From: Bengt Richter <bokr@bokr.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 37744@debbugs.gnu.org
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Fri, 18 Oct 2019 18:32:01 -0700 [thread overview]
Message-ID: <20191018224519.GA81713@PhantoNv4ArchGx.localdomain> (raw)
In-Reply-To: <877e5215ox.fsf@gnu.org>
Hi Ludo,
On +2019-10-18 16:36:30 +0200, Ludovic Courtès wrote:
> Bengt Richter <bokr@bokr.com> skribis:
>
> > On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
>
> [...]
>
> >> > Imperialist nitpick: why list the foreigners first? :-)
> >> >
> >> > Anti-imperialist nitpick: reversing the two allows using ‘other
> >> > distributions’ instead of ‘foreign’ which always sounds a bit
> >> > dismissive to my ears.
> >> >
> >> > End nitpick.
> >>
> >> That makes sense to me; I’m not satisfied with “foreign” either (I think
> >> the inspiration came from FFIs, but still). Maybe “fellow distros”?
> >> :-)
> >
> > Is not the important distinction whether the "foreign distro" can be generated
> > with pure guix libre components using a pure guix tool chain vs not?
>
> “Foreign distro” designates any distro other than Guix System. From a
> technical viewpoint, it’s sometimes useful to be able to make that
> distinction.
>
> HTH,
> Ludo’.
I was trying to get to a more exact definition of "that distinction" :)
I have read the page at "info guix installation", where "foreign" is explained:
---------------------------
Note: We recommend the use of this shell installer script
(https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh)
to install Guix on top of a running GNU/Linux system, thereafter
called a “foreign distro”.(1) The script automates the download,
installation, and initial configuration of Guix. It should be run
as the root user.
When installed on a foreign distro, GNU Guix complements the
available tools without interference. Its data lives exclusively in two
directories, usually ‘/gnu/store’ and ‘/var/guix’; other files on your
system, such as ‘/etc’, are left untouched.
[...]
(1) This section is concerned with the installation of the package
manager, which can be done on top of a running GNU/Linux system. If,
instead, you want to install the complete GNU operating system, *note
System Installation::.
---------------------------
I have also read from "info guix introduction":
-----------------
(2) We used to refer to Guix System as “Guix System Distribution” or
“GuixSD”. We now consider it makes more sense to group everything under
the “Guix” banner since, after all, Guix System is readily available
through the ‘guix system’ command, even if you’re using a different
distro underneath!
----------------
further along it says:
-----------------------
With Guix System, you _declare_ all aspects of the operating system
configuration and Guix takes care of instantiating the configuration in
a transactional, reproducible, and stateless fashion (*note System
Configuration::). Guix System uses the Linux-libre kernel, the Shepherd
initialization system (*note (shepherd)Introduction::), the well-known
GNU utilities and tool chain, as well as the graphical environment or
system services of your choice.
-----------------------
That sounds more restricted than "... even if you’re using a different
distro underneath!"
When you say "Guix System," do/should you really mean _only_ a system specifically
running a linux-libre kernel, built with no dependencies outside of GuixSD
official sources, and using Shepherd initialization??
E.g., the purism OS has (UIAM) been recognized as free as in RMS's "ryf" but is it
compiled entirely using only tools in /gnu/store/... ?
Ask them, right? ;-)
(BTW, does anyone in the guix community have contact with them?
I think they are trying to contribute upstream and do "The Right Thing"(TM))
My point is, if e.g. a bug is caused by something that is different in their kernel image
from the one you generate from linux-libre and GuixSD sources, then we will be chasing a bug
in their build process, not ours.
Sometimes it might be "useful to be able to make that distinction" no? :)
(kernel image is just an example, likewise for initrd's or anything that runs that was not derived
from official guix/GuixSD sources).
BTW, Is it safe to do "guix system reconfigure" naively, "... even if you’re using a different
distro underneath!" ?? I am afraid to try it :)
--
Regards,
Bengt Richter
PS. I think it would be useful if there were a LD_IMPURE_REFERENCE_LOG="path/to/logfile.txt"
in an easy-to-edit place that, if present, would cause the ld wrapper to append to log what
it finds (even if otherwise ignoring impure refs)
WDYT?
next prev parent reply other threads:[~2019-10-19 1:33 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-14 7:47 bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) Ludovic Courtès
2019-10-14 7:58 ` Ludovic Courtès
2019-10-14 11:53 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-14 16:37 ` Maxim Cournoyer
2019-10-15 12:34 ` Ludovic Courtès
2019-10-15 14:31 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-16 6:57 ` Ludovic Courtès
2019-10-16 10:22 ` Ludovic Courtès
2019-10-16 13:25 ` Ludovic Courtès
2019-10-16 14:22 ` pelzflorian (Florian Pelz)
2019-10-16 15:16 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-16 15:19 ` pelzflorian (Florian Pelz)
2019-10-16 15:23 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-16 17:05 ` Ludovic Courtès
2019-10-16 19:50 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-16 19:55 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-16 21:40 ` Ludovic Courtès
2019-10-16 21:41 ` Ludovic Courtès
2019-10-16 19:58 ` Julien Lepiller
2019-10-16 21:38 ` Ludovic Courtès
2019-10-16 15:37 ` pelzflorian (Florian Pelz)
2019-10-16 21:39 ` Ludovic Courtès
2019-10-17 2:58 ` pelzflorian (Florian Pelz)
2019-10-17 3:01 ` pelzflorian (Florian Pelz)
2019-10-16 20:28 ` Ludovic Courtès
2019-10-17 16:18 ` Ludovic Courtès
2019-10-17 19:01 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-17 20:25 ` Ludovic Courtès
2019-10-18 2:21 ` Bengt Richter
2019-10-18 14:36 ` Ludovic Courtès
2019-10-19 1:32 ` Bengt Richter [this message]
2019-10-16 14:12 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-10-16 20:01 ` Ludovic Courtès
2019-10-16 16:28 ` Julien Lepiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191018224519.GA81713@PhantoNv4ArchGx.localdomain \
--to=bokr@bokr.com \
--cc=37744@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).