From: ludo@gnu.org (Ludovic Courtès)
To: Vincent Legoll <vincent.legoll@gmail.com>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: GnuTLS security update
Date: Sun, 11 Sep 2016 22:45:12 +0200 [thread overview]
Message-ID: <874m5mjhd3.fsf@gnu.org> (raw)
In-Reply-To: <CAEwRq=qLgtBJBZEdvuMjAQML4-ZB_-G6rf+rX5DUbKcJ6E-H7A@mail.gmail.com> (Vincent Legoll's message of "Sun, 11 Sep 2016 18:08:27 +0200")
Vincent Legoll <vincent.legoll@gmail.com> skribis:
> On Sun, Sep 11, 2016 at 5:41 PM, Leo Famulari <leo@famulari.name> wrote:
>> There is a GnuTLS security advisory [0] regarding "an issue that affects
>> validation of certificates using OCSP responses, which can falsely
>> report a certificate as valid under certain circumstances."
>>
>> I updated GnuTLS on core-updates to 3.5.4, the latest release of the 3.5
>> series.
>>
>> For master, the naive approach of cherry-picking the patch [1] did not
>> work; the test 'system-prio-file' fails consistently with that change. I
>> could instead try grafting the updated version.
>>
>> What do you think? The authors seem to think it's a relatively minor
>> issue [2], since exploiting it requires an attacker to compromise the
>> certificate authority.
>
> Side questions (just for my curiosity's sake):
>
> - What does it cost (manpower, hydra build time, etc...) approximatively
> to do a new release ?
Many packages would need to be rebuilt:
--8<---------------cut here---------------start------------->8---
$ guix refresh -l gnutls
Building the following 527 packages would ensure 1169 dependent packages are rebuilt:
[...]
--8<---------------cut here---------------end--------------->8---
> - Is it sufficiently automated ?
Yes:
--8<---------------cut here---------------start------------->8---
$ guix refresh gnutls
/home/ludo/.config/guix/latest/gnu/packages/tls.scm:140:13: gnutls would be upgraded from 3.5.2 to 3.5.4
--8<---------------cut here---------------end--------------->8---
> - Can we help ?
Always! ;-)
The question is such situations is just how to deploy the fix as fast as
possible, which means avoiding a situation that would lead users to
rebuild or redownload massive amounts of software just to get the
upgrade. Grafts make it faster.
Ludo’.
next prev parent reply other threads:[~2016-09-11 20:45 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-11 15:41 GnuTLS security update Leo Famulari
2016-09-11 16:08 ` Vincent Legoll
2016-09-11 20:45 ` Ludovic Courtès [this message]
2016-09-11 20:54 ` Ludovic Courtès
2016-09-12 1:53 ` Leo Famulari
2016-09-12 3:28 ` Leo Famulari
2016-09-12 12:56 ` Ludovic Courtès
2016-09-12 16:34 ` Leo Famulari
2016-10-14 21:37 ` bug#24418: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874m5mjhd3.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=vincent.legoll@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).