From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id OF1wE/UDgGMjsQAAbAwnHQ (envelope-from ) for ; Fri, 25 Nov 2022 00:53:25 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id iMJWE/UDgGNyiwAAauVa8A (envelope-from ) for ; Fri, 25 Nov 2022 00:53:25 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1B4882513C for ; Fri, 25 Nov 2022 00:53:25 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oyM1g-0004Hh-RO; Thu, 24 Nov 2022 18:53:04 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oyM1e-0004HY-Vw for bug-guix@gnu.org; Thu, 24 Nov 2022 18:53:03 -0500 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oyM1e-0002mH-Ng for bug-guix@gnu.org; Thu, 24 Nov 2022 18:53:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1oyM1e-0005ga-B7 for bug-guix@gnu.org; Thu, 24 Nov 2022 18:53:02 -0500 X-Loop: help-debbugs@gnu.org Subject: bug#56398: (guix git) fails to check out repos with nested submodules Resent-From: bokr@bokr.com Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 24 Nov 2022 23:53:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 56398 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: =?UTF-8?Q?Andr=C3=A9?= Batista Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= , 56398@debbugs.gnu.org Received: via spool by 56398-submit@debbugs.gnu.org id=B56398.166933393421797 (code B ref 56398); Thu, 24 Nov 2022 23:53:02 +0000 Received: (at 56398) by debbugs.gnu.org; 24 Nov 2022 23:52:14 +0000 Received: from localhost ([127.0.0.1]:60534 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oyM0r-0005fV-Ng for submit@debbugs.gnu.org; Thu, 24 Nov 2022 18:52:14 -0500 Received: from mailout.easymail.ca ([64.68.200.34]:36904) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oyM0o-0005fG-Nm for 56398@debbugs.gnu.org; Thu, 24 Nov 2022 18:52:12 -0500 Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id B751C66D06; Thu, 24 Nov 2022 23:52:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bokr.com; s=easymail; t=1669333924; bh=WLOuFqmDHWcXebdzI/QILTEaxNhRTaHjE8+UYVs7n5k=; h=From:Date:To:Cc:Subject:References:In-Reply-To:From; b=Q7GYPW8yfuaiWfWmA/uKk8wKFck0U/UFQGoqiTIoTq90AsfNGYUZVGqxgt3zXOEsx XJPoav5Z3RoY+v6+YLj5irz1MTwxpTppiic1ujMOIVMtes3wW1xbP77+kEVMkJ0EFQ 6ki+A03+SrW8VsHW7f110+736azQMqiteJ7F4BtmQ88Up0e+zIxaq8KeLSrk8QOwTO d4BvdUoivQEJPQ4JiwbQ8SfTDyBFAJ+5YO5Vh0L3oiu2cGwWAfxHXuoEIhNsf/+v3u gMDO8ZOboMs3wXKlHEGH3a6Cf6iEcC+UrlxC08453VgihUqlRDh3fYJXP8DAbQIV4q j/LJE53xTZQ5Q== X-Virus-Scanned: Debian amavisd-new at emo09-pco.easydns.vpn Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo09-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xzx58rBk8zsp; Thu, 24 Nov 2022 23:52:04 +0000 (UTC) Received: from localhost (m90-129-206-71.cust.tele2.se [90.129.206.