unofficial mirror of guix-devel@gnu.org 
* OpenSSL “DROWN” vulnerability & grafts
@ 2016-03-01 21:16 Ludovic Courtès
  0 siblings, 3 replies; 11+ messages in thread
From: Ludovic Courtès @ 2016-03-01 21:16 UTC (permalink / raw)
  To: guix-devel

Hello!

OpenSSL 1.0.2g was released today, fixing several serious security
vulnerabilities, several of which are referred to as “DROWN” (as has
become security-marketing tradition).

This gave a good incentive to fix the “grafting” mechanism described at:

  https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

The problem was that until now, grafting was not recursive:
<http://bugs.gnu.org/22139>.  This is fixed in c22a132, so we “rushed”
to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd.

So now is the time to find out how well the new implementation scales
and to address any limitations.  :-)

A potentially disturbing thing with the new code is that it starts
building/downloading things early, typically before it has written “The
following derivations will be built”; see
<http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#13>.

A limitation of the current implementation is that the replacement
package must have exactly the same name and version as the package being
replaced.  So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f.

The store file name of the old OpenSSL is given by:

  guix build openssl --no-grafts

… and the new one is given by:

  guix build openssl

For example, to verify which OpenSSL(s) your whole profile refers to,
you can run:

  guix gc -R $(readlink -f ~/.guix-profile) | grep openssl

and check the store file names that you get (make sure to turn off
guix-prettify-mode :-)).  Likewise for a GuixSD generation:

  guix gc -R $(guix system build config.scm) | grep openssl

And for running processes:

  lsof | grep /gnu/store/.*openssl

Seems like these tricks could go in the manual under “Security Updates”,
no?

Feedback welcome!

Ludo’.
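
As an added example (not part of Ludo's message and not Guix's own code): a small POSIX shell script that turns the checks above into a pass/fail test. It assumes the workflow the message describes, `guix build openssl --no-grafts` for the ungrafted store paths and `guix gc -R <root>` for the closure, and its sample data are constructed store paths with made-up hashes. The point it adds is that, because the grafted replacement keeps the same name and version (…-openssl-1.0.2f), grepping the closure for "openssl" cannot tell old from new; the comparison has to be on the full store path, hash included.

```shell
#!/bin/sh
# Added example, not code from the original message or from Guix itself.
# Assumed workflow (the commands are the ones given in the message):
#   guix build openssl --no-grafts > old-openssl.txt      # ungrafted paths
#   guix gc -R "$(readlink -f ~/.guix-profile)" > closure.txt
#   stale_refs old-openssl.txt closure.txt && echo clean
# `guix build` may print several lines (one per output), hence a file of
# old paths rather than a single path.

# stale_refs OLD_PATHS_FILE CLOSURE_FILE
# Prints every store path from OLD_PATHS_FILE that still appears in
# CLOSURE_FILE.  Returns 0 when the closure is clean, 1 otherwise.
# -F fixed strings, -x whole-line match, -f patterns from a file: only an
# exact store path (with its hash) counts, since grafted and ungrafted
# OpenSSL share the name "openssl-1.0.2f".
stale_refs() {
    old_paths="$1"
    closure="$2"
    if grep -F -x -f "$old_paths" "$closure"; then
        return 1
    fi
    return 0
}

# running_refs OLD_PATHS_FILE
# Lists processes that still have an old OpenSSL file open or mapped
# (needs lsof; a running daemon keeps the old library until restarted).
running_refs() {
    lsof 2>/dev/null | grep -F -f "$1"
}

# make_sample
# Creates a temporary directory with constructed sample files (the hashes
# are placeholders, not real store items) and prints its path.
make_sample() {
    dir=$(mktemp -d)
    # Two outputs of the ungrafted package, as `guix build --no-grafts`
    # would list them.
    printf '%s\n' \
        /gnu/store/0000000000000000000000000000000a-openssl-1.0.2f \
        /gnu/store/0000000000000000000000000000000b-openssl-1.0.2f-doc \
        > "$dir/old-openssl.txt"
    # A fully grafted closure: same name/version, different hash.
    printf '%s\n' \
        /gnu/store/1111111111111111111111111111111a-openssl-1.0.2f \
        /gnu/store/2222222222222222222222222222222c-curl-7.47.0 \
        > "$dir/closure-clean.txt"
    # A closure in which something still refers to the ungrafted library.
    printf '%s\n' \
        /gnu/store/1111111111111111111111111111111a-openssl-1.0.2f \
        /gnu/store/0000000000000000000000000000000a-openssl-1.0.2f \
        > "$dir/closure-stale.txt"
    echo "$dir"
}
```

A plain `grep openssl` on `closure-stale.txt` would show two lines that look alike; `stale_refs` reports only the one whose hash matches the ungrafted build.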

Thread overview: 11+ messages
2016-03-01 21:16 OpenSSL “DROWN” vulnerability & grafts Ludovic Courtès
2016-03-01 21:50 ` Christopher Allan Webber
2016-03-02 16:28 ` Ludovic Courtès
2016-03-02 17:47   ` Mathieu Lirzin
2016-03-02 18:00   ` Chris Marusich
2016-03-02 18:43 ` Efraim Flashner
2016-03-02 21:36   ` Ludovic Courtès
2016-03-03  6:45     ` Efraim Flashner
2016-03-04 23:24       ` Ludovic Courtès
2016-03-05 19:07         ` Efraim Flashner
2016-03-05 21:51           ` Ludovic Courtès
