From: Mark H Weaver
To: Maxime Devos, guix-devel@gnu.org
Subject: Re: [PATCHES] ImageMagick security updates without grafting
In-Reply-To: <9fb6ac4f0893446e3619d62395e035a446a9606f.camel@telenet.be>
References: <878s68zqsd.fsf@netris.org> <927d66ccc760afacdb88485c5158731458d52dd6.camel@telenet.be> <87k0psdu25.fsf@netris.org> <9fb6ac4f0893446e3619d62395e035a446a9606f.camel@telenet.be>
Date: Sun, 28 Mar 2021 17:37:54 -0400
Message-ID: <875z1bdkmq.fsf@netris.org>
Maxime Devos writes:

> On Sat, 2021-03-27 at 20:01 -0400, Mark H Weaver wrote:
>> [...]
>> Maxime wrote:
>> > What does ‘guix refresh --list-dependent imagemagick@6.9.11-48’
>> > output now?
>
>> When I last checked, it reported on the order of 2400 dependent package
>> rebuilds.
>
> I should have written imagemagick@6.9.12-4 here.

On my Guix system, after applying my recent patch set, "guix refresh -l imagemagick" (which refers to imagemagick@6.9.12-4) reports 603 dependent packages.

I see that, according to our guidelines, since this number is greater than 300, it implies that updates to 'imagemagick' should not be done on the 'master' branch.

On the other hand, for what it's worth, on my own GNOME system, the number of rebuilds from my patch set was quite minimal, and *far* less than the number of rebuilds that I usually need to do when updating my system to the latest 'master' after just a few days.

I should say that I'm fully in support of having guidelines like this to limit the number of rebuilds on 'master'. It's especially important to me since I never use substitutes, and build everything locally on my (rather old) Thinkpad X200.

That said, _number_ of dependent packages is not a good measure of what we should be trying to minimize.
I can build hundreds of 'python-*' packages in the time it takes to build a single package like 'webkitgtk' or 'icecat'.

A better measure might try to estimate the total amount of *build time* suffered by _all_ Guix users, as a result of updating a given package. That would depend on both (1) the estimated _time_ needed to build the dependent packages, and (2) the estimated number of users of those dependent packages, perhaps based on download statistics from our substitute servers.

>> > If there are many dependent packages, could some
>> > of them use imagemagick/stable, dblatex/stable or gtk-doc/stable
>> > as well?
>>
>> Yes, that's exactly the purpose of this patch set. Although at present,
>> the only user of 'imagemagick/stable' is 'dblatex/stable', and the only
>> user of 'dblatex/stable' is 'gtk-doc/stable'.
>
> You missed a few packages:
> in gnu/packages/mate.scm: search for "gtk-doc".
> Also, the (gnu packages imagemagick) import seems
> unused.

I did not attempt to comprehensively change all 'native-inputs' references of 'gtk-doc' to 'gtk-doc/stable'. I stopped when the number of rebuilds on my own GNOME system became quite minimal. That's why the summary line of commit 9dea1618755891526f708aa335b4136c1302d16e ends with the words "selected packages". However, I see now that we should continue working on this, at least until we can update 'imagemagick' on 'master' without violating our guidelines.

> Looking at the package graph, many packages depend on imagemagick
> through python-sphinx, so it may be worthwhile to define a
> python-sphinx/stable and use it instead of python-sphinx in the
> native-inputs.
>
> I suggest
> guix graph --type=reverse-package imagemagick@6.9.12-4 | dot -Tpdf > a.pdf
>
> to find out if there are more uses for imagemagick/stable.

That's a good idea. Would you like to work on it?
One thing to be very careful about is to only use 'gtk-doc/stable', 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and moreover to make sure that no references to these */stable packages remain in any package outputs.

Of course, if any package retains references to its 'native-inputs', that's always a bug, but I wouldn't be surprised if such bugs exist in Guix. Such bugs might be relatively harmless now (except when cross-compiling), but they could become a security bug if a package retains a reference to 'imagemagick/stable'.

On my own system and user profile, which includes GNOME, I'm glad to report that I have *no* references to 'imagemagick' at all, not even to its newest release, and that's my strong preference.

Regards,
Mark
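As an added illustration (not code from Guix or from anyone in this thread) of the weighted rebuild-cost metric Mark sketches above, the following computes both the bare dependent count that 'guix refresh -l' reports and an estimated total of build minutes borne by all users. The package graph, build times and user counts are constructed sample data; 'python-foo', 'python-bar' and 'python-baz' are hypothetical names.

```python
"""Rebuild-cost metric: bare dependent count vs. build time weighted by
users.  Added example with constructed data, not Guix measurements."""
from collections import deque

# Constructed edges: package -> packages it depends on (native-inputs).
DEPENDS_ON = {
    "dblatex/stable": ["imagemagick/stable"],
    "gtk-doc/stable": ["dblatex/stable"],
    "python-sphinx": ["imagemagick"],
    "python-foo": ["python-sphinx"],  # hypothetical small packages
    "python-bar": ["python-sphinx"],
    "python-baz": ["python-sphinx"],
    "gtk-doc": ["imagemagick"],       # hypothetical: still on new imagemagick
    "webkitgtk": ["gtk-doc"],
    "icecat": ["webkitgtk"],
}
# Constructed estimates: minutes to build, and number of users who fetch it.
BUILD_MINUTES = {"python-sphinx": 3, "python-foo": 1, "python-bar": 1,
                 "python-baz": 1, "gtk-doc": 5, "webkitgtk": 480,
                 "icecat": 240, "dblatex/stable": 4, "gtk-doc/stable": 5}
USERS = {"python-sphinx": 500, "python-foo": 50, "python-bar": 50,
         "python-baz": 50, "gtk-doc": 400, "webkitgtk": 2000,
         "icecat": 300, "dblatex/stable": 100, "gtk-doc/stable": 400}


def dependents(package, depends_on):
    """Transitive reverse closure: everything rebuilt when 'package' changes."""
    users_of = {}
    for pkg, inputs in depends_on.items():
        for dep in inputs:
            users_of.setdefault(dep, set()).add(pkg)
    seen, queue = set(), deque([package])
    while queue:
        for pkg in users_of.get(queue.popleft(), ()):
            if pkg not in seen:
                seen.add(pkg)
                queue.append(pkg)
    return seen


def rebuild_count(package, depends_on=DEPENDS_ON):
    """The bare count, which is what 'guix refresh -l' effectively reports."""
    return len(dependents(package, depends_on))


def rebuild_cost(package, depends_on=DEPENDS_ON, minutes=BUILD_MINUTES, users=USERS):
    """Estimated total build-minutes across all users: sum of time x users."""
    return sum(minutes[d] * users[d] for d in dependents(package, depends_on))
```

With this data the three 'python-*' packages are nearly half of the dependents of 'imagemagick' but contribute well under one percent of the weighted cost, which 'webkitgtk' and 'icecat' dominate.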