* glibc update
@ 2016-02-16 20:20 Leo Famulari
2016-02-17 9:10 ` Andy Wingo
2016-02-17 16:14 ` Leo Famulari
0 siblings, 2 replies; 10+ messages in thread
From: Leo Famulari @ 2016-02-16 20:20 UTC (permalink / raw)
To: guix-devel
I'm wondering if anyone has rebuilt their local systems based on the
glibc update in security updates? I'm wondering what is the best way to
achieve this?
For Guix users, something like this?
$ git checkout master \
&& git checkout -b my-branch \
&& git cherry-pick 8304ccdbc7b653ab0b81e3cec5420fcc6 \
&& ./pre-inst-env guix package -u
It would probably be desirable to reboot afterwards.
GuixSD users would want to reconfigure, presumably.
Then, you would rebase 'my-branch' on master as desired.
It seems arduous, but faster than waiting for our build farm to rebuild
all packages.
Feedback requested!
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-16 20:20 glibc update Leo Famulari
@ 2016-02-17 9:10 ` Andy Wingo
2016-02-17 10:10 ` Jookia
2016-02-17 16:14 ` Leo Famulari
1 sibling, 1 reply; 10+ messages in thread
From: Andy Wingo @ 2016-02-17 9:10 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On Tue 16 Feb 2016 21:20, Leo Famulari <leo@famulari.name> writes:
> I'm wondering if anyone has rebuilt their local systems based on the
> glibc update in security updates? I'm wondering what is the best way to
> achieve this?
>
> For Guix users, something like this?
>
> $ git checkout master \
> && git checkout -b my-branch \
> && git cherry-pick 8304ccdbc7b653ab0b81e3cec5420fcc6 \
> && ./pre-inst-env guix package -u
>
> It would probably be desirable to reboot afterwards.
>
> GuixSD users would want to reconfigure, presumably.
>
> Then, you would rebase 'my-branch' on master as desired.
>
> It seems arduous, but faster than waiting for our build farm to rebuild
> all packages.
>
> Feedback requested!
Given that seriousness of this bug and the amount of time that a full
rebuild will take, does anyone have a graft recipe they would like to
share?
Andy
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-17 9:10 ` Andy Wingo
@ 2016-02-17 10:10 ` Jookia
2016-02-17 15:59 ` Leo Famulari
0 siblings, 1 reply; 10+ messages in thread
From: Jookia @ 2016-02-17 10:10 UTC (permalink / raw)
To: Andy Wingo; +Cc: guix-devel
On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
> Given that seriousness of this bug and the amount of time that a full
> rebuild will take, does anyone have a graft recipe they would like to
> share?
Not really, unfortunately grafts are broken right now. I'm not sure how high a
priority it is to fix it, but from what I know Mark Weaver knows how to fix it.
> Andy
Jookia.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-17 10:10 ` Jookia
@ 2016-02-17 15:59 ` Leo Famulari
2016-02-22 14:32 ` Ludovic Courtès
0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-02-17 15:59 UTC (permalink / raw)
To: Jookia; +Cc: guix-devel
On Wed, Feb 17, 2016 at 09:10:12PM +1100, Jookia wrote:
> On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
> > Given that seriousness of this bug and the amount of time that a full
> > rebuild will take, does anyone have a graft recipe they would like to
> > share?
>
> Not really, unfortunately grafts are broken right now. I'm not sure how high a
> priority it is to fix it, but from what I know Mark Weaver knows how to fix it.
Here is the relevant bug report:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139
Personally, I'd say it's extremely high priority, but I don't know
Scheme or Guix internals well enough to fix it myself.
>
> > Andy
>
> Jookia.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-16 20:20 glibc update Leo Famulari
2016-02-17 9:10 ` Andy Wingo
@ 2016-02-17 16:14 ` Leo Famulari
2016-02-17 16:28 ` Jookia
1 sibling, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-02-17 16:14 UTC (permalink / raw)
To: guix-devel
On Tue, Feb 16, 2016 at 03:20:10PM -0500, Leo Famulari wrote:
> I'm wondering if anyone has rebuilt their local systems based on the
> glibc update in security updates? I'm wondering what is the best way to
> achieve this?
>
> For Guix users, something like this?
>
> $ git checkout master \
> && git checkout -b my-branch \
> && git cherry-pick 8304ccdbc7b653ab0b81e3cec5420fcc6 \
> && ./pre-inst-env guix package -u
I tried this. The resulting process downloaded the bootstrap binaries
and appeared to rebuild *everything*. I haven't had time to figure out
what actually got rebuilt and if anything is still using the vulnerable
glibc.
>
> It would probably be desirable to reboot afterwards.
>
> GuixSD users would want to reconfigure, presumably.
>
> Then, you would rebase 'my-branch' on master as desired.
>
> It seems arduous, but faster than waiting for our build farm to rebuild
> all packages.
>
> Feedback requested!
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-17 16:14 ` Leo Famulari
@ 2016-02-17 16:28 ` Jookia
2016-02-17 18:27 ` Leo Famulari
0 siblings, 1 reply; 10+ messages in thread
From: Jookia @ 2016-02-17 16:28 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> I tried this. The resulting process downloaded the bootstrap binaries
> and appeared to rebuild *everything*. I haven't had time to figure out
> what actually got rebuilt and if anything is still using the vulnerable
> glibc.
