From: Efraim Flashner
Subject: Re: OpenSSL “DROWN” vulnerability & grafts
Date: Wed, 2 Mar 2016 20:43:08 +0200
Message-ID: <20160302184308.GA11131@debian-netbook>
In-Reply-To: <87twkpnbk0.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel

On Tue, Mar 01, 2016 at 10:16:47PM +0100, Ludovic Courtès wrote:
> Hello!
>
> OpenSSL 1.0.2g was released today, fixing several serious security
> vulnerabilities, several of which are referred to as “DROWN” (as has
> become security-marketing tradition.)
>
> This gave a good incentive to fix the “grafting” mechanism described at:
>
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
>
> The problem was that until now, grafting was not recursive:
> . This is fixed in c22a132, so we “rushed”
> to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd.
>
> So now is the time to find out how well the new implementation scales
> and to address any limitations. :-)
>
> A potentially disturbing thing with the new code is that it starts
> building/downloading things early, typically before it has written “The
> following derivations will be built”; see
> .
>
> A limitation of the current implementation is that the replacement
> package must have exactly the same name and version as the package being
> replaced. So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f.
>
> The store file name of the old OpenSSL is given by:
>
> guix build openssl --no-grafts
>
> … and the new one is given by:
>
> guix build openssl
>
> For example, to verify which OpenSSL(s) your whole profile refers to,
> you can run:
>
> guix gc -R $(readlink -f ~/.guix-profile) | grep openssl
>
> and check the store file names that you get (make sure to turn off
> guix-prettify-mode :-)). Likewise for a GuixSD generation:
>
> guix gc -R $(guix system build config.scm) | grep openssl
>
> And for running processes:
>
> lsof | grep /gnu/store/.*openssl
>
> Seems like these tricks could go in the manual under “Security Updates”,
> no?
>
> Feedback welcome!
>
> Ludo’.

BIG thanks for getting this working, it's a great way to keep our systems
up and running while taking care of the security issues.

One issue that I noticed on my slow netbook is that `guix package -u`,
with no updates, now takes ~15 minutes, while before it was ~30 seconds.
--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
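The verification procedure quoted above (compare the output of `guix build openssl --no-grafts` and `guix build openssl` against `guix gc -R ... | grep openssl`) has one pitfall the thread points out: the grafted and ungrafted OpenSSL both show up as `…-openssl-1.0.2f`, so the two store items differ only by hash and a version-string grep cannot tell them apart. The following shell function is an added example, not code from the thread or from Guix itself: it reads a closure listing on stdin and compares full store file names against the two known paths. The store paths in it are constructed sample values with obviously fake hashes, not real Guix store items.

```shell
#!/bin/sh
# Added example (not from the thread): classify every OpenSSL store item in
# a closure listing as the ungrafted (old) or grafted (new) build.
#
# On a live Guix system the inputs would come from:
#   OLD=$(guix build openssl --no-grafts)
#   NEW=$(guix build openssl)
#   guix gc -R "$(readlink -f ~/.guix-profile)" | check_closure "$OLD" "$NEW"
#
# check_closure OLD NEW  <  closure-listing
#   Prints one line per OpenSSL item, labelled UNGRAFTED, GRAFTED or UNKNOWN.
#   Returns 1 if the ungrafted item is still referenced anywhere, else 0.
check_closure() {
    old="$1"; new="$2"; status=0
    while IFS= read -r item; do
        case "$item" in
            *-openssl-*) ;;      # store items are /gnu/store/<hash>-openssl-<version>
            *) continue ;;
        esac
        # Name and version are identical for both builds (that is the point of
        # a graft), so only a full-path comparison is meaningful here.
        if [ "$item" = "$old" ]; then
            echo "UNGRAFTED $item"; status=1
        elif [ "$item" = "$new" ]; then
            echo "GRAFTED   $item"
        else
            echo "UNKNOWN   $item"
        fi
    done
    return $status
}

# Constructed sample paths (fake hashes, NOT real store items) standing in
# for the output of "guix build openssl --no-grafts" and "guix build openssl".
OLD_OPENSSL=/gnu/store/0000000000000000000000000000000a-openssl-1.0.2f
NEW_OPENSSL=/gnu/store/0000000000000000000000000000000b-openssl-1.0.2f

# Constructed closure listing in which the old OpenSSL is still referenced,
# e.g. by a profile that has not been regenerated since the graft landed.
SAMPLE_CLOSURE="/gnu/store/0000000000000000000000000000000c-glibc-2.22
$OLD_OPENSSL
$NEW_OPENSSL
/gnu/store/0000000000000000000000000000000d-curl-7.47.0"

# Run the check over the constructed closure; exit status 1 flags the
# lingering ungrafted OpenSSL.
demo() {
    printf '%s\n' "$SAMPLE_CLOSURE" | check_closure "$OLD_OPENSSL" "$NEW_OPENSSL"
}

demo
echo "ungrafted OpenSSL still referenced: $?  (1 = yes, 0 = no)"
```

The same function works for a GuixSD generation (`guix gc -R $(guix system build config.scm)`) since the input is just a list of store paths; the `lsof` check for running processes is a different question (which libraries are mapped now) and is left as quoted above.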