /run/current-system/profile/
> guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
> guix health: warning: util-linux@HIDDEN is available but does not fix any of these
> hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If
> none are available, please consider submitting a patch for the package definition of
> 'util-linux'.
>
>
> guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
> guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
> guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
> guix health: warning: tar@HIDDEN is available but does not fix any of these
> hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If
> none are available, please consider submitting a patch for the package definition of
> 'tar'.
> --8<---------------cut here---------------end--------------->8---
>
> The difficulty here is that we need to know a package’s CPE name before
> we can check the CVE database, and we also need to know whether the
> package already includes fixes for known CVEs. This patch set attaches
> this information to manifest entries, so that ‘guix health’ can then
> rely on it.
>
> Fundamentally, that means we cannot reliably tell much about
> dependencies: in cases where the CPE name differs from the Guix name, we
> won’t have any match, and more generally, we cannot know what CVE are
> patched in the package; we could infer part of this by looking at the
> same-named package in the current Guix, but that’s hacky.
>
> I think that longer-term we probably need to attach this kind of
> meta-data to packages themselves, by adding a bunch of files in each
> package, say under PREFIX/guix. We could do that for search paths as
> well.

If you mean with metadata what I understand:
I've started playing with this idea a while back. It would be good to attach
more information to the package, mentioned in the past was "support the developers"
links (not everyone publishes this on their website).
Personally I'm going to make use of the "maintainer" function for packages,
so people know where (hopefully relatively) exactly the package came from.

Anyways, I have some other package related experiments.. Did you have anything
else in mind, other than search-paths and CVE information?

> Should we satisfy ourselves with the current approach in the meantime?
> Thoughts?
>
> Besides, support for properties in manifest entries seems useful to me,
> so we may want to keep it regardless of whether we take ‘guix health’
> as-is.
>
> Ludo’.
>
> Ludovic Courtès (5):
>   profiles: Add '%current-profile', 'user-friendly-profile', & co.
>   packages: Add 'package-patched-vulnerabilities'.
>   profiles: Add 'properties' field to manifest entries.
>   profiles: Record fixed vulnerabilities as properties of entries.
>   DRAFT Add 'guix health'.
>
>  Makefile.am              |   1 +
>  guix/packages.scm        |  28 +++++++
>  guix/profiles.scm        |  91 ++++++++++++++++++++--
>  guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
>  guix/scripts/lint.scm    |  23 +-----
>  guix/scripts/package.scm |  40 ----------
>  po/guix/POTFILES.in      |   1 +
>  tests/packages.scm       |  15 ++++
>  tests/profiles.scm       |  22 ++++++
>  9 files changed, 312 insertions(+), 67 deletions(-)
>  create mode 100644 guix/scripts/health.scm
>
> --
> 2.17.0
From: ludo@HIDDEN (Ludovic Courtès)
To: Martin Castillo <castilma@HIDDEN>
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 11:07:10 +0200
In-Reply-To: <f7776a30-f164-3b78-5164-3df5d7d84718@HIDDEN> (Martin Castillo's message of "Mon, 14 May 2018 10:06:46 +0200")
Message-ID: <87r2mea9mp.fsf@HIDDEN>
Cc: 31444 <at> debbugs.gnu.org

Hello,

Martin Castillo <castilma@HIDDEN> skribis:

> On 14.05.2018 00:15, Ludovic Courtès wrote:
>> [...] shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
>                                                                      ^typo
>
>> Should we satisfy ourselves with the current approach in the meantime?
>
> Release early and often would say yes. But I'm not an experienced developer.

OK.

> I have the feeling that guix lint does not cache the CVEs it fetches. I
> think it should.

It does: it caches them in ~/.cache/guix/http and then uses
‘If-Modified-Since’ to avoid re-fetching the database if the cached copy
is up-to-date.

Now the 2018 database obviously keeps changing, so caching helps when
you’re running ‘guix lint’ several times in a row (say while reviewing
packages), but it doesn’t help much if you run it once a day or less.

Also, it fetches the whole database for a year. I think they publish
diffs as well, but using them seems tricky.

Ludo’.
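The revalidation Ludo describes (a local copy of the CVE feed plus an ‘If-Modified-Since’ conditional GET so that an unchanged feed is not transferred again) written out as an added Python example; this is not Guix's Guile code and not part of the thread. Guix keeps its copies under ~/.cache/guix/http; the on-disk layout used here, the FakeNvdServer standing in for the feed origin and the feed URL are assumptions made for this illustration.

```python
"""Disk cache with If-Modified-Since revalidation (added example, not Guix code).

The cache directory layout, FakeNvdServer and the feed URL are assumptions
made for this illustration; Guix's own cache lives under ~/.cache/guix/http.
"""
import hashlib
import json
import os
import tempfile
from email.utils import formatdate, parsedate_to_datetime


class FakeNvdServer:
    """Stand-in for the CVE feed origin (constructed for this example).

    Answers a conditional GET the way an HTTP origin does: 200 with a
    Last-Modified header, or 304 Not Modified when the client's
    If-Modified-Since date is at least as recent as the resource.
    """

    def __init__(self, body, last_modified):
        self.body = body
        self.last_modified = last_modified   # POSIX timestamp of the feed
        self.full_transfers = 0              # how often the whole feed was sent

    def publish(self, body, when):
        """Simulate the feed being regenerated at time `when`."""
        self.body, self.last_modified = body, when

    def request(self, url, headers):
        """Return (status, response headers, body) for one GET."""
        ims = headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims).timestamp() >= self.last_modified:
            return 304, {}, b""
        self.full_transfers += 1
        return 200, {"Last-Modified": formatdate(self.last_modified, usegmt=True)}, self.body


class HttpCache:
    """Store response bodies on disk and revalidate them with If-Modified-Since."""

    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)

    def _paths(self, url):
        # One body file and one metadata file per URL, keyed by the URL's hash.
        key = hashlib.sha256(url.encode()).hexdigest()
        base = os.path.join(self.directory, key)
        return base + ".body", base + ".meta"

    def fetch(self, url, request):
        """Return (body, source); source is 'cache' on a 304, else 'network'."""
        body_path, meta_path = self._paths(url)
        headers = {}
        if os.path.exists(body_path) and os.path.exists(meta_path):
            with open(meta_path) as f:
                headers["If-Modified-Since"] = json.load(f)["last_modified"]
        status, resp_headers, body = request(url, headers)
        if status == 304:                      # unchanged: reuse the local copy
            with open(body_path, "rb") as f:
                return f.read(), "cache"
        if status != 200:
            raise RuntimeError(f"unexpected status {status} for {url}")
        with open(body_path, "wb") as f:       # new or changed: replace the copy
            f.write(body)
        with open(meta_path, "w") as f:
            json.dump({"last_modified": resp_headers["Last-Modified"]}, f)
        return body, "network"


def demo():
    """Cold fetch, revalidation of an unchanged feed, then a changed feed."""
    server = FakeNvdServer(b'{"CVE_Items": []}', last_modified=1_526_256_000.0)
    cache = HttpCache(tempfile.mkdtemp(prefix="guix-http-cache-"))
    url = "https://feed.example/nvdcve-2018.json"   # placeholder URL
    sources = []
    sources.append(cache.fetch(url, server.request)[1])   # 'network'
    sources.append(cache.fetch(url, server.request)[1])   # 304 -> 'cache'
    server.publish(b'{"CVE_Items": [{"id": "CVE-2018-7738"}]}', when=1_526_342_400.0)
    body, source = cache.fetch(url, server.request)       # 200 -> 'network'
    sources.append(source)
    return {"sources": sources, "full_transfers": server.full_transfers, "body": body}


if __name__ == "__main__":
    print(demo()["sources"])
```

The second fetch costs one round trip with an empty 304 body, which is the saving when ‘guix lint’ is run several times in a row; once the feed is regenerated the whole file is transferred again, which is why the cache helps little for a once-a-day run.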
From: Martin Castillo <castilma@HIDDEN>
To: guix-patches@HIDDEN
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 10:06:46 +0200
Message-ID: <f7776a30-f164-3b78-5164-3df5d7d84718@HIDDEN>
In-Reply-To: <87fu2vjj76.fsf@HIDDEN>

On 14.05.2018 00:15, Ludovic Courtès wrote:
> [...] shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
                                                                     ^typo

> Should we satisfy ourselves with the current approach in the meantime?

Release early and often would say yes. But I'm not an experienced developer.

I have the feeling that guix lint does not cache the CVEs it fetches. I
think it should.

--
GPG: 7FDE 7190 2F73 2C50 236E 403D CC13 48F1 E644 08EC
From: ludo@HIDDEN (Ludovic Courtès)
To: guix-patches@HIDDEN
Subject: 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 00:15:41 +0200
Message-ID: <87fu2vjj76.fsf@HIDDEN>

Hello Guix!

On IRC davidl shared a shell script that checks the output of ‘guix lint
-c cve’ and uses that to determine vulnerable packages in a profile.
That reminds me of the plan for ‘guix health’ (a tool to do just that),
so I went ahead and tried to make it a reality at last.

This ‘guix health’ reports information about “leaf” packages in a
profile, but not about their dependencies:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix health -p /run/current-system/profile/
guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
guix health: warning: util-linux@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If
none are available, please consider submitting a patch for the package definition of
'util-linux'.


guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
guix health: warning: tar@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If
none are available, please consider submitting a patch for the package definition of
'tar'.
--8<---------------cut here---------------end--------------->8---

The difficulty here is that we need to know a package’s CPE name before
we can check the CVE database, and we also need to know whether the
package already includes fixes for known CVEs. This patch set attaches
this information to manifest entries, so that ‘guix health’ can then
rely on it.

Fundamentally, that means we cannot reliably tell much about
dependencies: in cases where the CPE name differs from the Guix name, we
won’t have any match, and more generally, we cannot know what CVE are
patched in the package; we could infer part of this by looking at the
same-named package in the current Guix, but that’s hacky.

I think that longer-term we probably need to attach this kind of
meta-data to packages themselves, by adding a bunch of files in each
package, say under PREFIX/guix. We could do that for search paths as
well.

Should we satisfy ourselves with the current approach in the meantime?
Thoughts?

Besides, support for properties in manifest entries seems useful to me,
so we may want to keep it regardless of whether we take ‘guix health’
as-is.

Ludo’.

Ludovic Courtès (5):
  profiles: Add '%current-profile', 'user-friendly-profile', & co.
  packages: Add 'package-patched-vulnerabilities'.
  profiles: Add 'properties' field to manifest entries.
  profiles: Record fixed vulnerabilities as properties of entries.
  DRAFT Add 'guix health'.

 Makefile.am              |   1 +
 guix/packages.scm        |  28 +++++++
 guix/profiles.scm        |  91 ++++++++++++++++++++--
 guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
 guix/scripts/lint.scm    |  23 +-----
 guix/scripts/package.scm |  40 ----------
 po/guix/POTFILES.in      |   1 +
 tests/packages.scm       |  15 ++++
 tests/profiles.scm       |  22 ++++++
 9 files changed, 312 insertions(+), 67 deletions(-)
 create mode 100644 guix/scripts/health.scm

--
2.17.0
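The matching the cover letter describes (a CPE name and a list of patched CVEs attached to each manifest entry, a look-up of the CVE database by CPE name and version, then a check of the same-named package in the current Guix to see whether an upgrade would help), written out as an added Python example rather than the Guile code of the patch set; it is not part of the thread. The data classes, the inline CVE table with its affected-version lists, the "current Guix" versions and the libfoo/foo_library entry are constructed for this illustration; only the CVE ids are taken from the quoted output. It also exercises the blind spot the message names: an entry without a recorded CPE name whose Guix name differs from its CPE name matches nothing and is silently reported as clean.

```python
"""Vulnerability report over manifest entries (added example, not Guix code).

Data classes, the CVE table, the current-Guix versions and the libfoo entry
are constructed for this illustration; the CVE ids come from the quoted output.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ManifestEntry:
    """A profile entry plus the metadata the patch set attaches to it."""
    name: str
    version: str
    cpe_name: Optional[str] = None           # None: no CPE name was recorded
    patched_cves: frozenset = frozenset()    # CVEs fixed by patches in this build


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cpe_name: str
    affected_versions: frozenset             # versions the feed lists as affected


# Constructed sample feed: affected-version lists are invented.
SAMPLE_CVES = (
    CveRecord("CVE-2018-7738", "util-linux", frozenset({"2.31.1", "2.32"})),
    CveRecord("CVE-2018-7169", "shadow", frozenset({"4.5"})),
    CveRecord("CVE-2016-6321", "tar", frozenset({"1.29", "1.30"})),
    # Hypothetical library whose CPE name differs from its Guix package name.
    CveRecord("CVE-0000-0001", "foo_library", frozenset({"1.0"})),
)

# Constructed stand-in for the package definitions of the current Guix
# checkout, i.e. what `guix pull` would bring in.
CURRENT_GUIX = {
    "util-linux": ManifestEntry("util-linux", "2.32", "util-linux"),
    "shadow": ManifestEntry("shadow", "4.6", "shadow"),
    "tar": ManifestEntry("tar", "1.30", "tar"),
}


def open_vulnerabilities(entry, cves=SAMPLE_CVES):
    """CVEs matching the entry's CPE name and version, minus those already patched.

    Without a recorded CPE name the Guix name is used as a guess; when the two
    differ this yields no match at all, which is the dependency blind spot.
    """
    cpe = entry.cpe_name or entry.name
    matches = {r.cve_id for r in cves
               if r.cpe_name == cpe and entry.version in r.affected_versions}
    return matches - entry.patched_cves


def check_entry(entry, current=CURRENT_GUIX, cves=SAMPLE_CVES):
    """Warnings `guix health` would print for one manifest entry."""
    open_cves = open_vulnerabilities(entry, cves)
    if not open_cves:
        return []
    warnings = [f"{entry.name}@{entry.version} may be vulnerable to {cve}"
                for cve in sorted(open_cves)]
    newer = current.get(entry.name)
    if newer is not None and newer.version != entry.version:
        # Does the newer definition (by version or by its own patches) close them?
        fixed = open_cves - open_vulnerabilities(newer, cves)
        if fixed:
            warnings.append(f"{newer.name}@{newer.version} is available and fixes "
                            f"{', '.join(sorted(fixed))}, consider upgrading")
        else:
            warnings.append(f"{newer.name}@{newer.version} is available but does "
                            "not fix any of these")
    return warnings


def health_report(entries, current=CURRENT_GUIX, cves=SAMPLE_CVES):
    """Map each entry name to its warnings (empty list when nothing is open)."""
    return {e.name: check_entry(e, current, cves) for e in entries}


# Constructed profile: three leaf packages with metadata, one build that
# carries a patch for its CVE, and one dependency without a CPE name.
SAMPLE_PROFILE = [
    ManifestEntry("util-linux", "2.31.1", "util-linux"),
    ManifestEntry("shadow", "4.5", "shadow"),
    ManifestEntry("tar", "1.29", "tar"),
    ManifestEntry("tar-patched", "1.29", "tar", frozenset({"CVE-2016-6321"})),
    ManifestEntry("libfoo", "1.0"),   # CPE name is really "foo_library": no match
]

if __name__ == "__main__":
    for warnings in health_report(SAMPLE_PROFILE).values():
        for w in warnings:
            print(f"guix health: warning: {w}")
```

The libfoo entry is the case to watch for in a deployment: the absence of a warning there is a lookup miss, not a clean bill of health, so a consumer of such a report should treat entries without CPE metadata as "unknown" rather than "not vulnerable".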
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.