From: Ricardo Wurmus
To: Mark H Weaver
Cc: guix-devel@gnu.org
Subject: Re: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
Date: Mon, 29 Mar 2021 14:43:20 +0200
Message-ID: <878s665dw7.fsf@elephly.net>
In-reply-to: <87zgymdi2n.fsf@netris.org>

Mark H Weaver writes:

> Earlier, I wrote:
>> One thing to be very careful about is to only use 'gtk-doc/stable',
>> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
>> moreover to make sure that no references to these */stable packages
>> remain in any package outputs.
>>
>> Of course, if any package retains references to its 'native-inputs',
>> that's always a bug, but I wouldn't be surprised if such bugs exist in
>> Guix. Such bugs might be relatively harmless now (except when
>> cross-compiling), but they could become a security bug if a package
>> retains a reference to 'imagemagick/stable'.
>
> It occurs to me that we will need some tooling to ensure that no
> references to these buggy "*/stable" packages end up in package outputs
> that users actually use. Otherwise, it is likely that sooner or later,
> a runtime reference to one of these buggy packages will sneak into our
> systems.

The gnu-build-system takes a keyword #:disallowed-references that could
be used here.

--
Ricardo
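As an added illustration of the #:disallowed-references mechanism mentioned in the reply (example code written for this page, not taken from the thread or from the Guix repository): a package definition that uses imagemagick/stable only as a native input and tells gnu-build-system to fail the build if any output still refers to it. The package name, source URL, hash and home page are constructed placeholders; imagemagick/stable is assumed to be exported from (gnu packages imagemagick) as the thread proposes.

```scheme
;; Added example, not code from the thread or from Guix itself.  The package
;; "example-docs", its source URL and its hash are constructed placeholders.
;; imagemagick/stable is assumed to be defined in (gnu packages imagemagick).
(define-module (example packages docs)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages imagemagick))

(define-public example-docs
  (package
    (name "example-docs")
    (version "1.0")
    (source (origin
              (method url-fetch)
              ;; Placeholder URL and hash; not a real release.
              (uri "https://example.org/example-docs-1.0.tar.gz")
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (arguments
     ;; imagemagick/stable is needed only at build time (e.g. to render the
     ;; figures of a manual).  If an installed file ends up embedding its
     ;; store path, say a script with a hard-coded path to `convert', the
     ;; daemon rejects the build instead of shipping a runtime reference to
     ;; a package that only receives the minimal "stable" fixes.
     `(#:disallowed-references (,imagemagick/stable)))
    (native-inputs
     `(("imagemagick" ,imagemagick/stable)))
    (home-page "https://example.org/")   ; placeholder
    (synopsis "Example package showing #:disallowed-references")
    (description
     "Constructed example showing how to forbid references to a
build-time-only input in a package's outputs.")
    (license license:gpl3+)))
```

The check runs on every rebuild of the package, so a regression introduced by an upstream update is caught at build time rather than after the output is already in use. For packages that do not yet carry the keyword, the same condition can be inspected after the fact with `guix gc --references` on the built store path and looking for an imagemagick entry in the list.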