GNU bug report logs - #31444
'guix health': a tool to report vulnerable packages

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix-patches; Reported by: ludo@HIDDEN (Ludovic Courtès); Keywords: patch; merged with #31442, #31443; dated Sun, 13 May 2018 22:43:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 31444 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Nils Gillmann <ng0@HIDDEN>
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Tue, 15 May 2018 09:24:59 +0200

Hi!

Nils Gillmann <ng0@HIDDEN> skribis:

> Did you intend to attach a patch to one of the 3 or 4 messages that made
> it to the bugtracker? I've checked when you've sent the message and today
> and saw no patches. I'm interested in the code, the general idea sounds good.

They eventually made it there:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31442

But Debbugs is weird; for some reason it failed to reply for several
hours.

>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix.  We could do that for search paths as
>> well.
>
> If you mean with metadata what I understand:
> I've started playing with this idea a while back. It would be good to attach
> more information to the package, mentioned in the past was "support the developers"
> links (not everyone publishes this on their website).
> Personally I'm going to make use of the "maintainer" function for packages,
> so people know where (hopefully relatively) exactly the package came from.

Well this is not the kind of meta-data I had in mind, and for that I
think a field in <package> is good enough.

> Anyways, I have some other package related experiments.. Did you have anything
> else in mind, other than search-paths and CVE information?

Not really, but that would be extensible.

The bigger picture is that of packages that would remain live data
structures, as Ricardo proposed a while back.  I don’t think we can go
this far (in the sense of being able to reconstruct a <package> from its
output), but having some metadata kept around can help.

Thanks,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#31444; Package guix-patches.

Message received at 31444 <at> debbugs.gnu.org:


From: Nils Gillmann <ng0@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 16:49:41 +0000

Ludovic Courtès transcribed 3.4K bytes:
> Hello Guix!
> 
> On IRC davidl shared a shell script that checks the output of ‘guix lint
> -c cve’ and uses that to determine vulnerable packages in a profile.
> That reminds me of the plan for ‘guix health’ (a tool to do just that),
> so I went ahead and tried to make it a reality at last.
> 
> This ‘guix health’ reports information about “leaf” packages in a
> profile, but not about their dependencies:

Did you intend to attach a patch to one of the 3 or 4 messages that made
it to the bugtracker? I've checked when you've sent the message and today
and saw no patches. I'm interested in the code, the general idea sounds good.

> --8<---------------cut here---------------start------------->8---
> $ ./pre-inst-env guix health -p /run/current-system/profile/
> guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
> guix health: warning: util-linux@HIDDEN is available but does not fix any of these
> hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
> none are available, please consider submitting a patch for the package definition of
> 'util-linux'.
> 
> 
> guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
> guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
> guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
> guix health: warning: tar@HIDDEN is available but does not fix any of these
> hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
> none are available, please consider submitting a patch for the package definition of
> 'tar'.
> --8<---------------cut here---------------end--------------->8---
> 
> The difficulty here is that we need to know a package’s CPE name before
> we can check the CVE database, and we also need to know whether the
> package already includes fixes for known CVEs.  This patch set attaches
> this information to manifest entries, so that ‘guix health’ can then
> rely on it.
> 
> Fundamentally, that means we cannot reliably tell much about
> dependencies: in cases where the CPE name differs from the Guix name, we
> won’t have any match, and more generally, we cannot know what CVE are
> patched in the package; we could infer part of this by looking at the
> same-named package in the current Guix, but that’s hacky.
> 
> I think that longer-term we probably need to attach this kind of
> meta-data to packages themselves, by adding a bunch of files in each
> package, say under PREFIX/guix.  We could do that for search paths as
> well.

If you mean with metadata what I understand:
I've started playing with this idea a while back. It would be good to attach
more information to the package, mentioned in the past was "support the developers"
links (not everyone publishes this on their website).
Personally I'm going to make use of the "maintainer" function for packages,
so people know where (hopefully relatively) exactly the package came from.

Anyways, I have some other package related experiments.. Did you have anything
else in mind, other than search-paths and CVE information?

> Should we satisfy ourselves with the current approach in the meantime?
> Thoughts?
> 
> Besides, support for properties in manifest entries seems useful to me,
> so we may want to keep it regardless of whether we take ‘guix health’
> as-is.
> 
> Ludo’.
> 
> Ludovic Courtès (5):
>   profiles: Add '%current-profile', 'user-friendly-profile', & co.
>   packages: Add 'package-patched-vulnerabilities'.
>   profiles: Add 'properties' field to manifest entries.
>   profiles: Record fixed vulnerabilities as properties of entries.
>   DRAFT Add 'guix health'.
> 
>  Makefile.am              |   1 +
>  guix/packages.scm        |  28 +++++++
>  guix/profiles.scm        |  91 ++++++++++++++++++++--
>  guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
>  guix/scripts/lint.scm    |  23 +-----
>  guix/scripts/package.scm |  40 ----------
>  po/guix/POTFILES.in      |   1 +
>  tests/packages.scm       |  15 ++++
>  tests/profiles.scm       |  22 ++++++
>  9 files changed, 312 insertions(+), 67 deletions(-)
>  create mode 100644 guix/scripts/health.scm
> 
> -- 
> 2.17.0
> 
> 
> 




Information forwarded to guix-patches@HIDDEN:
bug#31444; Package guix-patches.

Message received at 31444 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Martin Castillo <castilma@HIDDEN>
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 11:07:10 +0200

Hello,

Martin Castillo <castilma@HIDDEN> skribis:

> On 14.05.2018 00:15, Ludovic Courtès wrote:
>> [...] shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
>                                                                   ^typo
>
>> Should we satisfy ourselves with the current approach in the meantime?
>
> Release early and often would say yes. But I'm not an experienced developer.

OK.

> I have the feeling that guix lint does not cache the CVEs it fetches. I
> think it should.

It does: it caches them in ~/.cache/guix/http and then uses
‘If-Modified-Since’ to avoid re-fetching the database if the cached copy
is up-to-date.

Now the 2018 database obviously keeps changing, so caching helps when
you’re running ‘guix lint’ several times in a row (say while reviewing
packages), but it doesn’t help much if you run it once a day or less.

Also, it fetches the whole database for a year.  I think they publish
diffs as well, but using them seems tricky.

Ludo’.
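The revalidation scheme Ludovic describes above (a cached copy of the yearly CVE feed, re-fetched only when ‘If-Modified-Since’ does not yield a 304), modelled as an added example; this is not Guix's own http-client code. The feed server, its URL and the cache directory are constructed stand-ins so the block runs offline.

```python
import hashlib
import json
import os
import tempfile
from typing import Callable, Dict, Tuple

# A fetcher takes (url, request headers) and returns (status, response headers, body).
Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str, Dict[str, str]], Response]


def _cache_paths(cache_dir: str, url: str) -> Tuple[str, str]:
    # One body file plus one metadata file per URL, keyed by a hash of the URL.
    key = hashlib.sha256(url.encode("utf-8")).hexdigest()
    return os.path.join(cache_dir, key), os.path.join(cache_dir, key + ".meta")


def fetch_cached(url: str, cache_dir: str, fetcher: Fetcher) -> Tuple[bytes, str]:
    """Return (body, "cache" or "network"), revalidating any cached copy with If-Modified-Since."""
    body_path, meta_path = _cache_paths(cache_dir, url)
    request_headers: Dict[str, str] = {}
    last_modified = None
    if os.path.exists(body_path) and os.path.exists(meta_path):
        with open(meta_path, "r", encoding="utf-8") as f:
            last_modified = json.load(f).get("last-modified")
        if last_modified:
            # Ask the server to send the body only if it changed since our copy.
            request_headers["If-Modified-Since"] = last_modified
    status, headers, body = fetcher(url, request_headers)
    if status == 304 and last_modified:
        with open(body_path, "rb") as f:
            return f.read(), "cache"
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status} for {url}")
    os.makedirs(cache_dir, exist_ok=True)
    with open(body_path, "wb") as f:
        f.write(body)
    with open(meta_path, "w", encoding="utf-8") as f:
        # Without a Last-Modified header there is nothing to revalidate against,
        # so the next run falls back to a full download.
        json.dump({"last-modified": headers.get("Last-Modified")}, f)
    return body, "network"


class FakeFeedServer:
    """Constructed stand-in for the yearly CVE feed, so the example runs offline.

    It compares If-Modified-Since by string equality; a real server parses the dates."""

    def __init__(self, body: bytes, last_modified: str) -> None:
        self.body, self.last_modified = body, last_modified
        self.full_downloads = 0

    def __call__(self, url: str, headers: Dict[str, str]) -> Response:
        if headers.get("If-Modified-Since") == self.last_modified:
            return 304, {}, b""
        self.full_downloads += 1
        return 200, {"Last-Modified": self.last_modified}, self.body

    def publish(self, body: bytes, last_modified: str) -> None:
        self.body, self.last_modified = body, last_modified


def demo() -> Tuple[str, str, str, int, bytes]:
    """Three runs in a row: full download, revalidation (304), re-download after an update."""
    server = FakeFeedServer(b'{"CVE_Items": []}', "Mon, 14 May 2018 08:00:00 GMT")
    url = "https://feed.example.invalid/nvdcve-2018.json"   # placeholder URL, not the real feed
    with tempfile.TemporaryDirectory() as cache_dir:
        first = fetch_cached(url, cache_dir, server)
        second = fetch_cached(url, cache_dir, server)
        server.publish(b'{"CVE_Items": ["placeholder"]}', "Tue, 15 May 2018 08:00:00 GMT")
        third = fetch_cached(url, cache_dir, server)
    return first[1], second[1], third[1], server.full_downloads, third[0]


if __name__ == "__main__":
    print(demo())
```

The second run costs one conditional request and no body transfer, which is the win for back-to-back ‘guix lint’ invocations; once the feed changes, the whole yearly file is downloaded again.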




Information forwarded to guix-patches@HIDDEN:
bug#31444; Package guix-patches.
Merged 31442 31443 31444. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org.

Message received at submit <at> debbugs.gnu.org:


From: Martin Castillo <castilma@HIDDEN>
To: guix-patches@HIDDEN
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 10:06:46 +0200

On 14.05.2018 00:15, Ludovic Courtès wrote:
> [...] shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
                                                                  ^typo

> Should we satisfy ourselves with the current approach in the meantime?

Release early and often would say yes. But I'm not an experienced developer.

I have the feeling that guix lint does not cache the CVEs it fetches. I
think it should.

-- 
GPG: 7FDE 7190 2F73 2C50 236E  403D CC13 48F1 E644 08EC






Information forwarded to guix-patches@HIDDEN:
bug#31444; Package guix-patches.

Message received at submit <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: guix-patches@HIDDEN
Subject: 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 00:15:41 +0200

Hello Guix!

On IRC davidl shared a shell script that checks the output of ‘guix lint
-c cve’ and uses that to determine vulnerable packages in a profile.
That reminds me of the plan for ‘guix health’ (a tool to do just that),
so I went ahead and tried to make it a reality at last.

This ‘guix health’ reports information about “leaf” packages in a
profile, but not about their dependencies:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix health -p /run/current-system/profile/
guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
guix health: warning: util-linux@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
none are available, please consider submitting a patch for the package definition of
'util-linux'.


guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
guix health: warning: tar@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
none are available, please consider submitting a patch for the package definition of
'tar'.
--8<---------------cut here---------------end--------------->8---

The difficulty here is that we need to know a package’s CPE name before
we can check the CVE database, and we also need to know whether the
package already includes fixes for known CVEs.  This patch set attaches
this information to manifest entries, so that ‘guix health’ can then
rely on it.

Fundamentally, that means we cannot reliably tell much about
dependencies: in cases where the CPE name differs from the Guix name, we
won’t have any match, and more generally, we cannot know what CVEs are
patched in the package; we could infer part of this by looking at the
same-named package in the current Guix, but that’s hacky.

I think that longer-term we probably need to attach this kind of
meta-data to packages themselves, by adding a bunch of files in each
package, say under PREFIX/guix.  We could do that for search paths as
well.

Should we satisfy ourselves with the current approach in the meantime?
Thoughts?

Besides, support for properties in manifest entries seems useful to me,
so we may want to keep it regardless of whether we take ‘guix health’
as-is.

Ludo’.

Ludovic Courtès (5):
  profiles: Add '%current-profile', 'user-friendly-profile', & co.
  packages: Add 'package-patched-vulnerabilities'.
  profiles: Add 'properties' field to manifest entries.
  profiles: Record fixed vulnerabilities as properties of entries.
  DRAFT Add 'guix health'.

 Makefile.am              |   1 +
 guix/packages.scm        |  28 +++++++
 guix/profiles.scm        |  91 ++++++++++++++++++++--
 guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
 guix/scripts/lint.scm    |  23 +-----
 guix/scripts/package.scm |  40 ----------
 po/guix/POTFILES.in      |   1 +
 tests/packages.scm       |  15 ++++
 tests/profiles.scm       |  22 ++++++
 9 files changed, 312 insertions(+), 67 deletions(-)
 create mode 100644 guix/scripts/health.scm

-- 
2.17.0
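The matching logic the message above describes, as an added example rather than the patch set's Scheme code: a manifest entry carries a CPE name and the CVEs its package already patches as properties, the CVE database is queried by (CPE name, version), and the same-named package in the current Guix decides between "fixes" and "does not fix". Entries without a CPE name (the dependency case) match nothing. The CVE ids are the ones in the report; the product/version pairs, package versions and the `ManifestEntry`/`Vulnerability` types are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ManifestEntry:
    """One profile entry plus the metadata the patch set stores as entry properties."""
    name: str
    version: str
    cpe_name: Optional[str] = None            # None: no CPE name recorded, so no match is possible
    patched: FrozenSet[str] = frozenset()     # CVE ids already fixed by patches Guix applies


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    affected: FrozenSet[Tuple[str, str]]      # (CPE product name, version) pairs


# Constructed stand-in for the CVE database: the ids are from the report above,
# the affected product/version pairs are made-up placeholders, not real NVD data.
SAMPLE_DB: Sequence[Vulnerability] = (
    Vulnerability("CVE-2018-7738", frozenset({("util-linux", "2.31"), ("util-linux", "2.31.1")})),
    Vulnerability("CVE-2018-7169", frozenset({("shadow", "4.5"), ("shadow", "4.6")})),
    Vulnerability("CVE-2016-6321", frozenset({("tar", "1.29"), ("tar", "1.30")})),
)


def open_vulnerabilities(entry: ManifestEntry, db: Sequence[Vulnerability]) -> List[str]:
    """CVEs listing entry's CPE name and version as affected, minus those already patched."""
    if entry.cpe_name is None:
        return []                             # the dependency case: nothing to match on
    return sorted(v.cve for v in db
                  if (entry.cpe_name, entry.version) in v.affected
                  and v.cve not in entry.patched)


def upgrade_fixes(entry: ManifestEntry, candidate: ManifestEntry,
                  db: Sequence[Vulnerability]) -> List[str]:
    """CVEs open in entry that installing candidate would close (by version or by patch)."""
    still_open = set(open_vulnerabilities(candidate, db))
    return sorted(cve for cve in open_vulnerabilities(entry, db) if cve not in still_open)


def health_report(entry: ManifestEntry, candidate: Optional[ManifestEntry],
                  db: Sequence[Vulnerability]) -> List[str]:
    """Warnings for one leaf package, worded like the 'guix health' output above.

    candidate is the same-named package in the current Guix, or None if unknown."""
    cves = open_vulnerabilities(entry, db)
    if not cves:
        return []
    lines = [f"{entry.name}@{entry.version} may be vulnerable to {', '.join(cves)}"]
    if candidate is None:
        return lines
    fixed = upgrade_fixes(entry, candidate, db)
    if fixed:
        lines.append(f"{candidate.name}@{candidate.version} is available and fixes "
                     f"{', '.join(fixed)}, consider upgrading")
    elif candidate.version != entry.version:
        lines.append(f"{candidate.name}@{candidate.version} is available but does not fix any of these")
    return lines


if __name__ == "__main__":
    # Constructed profile and "current Guix" packages mirroring the three cases in the report.
    profile = [ManifestEntry("util-linux", "2.31", "util-linux"),
               ManifestEntry("shadow", "4.5", "shadow"),
               ManifestEntry("tar", "1.29", "tar")]
    current = {"util-linux": ManifestEntry("util-linux", "2.31.1", "util-linux"),
               # same CPE version range, but a 'patched-vulnerabilities' property closes the CVE
               "shadow": ManifestEntry("shadow", "4.6", "shadow", frozenset({"CVE-2018-7169"})),
               "tar": ManifestEntry("tar", "1.30", "tar")}
    for entry in profile:
        for line in health_report(entry, current.get(entry.name), SAMPLE_DB):
            print("guix health: warning:", line)
```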




Acknowledgement sent to ludo@HIDDEN (Ludovic Courtès):
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN.
Report forwarded to guix-patches@HIDDEN:
bug#31444; Package guix-patches.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.