From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mark H Weaver
Subject: Re: store reference detection (was Re: JARs and reference scanning)
Date: Fri, 12 May 2017 17:51:36 -0400
Message-ID: <871srthhg7.fsf@netris.org>
References: <87a876pwaq.fsf@gmail.com> <8760hr7mwl.fsf@gmail.com> <20170426.135333.1620868924745053745.post@thomasdanckaert.be> <87fugu6jzg.fsf@gnu.org> <59022E86.1020709@crazy-compilers.com> <8760hjig4r.fsf@gnu.org> <590F179B.4060306@crazy-compilers.com> <87shkafvhu.fsf@netris.org> <87o9uyv665.fsf@gmail.com> <87inl6ht4p.fsf@netris.org> <591612F8.40408@crazy-compilers.com>
Mime-Version: 1.0
Content-Type: text/plain
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59031) by lists.gnu.org with esmtp (Exim 4.71) id 1d9ITY-0002os-V5 for guix-devel@gnu.org; Fri, 12 May 2017 17:51:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) id 1d9ITU-0005uT-V4 for guix-devel@gnu.org; Fri, 12 May 2017 17:51:52 -0400
Received: from world.peace.net ([50.252.239.5]:39173) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) id 1d9ITU-0005sq-Qh for guix-devel@gnu.org; Fri, 12 May 2017 17:51:48 -0400
In-Reply-To: <591612F8.40408@crazy-compilers.com> (Hartmut Goebel's message of "Fri, 12 May 2017 21:54:32 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: Hartmut Goebel
Cc: guix-devel@gnu.org

Hartmut Goebel writes:

> On 12.05.2017 at 19:39, Mark H Weaver wrote:
>> It would not interfere, but it could have the effect of *hiding*
>> security problems due to a failure to graft properly.
>> [...]
>> If we create a redundant set of references in another file, then
>> problems like this could go undetected for a long time.
>
> Reading your comments (and words like "hidden"), I assume you are
> referring to some compressed or otherwise unreadable data.
>
> Please don't confuse this: We are *not* talking about compressed
> files, but about plain text (or stored uncompressed within e.g. a
> zip-file).

Apologies if I've misunderstood. Earlier, you wrote:

> So I propose to add a small text file ".guix-dependencies' to all
> language's packages which do not add some kind of references
> themselves: Python, Perl, Java, etc.

What's the motivation for this proposal, if not to allow the scanner to
see references that would otherwise be obfuscated?

      Mark