Subject: bug#56322: Ruby packaging issues
From: Remco van 't Veer
To: Maxime Devos
Cc: 56322@debbugs.gnu.org
Date: Thu, 25 Aug 2022 12:44:26 +0200
Message-ID: <87sflkk3g5.fsf@remworks.net>
In-reply-to: <171276f3-bcb2-abfc-b9a9-705059f8605f@telenet.be>
References: <87o7w9ll4x.fsf@jomco.nl> <171276f3-bcb2-abfc-b9a9-705059f8605f@telenet.be>
List-Id: Bug reports for GNU Guix
2022/08/24 20:38, Maxime Devos:

> We have a bunch of old rubies packaged, maybe it can be generated with
> one of the old versions? Though possibly the old versions have the
> same problem, I haven't checked.

Older rubies need ruby to compile too, I checked. Totally getting rid
of parse.c is not easy.

> If not: fully properly generating it might not be possible, but
> something in-between could be an option:
>
> 1. First, use the pre-generated parse.c.
> 2. Once ruby is built, regenerate the parse.c, and verify that it is
>    the same as the old parse.c (ignoring the timestamp)
>
>> What's to gain by this?
>
> (1) I would assume it is much easier to hide malware in a generated
> file like parse.c than in the real source code (*) (IIRC, the .c code
> generated by bison is much longer than the .y). By generating the
> parse.c, the potential issue is side-stepped; any security reviewers
> wouldn't even have to look at parse.c because the pre-generated
> parse.c isn't used, it's regenerated.

By using one ruby to support compiling the others, said security
reviewer can focus on one particular parse.c. It's big but reviewing
it seems doable, but I am no security reviewer.

> (2) Also: generators like Bison can have bugs, fixed in later
> versions. Now imagine that Bison had, say, a buffer overflow bug, and
> that distros just used the pre-generated parse.c. Then once a fixed
> version of Bison comes out, we would have to check every package to
> see if it has a pre-generated parser. It would be much less stressful
> to just always generate parsers from source, then once the version of
> Bison in Guix is updated then all packages automatically get the
> buffer overflow fix.
>
> I don't think my in-between proposal helps much with (1) in case of a
> competent attacker (though it could stop some insufficiently
> sophisticated attacks where the parse.c malware doesn't try to subvert
> the later check), but it still helps with (2) -- it at least detects
> if ruby used an old bison (and hence that a patch might be in order)

The two-phase build approach (first building with parse.c and then
using that ruby as native-input for a package with parse.c removed)
seems to work, but with some notes.

Rubies 2.7 and up work fine with the bison current in guix
(bison-3.7.6), but ruby-2.6 (and possibly down) don't, because they
trigger some incompatibility between bison-3.5.1 (stated as parse.c
generator in ruby-2.6) and bison-3.7.6. I tried bison-3.0 from
gnu/packages/bison for ruby-2.6 and it works, but using that kinda
defeats the ".. automatically get the buffer overflow fix" argument.
I'd say it doesn't really matter for ruby-2.6 and down since they are
EOL anyway and should at some point be removed from guix.

I'll post a patch after this message for feedback. In it a new package
is introduced based on ruby-2.7 named baseruby which is compiled with
the parse.c from the tarball; ruby-2.7 and up will delete parse.c
before build and have extra native-inputs on baseruby and bison to
support the magic.

Cheers,
Remco