unofficial mirror of guix-devel@gnu.org 
* glibc update
@ 2016-02-16 20:20 Leo Famulari
  2016-02-17  9:10 ` Andy Wingo
  2016-02-17 16:14 ` Leo Famulari
  0 siblings, 2 replies; 10+ messages in thread
From: Leo Famulari @ 2016-02-16 20:20 UTC (permalink / raw)
  To: guix-devel

I'm wondering if anyone has rebuilt their local systems based on the
glibc update in security updates? I'm wondering what is the best way to
achieve this?

For Guix users, something like this?

$ git checkout master \
&& git checkout -b my-branch \
&& git cherry-pick 8304ccdbc7b653ab0b81e3cec5420fcc6 \
&& ./pre-inst-env guix package -u

It would probably be desirable to reboot afterwards.

GuixSD users would want to reconfigure, presumably.

Then, you would rebase 'my-branch' on master as desired.

It seems arduous, but faster than waiting for our build farm to rebuild
all packages.

Feedback requested!


* Re: glibc update
  2016-02-16 20:20 glibc update Leo Famulari
@ 2016-02-17  9:10 ` Andy Wingo
  2016-02-17 10:10   ` Jookia
  2016-02-17 16:14 ` Leo Famulari
  1 sibling, 1 reply; 10+ messages in thread
From: Andy Wingo @ 2016-02-17  9:10 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Tue 16 Feb 2016 21:20, Leo Famulari <leo@famulari.name> writes:

> I'm wondering if anyone has rebuilt their local systems based on the
> glibc update in security updates? I'm wondering what is the best way to
> achieve this?
>
> For Guix users, something like this?
>
> $ git checkout master \
> && git checkout -b my-branch \
> && git cherry-pick 8304ccdbc7b653ab0b81e3cec5420fcc6 \
> && ./pre-inst-env guix package -u
>
> It would probably be desirable to reboot afterwards.
>
> GuixSD users would want to reconfigure, presumably.
>
> Then, you would rebase 'my-branch' on master as desired.
>
> It seems arduous, but faster than waiting for our build farm to rebuild
> all packages.
>
> Feedback requested!

Given the seriousness of this bug and the amount of time that a full
rebuild will take, does anyone have a graft recipe they would like to
share?

Andy


* Re: glibc update
  2016-02-17  9:10 ` Andy Wingo
@ 2016-02-17 10:10   ` Jookia
  2016-02-17 15:59     ` Leo Famulari
  0 siblings, 1 reply; 10+ messages in thread
From: Jookia @ 2016-02-17 10:10 UTC (permalink / raw)
  To: Andy Wingo; +Cc: guix-devel

On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
> Given the seriousness of this bug and the amount of time that a full
> rebuild will take, does anyone have a graft recipe they would like to
> share?

Not really; unfortunately, grafts are broken right now. I'm not sure how high a
priority it is to fix it, but from what I know, Mark Weaver knows how to fix it.

> Andy

Jookia.


* Re: glibc update
  2016-02-17 10:10   ` Jookia
@ 2016-02-17 15:59     ` Leo Famulari
  2016-02-22 14:32       ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-02-17 15:59 UTC (permalink / raw)
  To: Jookia; +Cc: guix-devel

On Wed, Feb 17, 2016 at 09:10:12PM +1100, Jookia wrote:
> On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
> > Given the seriousness of this bug and the amount of time that a full
> > rebuild will take, does anyone have a graft recipe they would like to
> > share?
> 
> Not really; unfortunately, grafts are broken right now. I'm not sure how high a
> priority it is to fix it, but from what I know, Mark Weaver knows how to fix it.

Here is the relevant bug report:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139

Personally, I'd say it's extremely high priority, but I don't know
Scheme or Guix internals well enough to fix it myself.

> 
> > Andy
> 
> Jookia.


* Re: glibc update
  2016-02-16 20:20 glibc update Leo Famulari
  2016-02-17  9:10 ` Andy Wingo
@ 2016-02-17 16:14 ` Leo Famulari
  2016-02-17 16:28   ` Jookia
  1 sibling, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-02-17 16:14 UTC (permalink / raw)
  To: guix-devel

On Tue, Feb 16, 2016 at 03:20:10PM -0500, Leo Famulari wrote:
> I'm wondering if anyone has rebuilt their local systems based on the
> glibc update in security updates? I'm wondering what is the best way to
> achieve this?
> 
> For Guix users, something like this?
> 
> $ git checkout master \
> && git checkout -b my-branch \
> && git cherry-pick 8304ccdbc7b653ab0b81e3cec5420fcc6 \
> && ./pre-inst-env guix package -u

I tried this. The resulting process downloaded the bootstrap binaries
and appeared to rebuild *everything*. I haven't had time to figure out
what actually got rebuilt and if anything is still using the vulnerable
glibc.

> 
> It would probably be desirable to reboot afterwards.
> 
> GuixSD users would want to reconfigure, presumably.
> 
> Then, you would rebase 'my-branch' on master as desired.
> 
> It seems arduous, but faster than waiting for our build farm to rebuild
> all packages.
> 
> Feedback requested!
> 


* Re: glibc update
  2016-02-17 16:14 ` Leo Famulari
@ 2016-02-17 16:28   ` Jookia
  2016-02-17 18:27     ` Leo Famulari
  0 siblings, 1 reply; 10+ messages in thread
From: Jookia @ 2016-02-17 16:28 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> I tried this. The resulting process downloaded the bootstrap binaries
> and appeared to rebuild *everything*. I haven't had time to figure out
> what actually got rebuilt and if anything is still using the vulnerable
> glibc.

This doesn't graft, does it? It'd just bump glibc's version.


* Re: glibc update
  2016-02-17 16:28   ` Jookia
@ 2016-02-17 18:27     ` Leo Famulari
  2016-02-18  6:45       ` Security warnings (was Re: glibc update) Pjotr Prins
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-02-17 18:27 UTC (permalink / raw)
  To: Jookia; +Cc: guix-devel

No, it doesn't graft. And it produces the same "version" of glibc, but with a patch applied for CVE-2015-7547.

Well, you would make sure you cherry-pick the right hash. I can't confirm that from my phone.


-------- Original Message --------
From: Jookia <166291@gmail.com>
Sent: February 17, 2016 11:28:33 AM EST
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: glibc update

On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> I tried this. The resulting process downloaded the bootstrap binaries
> and appeared to rebuild *everything*. I haven't had time to figure out
> what actually got rebuilt and if anything is still using the vulnerable
> glibc.

This doesn't graft, does it? It'd just bump glibc's version.


* Security warnings (was Re: glibc update)
  2016-02-17 18:27     ` Leo Famulari
@ 2016-02-18  6:45       ` Pjotr Prins
  0 siblings, 0 replies; 10+ messages in thread
From: Pjotr Prins @ 2016-02-18  6:45 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Someone noted that you can run a compromised glibc for a long time on
Guix without realizing.

How expensive would it be if, every time you ran Guix, it checked
for compromised versions and issued a warning like this:

  WARNING: version x.x of package name installed on your system has
  security concerns, please see URL and update the package to y.y or
  later.

In the URL we give a fuller description and a list of packages that
may need to be updated. Very long in the case of glibc.

Pj.

On Wed, Feb 17, 2016 at 01:27:22PM -0500, Leo Famulari wrote:
> No, it doesn't graft. And it produces the same "version" of glibc, but with a patch applied for CVE-2015-7547.
> 
> Well, you would make sure you cherry-pick the right hash. I can't confirm that from my phone.
> 
> 
> -------- Original Message --------
> From: Jookia <166291@gmail.com>
> Sent: February 17, 2016 11:28:33 AM EST
> To: Leo Famulari <leo@famulari.name>
> Cc: guix-devel@gnu.org
> Subject: Re: glibc update
> 
> On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> > I tried this. The resulting process downloaded the bootstrap binaries
> > and appeared to rebuild *everything*. I haven't had time to figure out
> > what actually got rebuilt and if anything is still using the vulnerable
> > glibc.
> 
> This doesn't graft, does it? It'd just bump glibc's version.
> 
> 

-- 

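A sketch of the check Pjotr proposes, as an added example that is not part of this thread or of Guix itself: it parses the tab-separated output of `guix package -I` (name, version, output, store path) against an advisory table and prints the warning in the proposed shape. It also covers Leo's earlier point that the cherry-picked fix yields the same glibc version string: store items known to carry a backported patch are listed explicitly so a plain version compare does not misreport them. The advisory entries, URL, store hashes, sample profile listings and the simplified version comparison are all assumptions.

```python
import re

# Constructed advisory table (sample data, not a real Guix feed). "fixed" is
# the first upstream version carrying the fix; verify against the advisory.
ADVISORIES = {
    "glibc": [{"cve": "CVE-2015-7547", "fixed": "2.23",
               "url": "https://example.invalid/advisories/CVE-2015-7547"}],
}

# Store items that keep an old version string but carry a backported patch,
# which is exactly what the cherry-pick in this thread produces ("2.22", but
# patched). Hashes here are placeholders, not real store paths.
PATCHED_ITEMS = {"/gnu/store/PATCHEDHASH-PLACEHOLDER-glibc-2.22"}

def version_key(v):
    """'2.22' -> (2, 22). Simplified: Guix's own version<? handles more."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def parse_installed(text):
    """Parse `guix package -I` lines: name, version, output, store path."""
    items = []
    for line in text.splitlines():
        if line.strip():
            name, version, output, path = line.split("\t")
            items.append({"name": name, "version": version,
                          "output": output, "path": path})
    return items

def find_vulnerable(installed):
    """Return (item, advisory) pairs older than the fix, skipping store items
    known to carry a backported patch."""
    hits = []
    for item in installed:
        if item["path"] in PATCHED_ITEMS:
            continue
        for adv in ADVISORIES.get(item["name"], []):
            if version_key(item["version"]) < version_key(adv["fixed"]):
                hits.append((item, adv))
    return hits

def warning_text(item, adv):
    """Render the warning in the shape proposed in the thread."""
    return ("WARNING: version {v} of package {n} installed on your system has "
            "security concerns, please see {u} and update the package to {f} "
            "or later.").format(v=item["version"], n=item["name"],
                                u=adv["url"], f=adv["fixed"])

# Constructed profile listings: before and after applying the cherry-pick.
SAMPLE_BEFORE = ("glibc\t2.22\tout\t/gnu/store/OLDHASH-PLACEHOLDER-glibc-2.22\n"
                 "coreutils\t8.25\tout\t/gnu/store/COREHASH-PLACEHOLDER-coreutils-8.25\n")
SAMPLE_AFTER = ("glibc\t2.22\tout\t/gnu/store/PATCHEDHASH-PLACEHOLDER-glibc-2.22\n"
                "coreutils\t8.25\tout\t/gnu/store/COREHASH-PLACEHOLDER-coreutils-8.25\n")

if __name__ == "__main__":
    for item, adv in find_vulnerable(parse_installed(SAMPLE_BEFORE)):
        print(warning_text(item, adv))
```

The patched-items list is what keeps the check honest after a local rebuild; without it, every same-version backport would keep warning forever.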

* Re: glibc update
  2016-02-17 15:59     ` Leo Famulari
@ 2016-02-22 14:32       ` Ludovic Courtès
  2016-02-22 17:47         ` Leo Famulari
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2016-02-22 14:32 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Wed, Feb 17, 2016 at 09:10:12PM +1100, Jookia wrote:
>> On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
>> > Given the seriousness of this bug and the amount of time that a full
>> > rebuild will take, does anyone have a graft recipe they would like to
>> > share?
>> 
>> Not really; unfortunately, grafts are broken right now. I'm not sure how high a
>> priority it is to fix it, but from what I know, Mark Weaver knows how to fix it.
>
> Here is the relevant bug report:
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139
>
> Personally, I'd say it's extremely high priority, but I don't know
> Scheme or Guix internals well enough to fix it myself.

I agree it’s high-priority.  I’ll take another stab at it.

Ludo’.


* Re: glibc update
  2016-02-22 14:32       ` Ludovic Courtès
@ 2016-02-22 17:47         ` Leo Famulari
  0 siblings, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2016-02-22 17:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Mon, Feb 22, 2016 at 03:32:09PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Wed, Feb 17, 2016 at 09:10:12PM +1100, Jookia wrote:
> >> On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
> >> > Given the seriousness of this bug and the amount of time that a full
> >> > rebuild will take, does anyone have a graft recipe they would like to
> >> > share?
> >> 
> >> Not really; unfortunately, grafts are broken right now. I'm not sure how high a
> >> priority it is to fix it, but from what I know, Mark Weaver knows how to fix it.
> >
> > Here is the relevant bug report:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139
> >
> > Personally, I'd say it's extremely high priority, but I don't know
> > Scheme or Guix internals well enough to fix it myself.
> 
> I agree it’s high-priority.  I’ll take another stab at it.

Christopher linked to some relevant discussions for posterity in the bug
report: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#8
