IMPORTANT: glibc security update

IMPORTANT: glibc security update

[Mark H Weaver]

Hello Guix!

I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
has not fully rebuilt it.  I directed Hydra to build the most popular
packages first, and with greater effort devoted to x86_64, so my hope is
that most of what typical desktop users need is already built on x86_64.
Still, it is likely that you'll need to compile some things locally.

i686 is not as fully built, so users will probably need to do some more
compiling, but hopefully it is manageable.  I was able to fully update
my Xfce desktop system on i686 anyway.

As I write this, the rebuilds of armhf and mips64el are considerably
less advanced, so be prepared for a significant amount of local
recompilation.

We'll prioritize getting grafts working properly soon, so that we can
deploy security updates to core libraries much more quickly in the
future.

     Thanks,
       Mark

Re: IMPORTANT: glibc security update

[Christopher Allan Webber]

Mark H Weaver writes:

> Hello Guix!
>
> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
> has not fully rebuilt it.  I directed Hydra to build the most popular
> packages first, and with greater effort devoted to x86_64, so my hope is
> that most of what typical desktop users need is already built on x86_64.
> Still, it is likely that you'll need to compile some things locally.
>
> i686 is not as fully built, so users will probably need to do some more
> compiling, but hopefully it is manageable.  I was able to fully update
> my Xfce desktop system on i686 anyway.
>
> As I write this, the rebuilds of armhf and mips64el are considerably
> less advanced, so be prepared for a significant amount of local
> recompilation.

Thank you Mark, and everyone who works on getting Hydra in order so we
can be safe.  We really appreciate your hard work!

> We'll prioritize getting grafts working properly soon, so that we can
> deploy security updates to core libraries much more quickly in the
> future.

Yay!

Re: IMPORTANT: glibc security update

[Leo Famulari]

On Fri, Feb 19, 2016 at 08:33:07AM -0500, Mark H Weaver wrote:
> Hello Guix!
> 
> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
> has not fully rebuilt it.  I directed Hydra to build the most popular
> packages first, and with greater effort devoted to x86_64, so my hope is
> that most of what typical desktop users need is already built on x86_64.
> Still, it is likely that you'll need to compile some things locally.

At least two users on #guix (including me) have found that `guix pull`
is not fetching the latest snapshot. That is, the downloaded snapshot
is of some commit before the CVE-2015-7547 patch was applied.

Can you take a look?

> 
> i686 is not as fully built, so users will probably need to do some more
> compiling, but hopefully it is manageable.  I was able to fully update
> my Xfce desktop system on i686 anyway.
> 
> As I write this, the rebuilds of armhf and mips64el are considerably
> less advanced, so be prepared for a significant amount of local
> recompilation.
> 
> We'll prioritize getting grafts working properly soon, so that we can
> deploy security updates to core libraries much more quickly in the
> future.
> 
>      Thanks,
>        Mark
> 

Re: IMPORTANT: glibc security update

[Mark H Weaver]

Leo Famulari <leo@famulari.name> writes:

> On Fri, Feb 19, 2016 at 08:33:07AM -0500, Mark H Weaver wrote:
>> Hello Guix!
>> 
>> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
>> has not fully rebuilt it.  I directed Hydra to build the most popular
>> packages first, and with greater effort devoted to x86_64, so my hope is
>> that most of what typical desktop users need is already built on x86_64.
>> Still, it is likely that you'll need to compile some things locally.
>
> At least two users on #guix (including me) have found that `guix pull`
> is not fetching the latest snapshot. That is, the downloaded snapshot
> is of some commit before the CVE-2015-7547 patch was applied.
>
> Can you take a look?

Indeed, you are right.  The problem is that, by default, "guix pull"
downloads the latest source from:

  http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz

and unfortunately, something is currently broken on Savannah, and that
snapshot is stuck on the commit before the glibc security update :-(

Until that's fixed, here's a workaround:

--8<---------------cut here---------------start------------->8---
$ git clone --depth 1 git://git.sv.gnu.org/guix.git master
Cloning into 'master'...
[...]
$ rm -rf master/.git
$ tar czf master.tar.gz master --sort=name --mtime=@0 --{owner,group}=root:0
$ guix pull --url=master.tar.gz
--8<---------------cut here---------------end--------------->8---

      Mark

Re: IMPORTANT: glibc security update

[Ludovic Courtès]

Mark H Weaver <mhw@netris.org> skribis:

> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
> has not fully rebuilt it.  I directed Hydra to build the most popular
> packages first, and with greater effort devoted to x86_64, so my hope is
> that most of what typical desktop users need is already built on x86_64.
> Still, it is likely that you'll need to compile some things locally.

Thanks, Mark!

Ludo’.

Re: IMPORTANT: glibc security update

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> At least two users on #guix (including me) have found that `guix pull`
>> is not fetching the latest snapshot. That is, the downloaded snapshot
>> is of some commit before the CVE-2015-7547 patch was applied.
>>
>> Can you take a look?
>
> Indeed, you are right.  The problem is that, by default, "guix pull"
> downloads the latest source from:
>
>   http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
>
> and unfortunately, something is currently broken on Savannah, and that
> snapshot is stuck on the commit before the glibc security update :-(

It appears that this problem is now fixed, so the workaround should no
longer be needed.

     Mark