From: Xinglu Chen <public@HIDDEN>
To: 48923 <at> debbugs.gnu.org
Subject: Re: [bug#48923] [PATCH v2] activation: Add ‘call-with-output-file*’ procedure.
In-Reply-To: <7500e1ba2d55d397d4c105ca189746f78de02d35.1623176839.git.public@HIDDEN>
References: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
 <7500e1ba2d55d397d4c105ca189746f78de02d35.1623176839.git.public@HIDDEN>
Date: Wed, 04 Aug 2021 10:25:30 +0200
Message-ID: <878s1h4nwl.fsf@HIDDEN>
Cc: Maxime Devos <maximedevos@HIDDEN>
Ping!  :)
guix-patches@HIDDEN:bug#48923; Package guix-patches.
  Full text available.
From: Xinglu Chen <public@HIDDEN>
To: 48923 <at> debbugs.gnu.org
Subject: [PATCH v2] activation: Add ‘call-with-output-file*’ procedure.
In-Reply-To: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
References: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
Message-Id: <7500e1ba2d55d397d4c105ca189746f78de02d35.1623176839.git.public@HIDDEN>
Date: Tue, 08 Jun 2021 20:30:13 +0200
Cc: Maxime Devos <maximedevos@HIDDEN>
Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
will prevent secrets from being leaked.  See
<https://issues.guix.gnu.org/48872>.
* guix/build/activation.scm (call-with-output-file*): New procedure.
* doc/guix.texi (Activation): New section; document ‘call-with-output-file*’.
---
Changes since v1:
* Moved ‘call-with-output-file*’ from (gnu build utils) to (gnu build
  activation).
* Added a “Activation” section in the manual to document the new
  procedure.
 doc/guix.texi            | 31 +++++++++++++++++++++++++++++++
 gnu/build/activation.scm | 13 ++++++++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 59b4ac11b4..643c7ff126 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -321,6 +321,7 @@ System Configuration
 * Invoking guix deploy::        Deploying a system configuration to a remo=
te host.
 * Running Guix in a VM::        How to run Guix System in a virtual machin=
e.
 * Defining Services::           Adding new service definitions.
+* Activation::                  Setting up system-wide files and directori=
es.
=20
 Services
=20
@@ -13386,6 +13387,7 @@ instance to support new system services.
 * Invoking guix deploy::        Deploying a system configuration to a remo=
te host.
 * Running Guix in a VM::        How to run Guix System in a virtual machin=
e.
 * Defining Services::           Adding new service definitions.
+* Activation::                  Setting up system-wide files and directori=
es.
 @end menu
=20
 @node Using the Configuration System
@@ -34633,6 +34635,35 @@ system:
 This service represents PID@tie{}1.
 @end defvr
=20
+@node Activation
+@section Activation
+
+@dfn{Activation} is the process that sets up system-wide files and
+directories so that an @code{operating-system} (@pxref{operating-system
+Reference}) configuration becomes active.  This will happen when
+invoking commands like @command{guix system reconfigure} or
+@command{guix system switch-generation}, but not when invoking
+@command{guix system build} (@pxref{Invoking guix system}).
+
+@deffn {Scheme Procedure} call-with-output-file* @var{file} @var{proc} @
+  [#:perms #o666]
+Open FILE for output, set the file permission bits to @var{perms}, and
+call @code{(PROC port)} with the resulting port.
+
+The advantage of using this procedure compared to something like this
+
+@lisp
+(call-with-output-file "FILE"
+  (lambda (port)
+    (display "top secret" port)))
+(chmod "FILE" #o400)
+@end lisp
+
+is that, with the latter, an unpriviliged user could open @var{file}
+before the permission was changed to @code{#o400}, thus making it
+possible to leak sensitive information.
+@end deffn
+
=20
 @node Documentation
 @chapter Documentation
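Review bot: the description of @var{perms} in this @deffn is inaccurate in two ways that matter for the security claim the section makes: the bits are handed to open(2) as the creation mode, so the process umask is cleared from them and an existing @var{file} keeps whatever mode it already has (the procedure only prevents the leak for files it creates itself), and with the documented default of #o666 the secret is still world-readable, so the section should show the intended call, e.g. `(call-with-output-file* "FILE" (lambda (port) (display "top secret" port)) #:perms #o400)`, next to the racy pattern. Smaller points: "Open FILE" and "@code{(PROC port)}" should use @var{file} and @var{proc} like the signature line, and "unpriviliged" should be "unprivileged".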
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 2af1d44b5f..0054079cb6 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -6,6 +6,7 @@
 ;;; Copyright =C2=A9 2018 Arun Isaac <arunisaac@HIDDEN>
 ;;; Copyright =C2=A9 2018, 2019 Ricardo Wurmus <rekado@HIDDEN>
 ;;; Copyright =C2=A9 2021 Maxime Devos <maximedevos@HIDDEN>
+;;; Copyright =C2=A9 2021 Xinglu Chen <public@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
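Review bot: the ChangeLog entry in the commit message names guix/build/activation.scm, but the file touched here is gnu/build/activation.scm (see the `diff --git` and `+++` lines above); the path in the commit message should be corrected before this is pushed.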
@@ -34,6 +35,7 @@
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-26)
+  #:use-module (srfi srfi-60)
   #:export (activate-users+groups
             activate-user-home
             activate-etc
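Review bot: (srfi srfi-60) is imported only to get bitwise-ior for the single open call added further down; Guile's core logior is equivalent and needs no extra module, so this line can be dropped and the call written as (logior O_WRONLY O_CREAT).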
@@ -43,7 +45,8 @@
             activate-firmware
             activate-ptrace-attach
             activate-current-system
-            mkdir-p/perms))
+            mkdir-p/perms
+            call-with-output-file*))
=20
 ;;; Commentary:
 ;;;
@@ -102,6 +105,14 @@ Warning: this is currently suspect to a TOCTTOU race!"
   (chown directory (passwd:uid owner) (passwd:gid owner))
   (chmod directory bits))
=20
+;; Prevent secrets from leaking, see <https://issues.guix.gnu.org/48872>
+(define* (call-with-output-file* file proc #:key (perms #o666))
+  "FILE should be string containg the path to a file, PROC should be a pro=
cedure
+that accepts the port as an argument, and PERMS should be the permission b=
its
+of the file, the default is 666."
+  (let ((port (open file (bitwise-ior O_WRONLY O_CREAT) perms)))
+    (call-with-port port proc)))
+
 (define* (copy-account-skeletons home
                                  #:key
                                  (directory %skeleton-directory)
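Review bot: the open flags are incomplete for the stated purpose. Without O_TRUNC, when FILE already exists and PROC writes fewer bytes than the old content, the tail of the old content survives; and open(2) applies PERMS only when it creates the file, so an existing FILE with wider bits (for instance one created before this change) keeps them, meaning the procedure protects only files it creates itself. Either add O_EXCL so the call fails on an existing file, or add O_TRUNC and call (chmod port perms) on the open port before handing it to PROC. The docstring also needs fixing: "should be string containg" should read "should be a string containing", "the default is 666" should read "#o666", and it should say that the umask is cleared from PERMS.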
base-commit: 503c2039a280dd52a751a6852b4157fccd1b4195
-- 
2.32.0
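The race the commit message describes, shown end to end as an added example that is not code from the patch or from Guix: a helper that creates the secret file with its final mode in the open(2) call, the way ‘call-with-output-file*’ does, next to the write-then-chmod pattern it replaces, plus checks of the two caveats a reviewer would want documented (the umask is cleared from the requested bits, and the bits are applied only when the file is created). Assumes Guile 3.x on a POSIX system; the procedure names racy-write-secret, write-secret, perms-of and demo are hypothetical, and the scratch path and "secret" content are constructed for the demo.

```scheme
;; Added example, not part of the patch or of Guix.  Assumes Guile 3.x on a
;; POSIX system.  Paths and contents below are constructed for the demo.

(define (racy-write-secret file content)
  ;; The pattern the patch warns about: call-with-output-file creates FILE
  ;; with the default bits (#o666 minus the umask, usually #o644), so
  ;; between the write and the chmod any local user can read CONTENT.
  (call-with-output-file file
    (lambda (port) (display content port)))
  (chmod file #o400))

(define* (write-secret file content #:key (perms #o400))
  ;; Race-free variant: the mode travels with O_CREAT, so the file never
  ;; exists with wider bits than PERMS minus the umask.  O_EXCL makes the
  ;; call fail instead of silently reusing an existing file, whose old mode
  ;; open(2) would leave untouched; O_TRUNC is then unnecessary.
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) perms)))
    (call-with-port port
      (lambda (port) (display content port)))))

(define (perms-of file)
  ;; Permission bits of FILE as an octal string, e.g. "400".
  (number->string (stat:perms (stat file)) 8))

(define (demo)
  (let* ((dir (string-append (or (getenv "TMPDIR") "/tmp")
                             "/secret-demo-" (number->string (getpid))))
         (key (string-append dir "/key")))
    (mkdir dir #o700)                   ; private scratch directory
    (umask #o022)                       ; a typical default mask
    ;; 1. Fresh file, #o400 requested: the bits are already in place when
    ;;    the file becomes visible, so there is no window to race.
    (write-secret key "top secret\n")
    (format #t "fresh file, #:perms #o400 -> ~a~%" (perms-of key))
    ;; 2. Caveat: the mode argument is honoured only when the file is
    ;;    created.  Re-opening an existing #o644 file with O_CREAT and
    ;;    #o400 does not change its mode.
    (chmod key #o644)
    (close-port (open key (logior O_WRONLY O_CREAT) #o400))
    (format #t "existing #o644 file reopened with #o400 -> ~a~%" (perms-of key))
    ;; 3. Caveat: the umask is cleared from PERMS (mode & ~umask), so the
    ;;    patch's default of #o666 still leaves the file world-readable.
    (delete-file key)
    (write-secret key "top secret\n" #:perms #o666)
    (format #t "fresh file, #:perms #o666 under umask 022 -> ~a~%" (perms-of key))
    ;; 4. O_EXCL refuses to overwrite: writing the secret a second time
    ;;    raises a system-error rather than reusing the existing file.
    (catch 'system-error
      (lambda () (write-secret key "again\n"))
      (lambda args
        (format #t "second write refused: ~a~%"
                (strerror (system-error-errno args)))))
    (delete-file key)
    (rmdir dir)))

(demo)
```

Run it with `guile example.scm`; the three printed modes show why a caller of ‘call-with-output-file*’ must pass restrictive #:perms explicitly and why the procedure cannot tighten a file that already exists.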
From: Xinglu Chen <public@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, 48923 <at> debbugs.gnu.org
Subject: Re: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
In-Reply-To: <38b69976891db7870992091d9eb3aa7aeb20e471.camel@HIDDEN>
References: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
 <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
 <871r9cgsxk.fsf@HIDDEN>
 <38b69976891db7870992091d9eb3aa7aeb20e471.camel@HIDDEN>
Date: Tue, 08 Jun 2021 20:04:57 +0200
Message-ID: <87wnr4fd12.fsf@HIDDEN>
On Tue, Jun 08 2021, Maxime Devos wrote:
>> > > diff --git a/guix/build/utils.scm b/guix/build/utils.scm
>> > > index 419c10195b..df960eee84 100644
>> > > --- a/guix/build/utils.scm
>> > > +++ b/guix/build/utils.scm
>> > > @@ -5,6 +5,7 @@
>> >
>> > Modifying (guix build utils) entails a world-rebuild, as
>> > (guix build utils) is used by the build code of practically
>> > every package. I would suggest placing it in (gnu build activation)
>> > instead.
>>
>> Oh, I didn’t think about that.  Moving it to (gnu build activation)
>> seems like a good option.
>>
>> Should I create a new “Activation” section in the manual, or should I
>> keep it in the “Build Utilities” section?
>
> The procedure isn't available during package building
> (well, (gnu build activation) _could_ be imported in a package definition
> using #:imported-modules & #:modules but it is not supposed to be used like
> that), so ‘Build Utilities’ doesn't seem appropriate, thus I'd suggest creating
> an "Activation" section in the manual.
>
> Maybe under ‘Programming Reference’, or after ‘Defining Services’ in
> the ‘System configuration’ chapter?
OK, sounds good to me!
Message-ID: <38b69976891db7870992091d9eb3aa7aeb20e471.camel@HIDDEN>
Subject: Re: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
From: Maxime Devos <maximedevos@HIDDEN>
To: Xinglu Chen <public@HIDDEN>, 48923 <at> debbugs.gnu.org
Date: Tue, 08 Jun 2021 19:45:49 +0200
In-Reply-To: <871r9cgsxk.fsf@HIDDEN>
References: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
 <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
 <871r9cgsxk.fsf@HIDDEN>
Xinglu Chen wrote on Tue 08-06-2021 at 19:36 [+0200]:
> On Tue, Jun 08 2021, Maxime Devos wrote:
>
> > Xinglu Chen wrote on Tue 08-06-2021 at 17:40 [+0200]:
> > > Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
> > > will prevent secrets from being leaked.  See
> > > <https://issues.guix.gnu.org/48872>.
> >
> > This procedure LGTM (but I didn't test).
> > However,
> >
> > > diff --git a/guix/build/utils.scm b/guix/build/utils.scm
> > > index 419c10195b..df960eee84 100644
> > > --- a/guix/build/utils.scm
> > > +++ b/guix/build/utils.scm
> > > @@ -5,6 +5,7 @@
> >
> > Modifying (guix build utils) entails a world-rebuild, as
> > (guix build utils) is used by the build code of practically
> > every package. I would suggest placing it in (gnu build activation)
> > instead.
>
> Oh, I didn’t think about that.  Moving it to (gnu build activation)
> seems like a good option.
>
> Should I create a new “Activation” section in the manual, or should I
> keep it in the “Build Utilities” section?

The procedure isn't available during package building
(well, (gnu build activation) _could_ be imported in a package definition
using #:imported-modules & #:modules but it is not supposed to be used like
that), so ‘Build Utilities’ doesn't seem appropriate, thus I'd suggest creating
an "Activation" section in the manual.

Maybe under ‘Programming Reference’, or after ‘Defining Services’ in
the ‘System configuration’ chapter?

Greetings,
Maxime.
guix-patches@HIDDEN:bug#48923; Package guix-patches.
  Full text available.
From: Xinglu Chen <public@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, 48923 <at> debbugs.gnu.org
Subject: Re: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
In-Reply-To: <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
References: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
 <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
Date: Tue, 08 Jun 2021 19:36:07 +0200
Message-ID: <871r9cgsxk.fsf@HIDDEN>
On Tue, Jun 08 2021, Maxime Devos wrote:

> Xinglu Chen schreef op di 08-06-2021 om 17:40 [+0200]:
>> Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
>> will prevent secrets from being leaked.  See
>> <https://issues.guix.gnu.org/48872>.
>
> This procedure LGTM (but I didn't test).
> However,
>
>> diff --git a/guix/build/utils.scm b/guix/build/utils.scm
>> index 419c10195b..df960eee84 100644
>> --- a/guix/build/utils.scm
>> +++ b/guix/build/utils.scm
>> @@ -5,6 +5,7 @@
>
> Modifying (guix build utils) entails a world-rebuild, as
> (guix build utils) is used by the build code of practically
> every package. I would suggest placing it in (gnu build activation)
> instead.

Oh, I didn’t think about that.  Moving it to (gnu build activation)
seems like a good option.

Should I create a new “Activation” section in the manual, or should I
keep it in the “Build Utilities” section?

From: Maxime Devos <maximedevos@HIDDEN>
To: Xinglu Chen <public@HIDDEN>, guix-patches@HIDDEN
Subject: Re: [PATCH] build: utils: Add ‘call-with-outp
Date: Tue, 08 Jun 2021 18:04:40 +0200
Message-ID: <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
In-Reply-To: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>

Xinglu Chen schreef op di 08-06-2021 om 17:40 [+0200]:
> Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
> will prevent secrets from being leaked.  See
> <https://issues.guix.gnu.org/48872>.

This procedure LGTM (but I didn't test).
However,

> diff --git a/guix/build/utils.scm b/guix/build/utils.scm
> index 419c10195b..df960eee84 100644
> --- a/guix/build/utils.scm
> +++ b/guix/build/utils.scm
> @@ -5,6 +5,7 @@

Modifying (guix build utils) entails a world-rebuild, as
(guix build utils) is used by the build code of practically
every package. I would suggest placing it in (gnu build activation)
instead.

Greetings,
Maxime.
From: Xinglu Chen <public@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] build: utils: Add ‘call-with-outp
Message-Id: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
Date: Tue, 08 Jun 2021 17:40:52 +0200
Cc: Maxime Devos <maximedevos@HIDDEN>
Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
will prevent secrets from being leaked.  See
<https://issues.guix.gnu.org/48872>.

* guix/build/utils.scm (call-with-output-file*): New procedure.
* doc/guix.texi (Build Utilities): Document it.
---
 doc/guix.texi        | 19 +++++++++++++++++++
 guix/build/utils.scm | 10 ++++++++++
 2 files changed, 29 insertions(+)
diff --git a/doc/guix.texi b/doc/guix.texi
index 59b4ac11b4..7e15cd9e92 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8612,6 +8612,25 @@ Be careful about using @code{$} to match the end of =
a line; by itself it
 won't match the terminating newline of a line.
 @end deffn
=20
+@deffn {Scheme Procedure} call-with-output-file* @var{file} @var{proc} @
+  [#:perms #o666]
+Open FILE for output, set the file permission bits to @var{perms}, and
+call @code{(PROC port)} with the resulting port.
+
+The advantage of using this procedure compared to something like this
+
+@lisp
+(call-with-output-file "FILE"
+  (lambda (port)
+    (display "top secret" port)))
+(chmod "FILE" #o400)
+@end lisp
+
+is that, with the latter, an unpriviliged user could open @var{file}
+before the permission was changed to @code{#o400}, thus making it
+possible to leak sensitive information.
+@end deffn
+
 @subsection File Search
=20
 @cindex file, searching
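Review bot: in the new @deffn body, "set the file permission bits to @var{perms}" promises more than the `open` call in the guix/build/utils.scm hunk below delivers: with O_CREAT the PERMS argument is applied (minus the process umask) only when the file is created, and a pre-existing @var{file} keeps whatever mode it already had, so the text should say "created with mode @var{perms}" and mention the existing-file case. Because the motivating use is secrets, the entry should also show the replacement call with an explicit mode, e.g. `(call-with-output-file* "FILE" (lambda (port) ...) #:perms #o400)`, rather than only the pattern it replaces, since the #o666 default is no tighter than plain `call-with-output-file`. Minor: "unpriviliged" should be "unprivileged", and "Open FILE" / "@code{(PROC port)}" should use @var{file} and @var{proc} like the deffn line does.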
diff --git a/guix/build/utils.scm b/guix/build/utils.scm
index 419c10195b..df960eee84 100644
--- a/guix/build/utils.scm
+++ b/guix/build/utils.scm
@@ -5,6 +5,7 @@
 ;;; Copyright =C2=A9 2015, 2018 Mark H Weaver <mhw@HIDDEN>
 ;;; Copyright =C2=A9 2018 Arun Isaac <arunisaac@HIDDEN>
 ;;; Copyright =C2=A9 2018, 2019 Ricardo Wurmus <rekado@HIDDEN>
+;;; Copyright =C2=A9 2021 Xinglu Chen <public@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -66,6 +67,7 @@
             file-name-predicate
             find-files
             false-if-file-not-found
+            call-with-output-file*
=20
             search-path-as-list
             set-path-environment-variable
@@ -448,6 +450,14 @@ also be included.  If FAIL-ON-ERROR? is true, raise an=
 exception upon error."
           #f
           (apply throw args)))))
=20
+;; Prevent secrets from leaking, see <https://issues.guix.gnu.org/48872>
+(define* (call-with-output-file* file proc #:key (perms #o666))
+  "FILE should be string containg the path to a file, PROC should be a pro=
cedure
+that accepts the port as an argument, and PERMS should be the permission b=
its
+of the file, the default is 666."
+  (let ((port (open file (bitwise-ior O_WRONLY O_CREAT) perms)))
+    (call-with-port port proc)))
+
 
 ;;;
 ;;; Search paths.
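Review bot: `(bitwise-ior O_WRONLY O_CREAT)` omits O_TRUNC, so unlike `call-with-output-file` the new procedure does not truncate: writing a shorter value over an existing longer FILE leaves the old tail in place, and an existing FILE's mode is left unchanged as well, because PERMS only takes effect (after the umask) when O_CREAT actually creates the file. Add O_TRUNC, and either document that PERMS applies to newly created files only or handle the existing-file case explicitly (chmod or remove it first); otherwise the leak the comment above the define refers to remains possible whenever FILE already exists. Also confirm that `bitwise-ior` is bound in this module, since the hunk adds no import (Guile's core name is `logior`), and in the docstring "should be string containg" should read "should be a string containing" and "the default is 666" should read "the default is #o666".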
base-commit: 503c2039a280dd52a751a6852b4157fccd1b4195
-- 
2.32.0
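The window the commit message describes, as an added example (Python, not the patch's Scheme code and not Guix's own code; it passes the same open(2) flags the hunk does, and the file name and contents are constructed). It goes a little beyond the message: `open_as_posted` reproduces the hunk's O_WRONLY|O_CREAT without O_TRUNC to show what happens to a longer pre-existing file, and `write_secret` is one hardened form under names chosen here, not the project's.

```python
"""Create-then-chmod window versus passing the mode to open(2).

Added example; file name and contents are constructed for the demo.
"""
import os
import stat
import tempfile


def current_umask() -> int:
    """Read the process umask without changing it (umask(2) has no getter)."""
    old = os.umask(0)
    os.umask(old)
    return old


def mode_of(path: str) -> int:
    """Permission bits of PATH, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path: str, data: bytes, perms: int = 0o400) -> int:
    """The pattern the patch replaces: create with the default mode, write,
    chmod afterwards.  Returns the mode the file carried while the data was
    already on disk but before chmod ran: the window the commit message is
    about, during which any local user allowed by that mode can read it."""
    with open(path, "wb") as f:            # created as 0o666 & ~umask
        f.write(data)
    window_mode = mode_of(path)
    os.chmod(path, perms)
    return window_mode


def open_as_posted(path: str, data: bytes, perms: int = 0o666) -> bytes:
    """Same flags as the posted hunk: O_WRONLY|O_CREAT plus a mode, but no
    O_TRUNC.  Returns the file's content after the write, which shows the
    pitfall for a pre-existing longer file: the old tail survives."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, perms)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    with open(path, "rb") as f:
        return f.read()


def write_secret(path: str, data: bytes, perms: int = 0o400) -> int:
    """Hardened form (hypothetical name): the mode goes to open(2) together
    with O_CREAT, so there is no chmod window; O_TRUNC discards old content;
    O_EXCL guarantees we created the inode (it fails instead of following a
    symlink or reusing someone else's file).  A pre-existing file is removed
    first because O_CREAT applies PERMS only to a file it creates.  Returns
    the resulting mode (PERMS minus the umask)."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_TRUNC, perms)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return mode_of(path)


def demo() -> dict:
    """Run all three variants on a constructed secret in a temporary
    directory and return what an observer would have seen."""
    umask = current_umask()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "secret")
        window = write_then_chmod(p, b"top secret\n")
        os.unlink(p)
        # Seed a longer pre-existing file, then overwrite with the hunk's flags.
        with open(p, "wb") as f:
            f.write(b"OLD-LONGER-CONTENT\n")
        leftover = open_as_posted(p, b"new\n")
        final_mode = write_secret(p, b"top secret\n")
        with open(p, "rb") as f:
            content = f.read()
    return {
        "window_mode": window,
        "window_readable_by_others": bool(window & (stat.S_IRGRP | stat.S_IROTH)),
        "no_trunc_leftover": leftover,
        "final_mode": final_mode,
        "final_expected": 0o400 & ~umask,
        "final_content": content,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {oct(v) if isinstance(v, int) else v!r}")
```

With the usual umask of 022 the window mode comes out as 0o644, i.e. readable by every local user until chmod runs; with a umask of 077 the window is closed by the umask alone, which is why the hardened variant reports the effective mode rather than assuming PERMS was applied verbatim.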
 GNU bug tracking system
 Copyright (C) 1999 Darren O. Benham,
 1997 nCipher Corporation Ltd,
 1994-97 Ian Jackson.