From: bokr@bokr.com
To: zimoun <zimon.toutoune@gmail.com>
Cc: "Ludovic Courtès" <ludo@gnu.org>,
"Guix Devel" <guix-devel@gnu.org>,
"Marius Bakke" <marius@gnu.org>
Subject: Re: grafted package and CLI
Date: Sun, 17 Jul 2022 17:35:19 +0200 [thread overview]
Message-ID: <20220717153519.GA17917@LionPure> (raw)
In-Reply-To: <86wncooo5a.fsf@gmail.com>
Hi Simon,
On +2022-07-07 18:58:41 +0200, zimoun wrote:
> Hi,
>
> On Thu, 07 Jul 2022 at 17:09, Ludovic Courtès <ludo@gnu.org> wrote:
>
> > You mean hide with the ‘hidden?’ property?
>
> I do not know what I mean. ;-)
>
> The replacement could have an ’hidden?’ property or not being
> ’define-public’.
>
> > Good question. There’s probably little point in exposing the original
> > (replaced) version, so yes, hiding it makes sense I guess. Should we
> > just do that systematically?
>
> Well, we should follow the same strategy independently of the version
> bump. Systematically hide original (replaced) original version.
>
> Bah I do not know, what other think?
>
>
> Cheers,
> simon
>
"Other" here, reacting to word "hidden":
(equal? hidden some-trojan-horse-contents) :-)
I like "hidden" when it de-clutters my workflow, BUT:
Only when I know it comes with a simple toggle to a view
that reveals what is hidden, to any desired detail,
e.g., with a brief summary and a menu (a la info, with
Ctl-s searchability) to inspect potentially everything reachable.
Otherwise I worry about what's hidden :)
E.g., I'd like to be able to toggle into a first level inspection view
with some default info and a command line prompt where I could type
a repl CLI command like
reveal-vulns [OPTS]...
that by default starts in the current command line parsing environment,
and with a "-all" opt would show things like OTTOMH e.g., (not all vuln spots here)
* current execution context, e.g. pidparents defined as:
-----------cut here---------------start------------->8---
#!/usr/bin/bash
# ~/bin/pidparents
pid=${1:-$$} #this process if no pid specified as $1
while [ $(($pid)) -gt 0 ]; do
ps h -p $pid -o comm,tt,pid,stat,args
pid=$(ps -q $pid -o ppid=)
done
-----------cut here---------------end--------------->8---
* door to "systemctl status" etc if available
* OS kernel info -- uname -a and doors to details
* GPU info, other potential attack-via-DMA programmable devices
* CPU info, fully capable of secure hypervising of VMs? etc.
* BIOS type, current booting mode, etc, or info how to boot grub2 or
whatever tool on the current system to explore that.
* what is not built from guix cloned repo sources (substituted binaries, etc)
* what is trusted mirror list, with estimate of timeliness vs master sources
* what is invocable that uses setuid or setgid or sudo or su
* can a setgid video group invoker present me with a spoof screen?
* will a newly plugged in USB be accepted as a keyboard just because
it claims to be, without vetting by asking human and auth by serial?
- will keystrokes from it be injected into the current keyboard
input stream? (Insanely promiscuous legacy practice IMO)
* unusual ELF files (summary: how many exist,+ doors to detailed views)
* impure references in /gnu/... simple summaries, doors to full details
* status w.r.t. CVE announcements, (carefully, no tipoffs re exploitables)
* databases in use, SQL injection vulns?
* mystery daemons running?
* hardware error rates, trends
* ...
In short, I'd like reveal-vulns to give me a complete inventory
of my current vulnerablilities to a selectable detail level.
I know "complete" would be magic :)
I imagine there must be many attempted versions in existence.
Is there a guix package? (I confess not having searched ;/ )
--
Regards,
Bengt Richter
prev parent reply other threads:[~2022-07-17 15:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-05 0:07 grafted package and CLI zimoun
2022-07-07 8:00 ` Ludovic Courtès
2022-07-07 13:29 ` zimoun
2022-07-07 15:09 ` Ludovic Courtès
2022-07-07 16:58 ` zimoun
2022-07-17 15:35 ` bokr [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220717153519.GA17917@LionPure \
--to=bokr@bokr.com \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
--cc=marius@gnu.org \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).