This doesn't graft does it? It'd just bump glibc's version.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-17 16:28 ` Jookia
@ 2016-02-17 18:27 ` Leo Famulari
2016-02-18 6:45 ` Security warnings (was Re: glibc update) Pjotr Prins
0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-02-17 18:27 UTC (permalink / raw)
To: Jookia; +Cc: guix-devel
No, it doesn't graft. And it produces the same "version" of glibc, but with a patch applied for CVE-2015-7547.
Well, you would make sure you cherry-pick the right hash. I can't confirm that from my phone.
-------- Original Message --------
From: Jookia <166291@gmail.com>
Sent: February 17, 2016 11:28:33 AM EST
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: glibc update
On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> I tried this. The resulting process downloaded the bootstrap binaries
> and appeared to rebuild *everything*. I haven't had time to figure out
> what actually got rebuilt and if anything is still using the vulnerable
> glibc.
This doesn't graft does it? It'd just bump glibc's version.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Security warnings (was Re: glibc update)
2016-02-17 18:27 ` Leo Famulari
@ 2016-02-18 6:45 ` Pjotr Prins
0 siblings, 0 replies; 10+ messages in thread
From: Pjotr Prins @ 2016-02-18 6:45 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Someone noted that you can run a compromised glibc for a long time on
Guix without realizing.
How expensive would it be that every time you run Guix it would check
for compromised versions and issue a warning like this:
WARNING: version x.x of package name installed on your system has
security concerns, please see URL and update the package to y.y or
later.
In the URL we give a fuller description and a list of packages that
may need to be updated. Very long in the case of glibc.
Pj.
On Wed, Feb 17, 2016 at 01:27:22PM -0500, Leo Famulari wrote:
> No, it doesn't graft. And it produces the same "version" of glibc, but with a patch applied for CVE-2015-7547.
>
> Well, you would make sure you cherry-pick the right hash. I can't confirm that from my phone.
>
>
> -------- Original Message --------
> From: Jookia <166291@gmail.com>
> Sent: February 17, 2016 11:28:33 AM EST
> To: Leo Famulari <leo@famulari.name>
> Cc: guix-devel@gnu.org
> Subject: Re: glibc update
>
> On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> > I tried this. The resulting process downloaded the bootstrap binaries
> > and appeared to rebuild *everything*. I haven't had time to figure out
> > what actually got rebuilt and if anything is still using the vulnerable
> > glibc.
>
> This doesn't graft does it? It'd just bump glibc's version.
>
>
--
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-17 15:59 ` Leo Famulari
@ 2016-02-22 14:32 ` Ludovic Courtès
2016-02-22 17:47 ` Leo Famulari
0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2016-02-22 14:32 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> On Wed, Feb 17, 2016 at 09:10:12PM +1100, Jookia wrote:
>> On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
>> > Given that seriousness of this bug and the amount of time that a full
>> > rebuild will take, does anyone have a graft recipe they would like to
>> > share?
>>
>> Not really, unfortunately grafts are broken right now. I'm not sure how high a
>> priority it is to fix it, but from what I know Mark Weaver knows how to fix it.
>
> Here is the relevant bug report:
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139
>
> Personally, I'd say it's extremely high priority, but I don't know
> Scheme or Guix internals well enough to fix it myself.
I agree it’s high-priority. I’ll take another stab at it.
Ludo’.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: glibc update
2016-02-22 14:32 ` Ludovic Courtès
@ 2016-02-22 17:47 ` Leo Famulari
0 siblings, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2016-02-22 17:47 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Mon, Feb 22, 2016 at 03:32:09PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Wed, Feb 17, 2016 at 09:10:12PM +1100, Jookia wrote:
> >> On Wed, Feb 17, 2016 at 10:10:14AM +0100, Andy Wingo wrote:
> >> > Given that seriousness of this bug and the amount of time that a full
> >> > rebuild will take, does anyone have a graft recipe they would like to
> >> > share?
> >>
> >> Not really, unfortunately grafts are broken right now. I'm not sure how high a
> >> priority it is to fix it, but from what I know Mark Weaver knows how to fix it.
> >
> > Here is the relevant bug report:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139
> >
> > Personally, I'd say it's extremely high priority, but I don't know
> > Scheme or Guix internals well enough to fix it myself.
>
> I agree it’s high-priority. I’ll take another stab at it.
Christopher linked to some relevant discussions for posterity in the bug
report: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#8
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2016-02-22 17:47 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-16 20:20 glibc update Leo Famulari
2016-02-17 9:10 ` Andy Wingo
2016-02-17 10:10 ` Jookia
2016-02-17 15:59 ` Leo Famulari
2016-02-22 14:32 ` Ludovic Courtès
2016-02-22 17:47 ` Leo Famulari
2016-02-17 16:14 ` Leo Famulari
2016-02-17 16:28 ` Jookia
2016-02-17 18:27 ` Leo Famulari
2016-02-18 6:45 ` Security warnings (was Re: glibc update) Pjotr Prins
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).