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id BB2E066B89; Thu, 24 Nov 2022 23:52:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bokr.com; s=easymail; t=1669333924; bh=WLOuFqmDHWcXebdzI/QILTEaxNhRTaHjE8+UYVs7n5k=; h=From:Date:To:Cc:Subject:References:In-Reply-To:From; b=Q7GYPW8yfuaiWfWmA/uKk8wKFck0U/UFQGoqiTIoTq90AsfNGYUZVGqxgt3zXOEsx XJPoav5Z3RoY+v6+YLj5irz1MTwxpTppiic1ujMOIVMtes3wW1xbP77+kEVMkJ0EFQ 6ki+A03+SrW8VsHW7f110+736azQMqiteJ7F4BtmQ88Up0e+zIxaq8KeLSrk8QOwTO d4BvdUoivQEJPQ4JiwbQ8SfTDyBFAJ+5YO5Vh0L3oiu2cGwWAfxHXuoEIhNsf/+v3u gMDO8ZOboMs3wXKlHEGH3a6Cf6iEcC+UrlxC08453VgihUqlRDh3fYJXP8DAbQIV4q j/LJE53xTZQ5Q== From: bokr@bokr.com Date: Fri, 25 Nov 2022 00:51:43 +0100 Message-ID: <20221124235143.GA8148@LionPure> References: <87sfnf4n7c.fsf@inria.fr> <87pmigxb5r.fsf@inria.fr> <87h72smd7r.fsf@inria.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1669334005; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=/c1MgtvaXQhx6jfyrJa9CmKYRzjpyyPgz70VUbJ61c0=; b=rhu+C4Mcjg76R6I9yjFKK0b0ntcAtEaNDXNfymcEQORkwm65frmSfcQptSbVNwOhoypOCb OjNa2iRn5F2I5f7Q0m9GSWnTNbEwF0jDWQQAUv0Bi5MNRMvL0BqTkYCW59Tu4HNo2bWlta GbRWXuOooKEZ4b4RUK5o9YudbfuItwqtdQ3z2iVOc4XpnY55FG41UwFJgVFSOLc7yLii6g ddxYwQEM2hYri4nTJCbCt+cA9JRJmmUTE7mksrk6pxAckxHyhU1OwPsYZry1MtcxxWU0sC LIH8SboJKQDiOIq6uW2whfTB8VoGj79gvXKYJUuOoo48svh35l48aXsnspOv/g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1669334005; a=rsa-sha256; cv=none; b=WZ2V+PLi6+TFBsPG5QzwI0EOkTPDmLD7ZYvyaPOyf4Hh4VV7Vk5KQEn45VUg0l8U1IY02I ZkwtytdVbtMadgOvDuZd+sazL9ydjY0RHR/SIen0VdFM+VqTk1xnxivj9wcE4s7JX0uLMo AmONMuAN2VaWj2gk5w/4ONlybdnZHL6SbUrmLTy4hILf/8r/u/G7peyMLY4Fmu0HYhZq2k p8rAduREml6JrYKutLkEUgkUYtZcqT/cR5wmtFktKdGx3RxcUE0ewl82Mk9QNn70PTxumW ByVPTbGNVX/vWWtd2gxfETbXWA2aqnGuUhZ0h+bfTqO0zGlN++pV1qfkhh+xgQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=bokr.com header.s=easymail header.b=Q7GYPW8y; dkim=fail ("headers rsa verify failed") header.d=bokr.com header.s=easymail header.b=Q7GYPW8y; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: 1.32 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=bokr.com header.s=easymail header.b=Q7GYPW8y; dkim=fail ("headers rsa verify failed") header.d=bokr.com header.s=easymail header.b=Q7GYPW8y; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 1B4882513C X-Spam-Score: 1.32 X-Migadu-Scanner: scn1.migadu.com X-TUID: 7cO+1ZZMwEhM Hi, On +2022-11-24 12:17:01 -0300, André Batista wrote: > Hi! > > qui 04 ago 2022 às 13:59:20 (1659632360), ludovic.courtes@inria.fr enviou: > > I think we should instead report it upstream. Do you feel like doing > > it? I guess we’d need to give them the C version of the three-line > > snippet I gave earlier. > > Upstream issue #6433[1] > > Apparently, GIT_SUBMODULE_STATUS_WD_UNINITIALIZED isn't actually set > in this scenario, only GIT_SUBMODULE_STATUS_IN_CONFIG. > > 1. https://github.com/libgit2/libgit2/issues/6433 > > > Wondering if this[1] is all history in gnu/guix-land: [1] Wherein it says --8<---------------cut here---------------start------------->8--- The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. --8<---------------cut here---------------end--------------->8--- Is there an automated tool to answer the question, "What executables (command line directly, or indirectly (including config-directed interpretation)) does my system contain that have known vulnerabilities?" BTW: Newsflash: :) RMS paranoia now dernier-cri[3] as cited in [2] [2] [3] Something[3] to get (more) serious about for gnu/guix? -- Regards, Bengt Richter