From: Xinglu Chen <public@HIDDEN>
To: 48923 <at> debbugs.gnu.org
Cc: Maxime Devos <maximedevos@HIDDEN>
Subject: Re: [bug#48923] [PATCH v2] activation: Add ‘call-with-output-file*’ procedure.
In-Reply-To: <7500e1ba2d55d397d4c105ca189746f78de02d35.1623176839.git.public@HIDDEN>
Date: Wed, 04 Aug 2021 10:25:30 +0200
Message-ID: <878s1h4nwl.fsf@HIDDEN>

Ping! :)
From: Xinglu Chen <public@HIDDEN>
To: 48923 <at> debbugs.gnu.org
Cc: Maxime Devos <maximedevos@HIDDEN>
Subject: [PATCH v2] activation: Add ‘call-with-output-file*’ procedure.
In-Reply-To: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
Message-Id: <7500e1ba2d55d397d4c105ca189746f78de02d35.1623176839.git.public@HIDDEN>
Date: Tue, 08 Jun 2021 20:30:13 +0200
--- Changes since v1: Content analysis details: (1.9 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: yoctocell.xyz (xyz)] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager Using =E2=80=98call-with-output-file*=E2=80=99 instead of =E2=80=98call-wit= h-output-file=E2=80=99 and =E2=80=98chmod=E2=80=99 will prevent secrets from being leaked. See <https://issues.guix.gnu.org/48872>. * guix/build/activation.scm (call-with-output-file*): New procedure. * doc/guix.texi (Activation): New section; document =E2=80=98call-with-outp= ut-file*=E2=80=99. --- Changes since v1: * Moved =E2=80=98call-with-output-file*=E2=80=99 from (gnu build utils) to = (gnu build activation). * Added a =E2=80=9CActivation=E2=80=9D section in the manual to document th= e new procedure. doc/guix.texi | 31 +++++++++++++++++++++++++++++++ gnu/build/activation.scm | 13 ++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 59b4ac11b4..643c7ff126 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -321,6 +321,7 @@ System Configuration * Invoking guix deploy:: Deploying a system configuration to a remo= te host. * Running Guix in a VM:: How to run Guix System in a virtual machin= e. * Defining Services:: Adding new service definitions. +* Activation:: Setting up system-wide files and directori= es. =20 Services =20 
@@ -13386,6 +13387,7 @@ instance to support new system services. * Invoking guix deploy:: Deploying a system configuration to a remo= te host. * Running Guix in a VM:: How to run Guix System in a virtual machin= e. * Defining Services:: Adding new service definitions. +* Activation:: Setting up system-wide files and directori= es. @end menu =20 @node Using the Configuration System @@ -34633,6 +34635,35 @@ system: This service represents PID@tie{}1. @end defvr =20 +@node Activation +@section Activation + +@dfn{Activation} is the process that sets up system-wide files and +directories so that an @code{operating-system} (@pxref{operating-system +Reference}) configuration becomes active. This will happen when +invoking commands like @command{guix system reconfigure} or +@command{guix system switch-generation}, but not when invoking +@command{guix system build} (@pxref{Invoking guix system}). + +@deffn {Scheme Procedure} call-with-output-file* @var{file} @var{proc} @ + [#:perms #o666] +Open FILE for output, set the file permission bits to @var{perms}, and +call @code{(PROC port)} with the resulting port. + +The advantage of using this procedure compared to something like this + +@lisp +(call-with-output-file "FILE" + (lambda (port) + (display "top secret" port))) +(chmod "FILE" #o400) +@end lisp + +is that, with the latter, an unpriviliged user could open @var{file} +before the permission was changed to @code{#o400}, thus making it +possible to leak sensitive information. +@end deffn + =20 @node Documentation @chapter Documentation diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 2af1d44b5f..0054079cb6 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm 
@@ -6,6 +6,7 @@ ;;; Copyright =C2=A9 2018 Arun Isaac <arunisaac@HIDDEN> ;;; Copyright =C2=A9 2018, 2019 Ricardo Wurmus <rekado@HIDDEN> ;;; Copyright =C2=A9 2021 Maxime Devos <maximedevos@HIDDEN> +;;; Copyright =C2=A9 2021 Xinglu Chen <public@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -34,6 +35,7 @@ #:use-module (srfi srfi-1) #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) + #:use-module (srfi srfi-60) #:export (activate-users+groups activate-user-home activate-etc @@ -43,7 +45,8 @@ activate-firmware activate-ptrace-attach activate-current-system - mkdir-p/perms)) + mkdir-p/perms + call-with-output-file*)) =20 ;;; Commentary: ;;; @@ -102,6 +105,14 @@ Warning: this is currently suspect to a TOCTTOU race!" (chown directory (passwd:uid owner) (passwd:gid owner)) (chmod directory bits)) =20 +;; Prevent secrets from leaking, see <https://issues.guix.gnu.org/48872> +(define* (call-with-output-file* file proc #:key (perms #o666)) + "FILE should be string containg the path to a file, PROC should be a pro= cedure +that accepts the port as an argument, and PERMS should be the permission b= its +of the file, the default is 666." + (let ((port (open file (bitwise-ior O_WRONLY O_CREAT) perms))) + (call-with-port port proc))) + (define* (copy-account-skeletons home #:key (directory %skeleton-directory) base-commit: 503c2039a280dd52a751a6852b4157fccd1b4195 --=20 2.32.0
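Review bot: in the @@ -34633,6 +34635,35 hunk of doc/guix.texi, "unpriviliged" should read "unprivileged", and the first sentence of the @deffn uses bare FILE and PROC next to @var{perms}; use @var{file} and @var{proc} throughout. The sentence "set the file permission bits to @var{perms}" also promises more than open(2) delivers: the mode is masked by the umask and is only applied when the file is created, so a pre-existing @var{file} keeps whatever bits it already had. Suggest stating both caveats in the description, since the whole point of the procedure is that the bits are right from the first instant.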
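Review bot: in the @@ -34,6 +35,7 hunk of gnu/build/activation.scm, the new `#:use-module (srfi srfi-60)` exists only to provide `bitwise-ior`; Guile's built-in `logior` does the same job, so the import can be dropped and the module's dependency list left as it was.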
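Review bot: in the @@ -102,6 +105,14 hunk of gnu/build/activation.scm, `(open file (bitwise-ior O_WRONLY O_CREAT) perms)` passes neither O_EXCL nor O_TRUNC, so when FILE already exists the kernel ignores PERMS, the file keeps its current (possibly world-readable) mode, and the new contents are written over the old ones without truncation, leaving any longer tail of the old file in place. Given that the procedure is meant to keep secrets from leaking, consider adding O_EXCL so that an existing file is refused rather than silently reused (O_TRUNC alone would fix the stale tail but not the inherited mode), and say in the docstring that PERMS applies only at creation and is subject to the umask. The docstring also has typos: "should be string containg" should read "should be a string containing", and "the default is 666" is clearer as "#o666" to match the signature.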
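The create-then-chmod window that the commit message and manual text above describe, shown as an added example that is not part of the patch or of Guix: Python's os.open is the same open(2) call the Scheme `open` wraps, `call_with_output_file_star` mirrors the patch's procedure, and `call_with_new_output_file` with O_EXCL is a hypothetical stricter variant proposed here, not something the patch contains.

```python
import os
import stat
import tempfile


def mode_bits(path):
    """Permission bits of PATH (st_mode without the file-type bits)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path, data, perms=0o400):
    """The pattern the patch replaces: create with the umask-derived default
    mode, write the secret, then tighten the mode. The mode observed while the
    data is being written is returned to make the window visible."""
    with open(path, "w") as port:
        mode_during_window = mode_bits(path)
        port.write(data)
    os.chmod(path, perms)
    return mode_during_window


def call_with_output_file_star(path, proc, perms=0o666):
    """Python rendering of the patch's call-with-output-file*: open(2) with
    O_CREAT and an explicit mode, so the bits are set when the inode is
    created (masked by the umask). As in the Scheme version there is no
    O_EXCL and no O_TRUNC: an existing file keeps its mode and its length."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, perms)
    with os.fdopen(fd, "w") as port:
        mode_at_creation = mode_bits(path)
        proc(port)
    return mode_at_creation


def call_with_new_output_file(path, proc, perms=0o600):
    """Hypothetical stricter variant (a suggestion, not in the patch): O_EXCL
    refuses a pre-existing path instead of inheriting its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, perms)
    with os.fdopen(fd, "w") as port:
        proc(port)
    return mode_bits(path)


def demo():
    """Run the three variants under a 0o022 umask and return what each
    produced (returned rather than printed so the values can be checked)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            racy = os.path.join(tmp, "racy-secret")
            atomic = os.path.join(tmp, "atomic-secret")
            reused = os.path.join(tmp, "reused-secret")
            secret = "top secret\n"

            window_mode = write_then_chmod(racy, secret)
            atomic_mode = call_with_output_file_star(
                atomic, lambda p: p.write(secret), perms=0o400)

            # Edge case: a longer, world-readable file already sits at the path
            # (constructed here to stand in for a leftover from an earlier run).
            with open(reused, "w") as leftover:
                leftover.write("old contents\n")
            os.chmod(reused, 0o644)
            kept_mode = call_with_output_file_star(
                reused, lambda p: p.write(secret), perms=0o400)
            with open(reused) as f:
                kept_contents = f.read()
            try:
                call_with_new_output_file(reused, lambda p: p.write(secret))
                excl_refused = False
            except FileExistsError:
                excl_refused = True
    finally:
        os.umask(old_umask)

    return {
        "racy_window_mode": window_mode,         # 0o644: readable while written
        "atomic_mode": atomic_mode,              # 0o400 from the first instant
        "preexisting_mode_kept": kept_mode,      # 0o644: perms argument ignored
        "preexisting_contents": kept_contents,   # old tail survives: no O_TRUNC
        "excl_refused": excl_refused,            # True: O_EXCL rejects the reuse
    }


if __name__ == "__main__":
    for key, value in demo().items():
        shown = oct(value) if type(value) is int else repr(value)
        print(key, shown)
```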
From: Xinglu Chen <public@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, 48923 <at> debbugs.gnu.org
Subject: Re: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
In-Reply-To: <38b69976891db7870992091d9eb3aa7aeb20e471.camel@HIDDEN>
Date: Tue, 08 Jun 2021 20:04:57 +0200
Message-ID: <87wnr4fd12.fsf@HIDDEN>

On Tue, Jun 08 2021, Maxime Devos wrote:

>> > > diff --git a/guix/build/utils.scm b/guix/build/utils.scm
>> > > index 419c10195b..df960eee84 100644
>> > > --- a/guix/build/utils.scm
>> > > +++ b/guix/build/utils.scm
>> > > @@ -5,6 +5,7 @@
>> >
>> > Modifying (guix build utils) entails a world-rebuild, as
>> > (guix build utils) is used by the build code of practically
>> > every package. I would suggest placing it in (gnu build activation)
>> > instead.
>>
>> Oh, I didn’t think about that. Moving it to (gnu build activation)
>> seems like a good option.
>>
>> Should I create a new “Activation” section in the manual, or should I
>> keep it in the “Build Utilities” section?
>
> The procedure isn't available during package building
> (well, (gnu build activation) _could_ be imported in a package definition
> using #:imported-modules & #:modules but it is not supposed to be used like
> that), so ‘Build Utilities’ doesn't seem appropriate, thus I'd suggest creating
> an "Activation" section in the manual.
>
> Maybe under ‘Programming Reference’, or after ‘Defining Services’ in
> the ‘System configuration’ chapter?

OK, sounds good to me!
From: Maxime Devos <maximedevos@HIDDEN>
To: Xinglu Chen <public@HIDDEN>, 48923 <at> debbugs.gnu.org
Subject: Re: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
In-Reply-To: <871r9cgsxk.fsf@HIDDEN>
Date: Tue, 08 Jun 2021 19:45:49 +0200
Message-ID: <38b69976891db7870992091d9eb3aa7aeb20e471.camel@HIDDEN>

Xinglu Chen wrote on Tue 08-06-2021 at 19:36 [+0200]:
> On Tue, Jun 08 2021, Maxime Devos wrote:
>
> > Xinglu Chen wrote on Tue 08-06-2021 at 17:40 [+0200]:
> > > Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
> > > will prevent secrets from being leaked. See
> > > <https://issues.guix.gnu.org/48872>.
> >
> > This procedure LGTM (but I didn't test).
> > However,
> >
> > > diff --git a/guix/build/utils.scm b/guix/build/utils.scm
> > > index 419c10195b..df960eee84 100644
> > > --- a/guix/build/utils.scm
> > > +++ b/guix/build/utils.scm
> > > @@ -5,6 +5,7 @@
> >
> > Modifying (guix build utils) entails a world-rebuild, as
> > (guix build utils) is used by the build code of practically
> > every package. I would suggest placing it in (gnu build activation)
> > instead.
>
> Oh, I didn’t think about that. Moving it to (gnu build activation)
> seems like a good option.
>
> Should I create a new “Activation” section in the manual, or should I
> keep it in the “Build Utilities” section?

The procedure isn't available during package building
(well, (gnu build activation) _could_ be imported in a package definition
using #:imported-modules & #:modules but it is not supposed to be used like
that), so ‘Build Utilities’ doesn't seem appropriate, thus I'd suggest creating
an "Activation" section in the manual.

Maybe under ‘Programming Reference’, or after ‘Defining Services’ in
the ‘System configuration’ chapter?

Greetings,
Maxime.
From: Xinglu Chen <public@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, 48923 <at> debbugs.gnu.org
Subject: Re: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
In-Reply-To: <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
Date: Tue, 08 Jun 2021 19:36:07 +0200
Message-ID: <871r9cgsxk.fsf@HIDDEN>

On Tue, Jun 08 2021, Maxime Devos wrote:

> Xinglu Chen wrote on Tue 08-06-2021 at 17:40 [+0200]:
>> Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
>> will prevent secrets from being leaked. See
>> <https://issues.guix.gnu.org/48872>.
>
> This procedure LGTM (but I didn't test).
> However,
>
>> diff --git a/guix/build/utils.scm b/guix/build/utils.scm
>> index 419c10195b..df960eee84 100644
>> --- a/guix/build/utils.scm
>> +++ b/guix/build/utils.scm
>> @@ -5,6 +5,7 @@
>
> Modifying (guix build utils) entails a world-rebuild, as
> (guix build utils) is used by the build code of practically
> every package. I would suggest placing it in (gnu build activation)
> instead.

Oh, I didn’t think about that. Moving it to (gnu build activation)
seems like a good option.

Should I create a new “Activation” section in the manual, or should I
keep it in the “Build Utilities” section?
From: Maxime Devos <maximedevos@HIDDEN>
To: Xinglu Chen <public@HIDDEN>, guix-patches@HIDDEN
Subject: Re: [PATCH] build: utils: Add ‘call-with-outp
Date: Tue, 08 Jun 2021 18:04:40 +0200
Message-ID: <a0972b8b687b465ceb341454a6a01a16bf4a444a.camel@HIDDEN>
In-Reply-To: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>

Xinglu Chen schreef op di 08-06-2021 om 17:40 [+0200]:
> Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
> will prevent secrets from being leaked. See
> <https://issues.guix.gnu.org/48872>.

This procedure LGTM (but I didn't test).
However,

> diff --git a/guix/build/utils.scm b/guix/build/utils.scm
> index 419c10195b..df960eee84 100644
> --- a/guix/build/utils.scm
> +++ b/guix/build/utils.scm
> @@ -5,6 +5,7 @@

Modifying (guix build utils) entails a world-rebuild, as (guix build utils) is used by the build code of practically every package. I would suggest placing it in (gnu build activation) instead.

Greetings,
Maxime.
From: Xinglu Chen <public@HIDDEN>
To: guix-patches@HIDDEN
Cc: Maxime Devos <maximedevos@HIDDEN>
Subject: [PATCH] build: utils: Add ‘call-with-outp
Message-Id: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@HIDDEN>
Date: Tue, 08 Jun 2021 17:40:52 +0200

Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’
will prevent secrets from being leaked. See
<https://issues.guix.gnu.org/48872>.

* guix/build/utils.scm (call-with-output-file*): New procedure.
* doc/guix.texi (Build Utilities): Document it.
--- doc/guix.texi | 19 +++++++++++++++++++ guix/build/utils.scm | 10 ++++++++++ 2 files changed, 29 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index 59b4ac11b4..7e15cd9e92 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -8612,6 +8612,25 @@ Be careful about using @code{$} to match the end of = a line; by itself it won't match the terminating newline of a line. @end deffn =20 +@deffn {Scheme Procedure} call-with-output-file* @var{file} @var{proc} @ + [#:perms #o666] +Open FILE for output, set the file permission bits to @var{perms}, and +call @code{(PROC port)} with the resulting port. + +The advantage of using this procedure compared to something like this + +@lisp +(call-with-output-file "FILE" + (lambda (port) + (display "top secret" port))) +(chmod "FILE" #o400) +@end lisp + +is that, with the latter, an unpriviliged user could open @var{file} +before the permission was changed to @code{#o400}, thus making it +possible to leak sensitive information. +@end deffn + @subsection File Search =20 @cindex file, searching diff --git a/guix/build/utils.scm b/guix/build/utils.scm index 419c10195b..df960eee84 100644 --- a/guix/build/utils.scm +++ b/guix/build/utils.scm @@ -5,6 +5,7 @@ ;;; Copyright =C2=A9 2015, 2018 Mark H Weaver <mhw@HIDDEN> ;;; Copyright =C2=A9 2018 Arun Isaac <arunisaac@HIDDEN> ;;; Copyright =C2=A9 2018, 2019 Ricardo Wurmus <rekado@HIDDEN> +;;; Copyright =C2=A9 2021 Xinglu Chen <public@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -66,6 +67,7 @@ file-name-predicate find-files false-if-file-not-found + call-with-output-file* =20 search-path-as-list set-path-environment-variable 
@@ -448,6 +450,14 @@ also be included. If FAIL-ON-ERROR? is true, raise an= exception upon error." #f (apply throw args))))) =20 +;; Prevent secrets from leaking, see <https://issues.guix.gnu.org/48872> +(define* (call-with-output-file* file proc #:key (perms #o666)) + "FILE should be string containg the path to a file, PROC should be a pro= cedure +that accepts the port as an argument, and PERMS should be the permission b= its +of the file, the default is 666." + (let ((port (open file (bitwise-ior O_WRONLY O_CREAT) perms))) + (call-with-port port proc))) + ;;; ;;; Search paths. base-commit: 503c2039a280dd52a751a6852b4157fccd1b4195 --=20 2.32.0
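Review bot: in the new @deffn in doc/guix.texi, "set the file permission bits to @var{perms}" promises more than the implementation's open(2) mode argument delivers: that mode is masked by the umask and applied only when the file is created, so an existing @var{file} keeps whatever mode it already had. Suggest wording such as "create @var{file} with permission bits @var{perms} (subject to the umask)" plus a sentence on the pre-existing-file case, or tighten the implementation to match the text. The default `[#:perms #o666]` also deserves a second look for a procedure whose stated purpose is keeping secrets away from other users; a restrictive default such as #o600, or an explicit note that callers must pass one, would make the documented example hold. Typo: "unpriviliged" should be "unprivileged".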
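Review bot: `(open file (bitwise-ior O_WRONLY O_CREAT) perms)` in the new call-with-output-file* silently reuses an existing FILE: open(2) then ignores PERMS (the old, possibly world-readable, mode stays) and, with no O_TRUNC, bytes of a longer previous content survive past the end of a shorter write. Add O_EXCL so a pre-existing file is an error rather than a silent reuse (or at least O_TRUNC), and if the "set the file permission bits" contract is meant literally, follow the open with `(chmod port perms)` on the open port, which is not subject to the umask. Docstring nits: "FILE should be string containg" should read "FILE should be a string containing", and "the default is 666" should be "#o666" to match the keyword default. Also confirm that bitwise-ior is bound in (guix build utils); it is the SRFI-60 / (rnrs arithmetic bitwise) name, while Guile core provides logior.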
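As an added example for this thread (not Xinglu Chen's patch or Guix code), a variant of the proposed procedure that also covers the case where FILE already exists, which the patch's open(2) call reuses with its old mode; ‘call-with-secret-output-file’ and ‘written-mode’ are names chosen here, and the default permission is changed to #o600.

```scheme
;; Added example, not part of the patch.  The patch opens FILE with
;; (open file (bitwise-ior O_WRONLY O_CREAT) perms).  The mode passed to
;; open(2) is applied only when the file is created (and is masked by the
;; umask), so a FILE that already exists keeps its old, possibly
;; world-readable, mode and still receives the new secret.  This variant
;; refuses a pre-existing file with O_EXCL and pins the mode on the open
;; descriptor so "the permission bits are PERMS" holds as documented.
;; ‘call-with-secret-output-file’ and ‘written-mode’ are names chosen here.
(define* (call-with-secret-output-file file proc #:key (perms #o600))
  "Create FILE with permission bits PERMS and call (PROC port).  Raise a
system-error (EEXIST) instead of reusing an existing FILE."
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) perms)))
    (dynamic-wind
      (const #t)
      (lambda ()
        ;; fchmod(2) on the open descriptor: unlike the mode given to
        ;; open(2), this is not masked by the umask.
        (chmod port perms)
        (proc port))
      (lambda () (close-port port)))))

(define (written-mode file)
  "Demonstration: write a constructed secret to FILE with a deliberately
lax umask in force and return the resulting permission bits as an octal
string.  Return \"exists\" if FILE is already there, the case the patch's
version would silently overwrite."
  (let ((old (umask #o000)))
    (dynamic-wind
      (const #t)
      (lambda ()
        (catch 'system-error
          (lambda ()
            (call-with-secret-output-file file
              (lambda (port) (display "top secret\n" port)))
            (number->string (stat:perms (stat file)) 8))
          (lambda args
            (if (= (system-error-errno args) EEXIST)
                "exists"
                (apply throw args)))))
      (lambda () (umask old)))))

;; Usage: (written-mode "/tmp/example-secret") twice on the same path;
;; the second call is refused by O_EXCL instead of reusing the file.
```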
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.