From: Christopher Baines
To: Léo Le Bouter
Cc: guix-devel@gnu.org
Subject: Re: Security patching and the branching workflow: a new security-updates branch
Date: Sat, 27 Mar 2021 08:56:03 +0000
Message-ID: <87blb59dr0.fsf@cbaines.net>
In-Reply-To: <2860899294934b02fba39e41043c88c5c5068098.camel@zaclys.net>
Léo Le Bouter writes:

> On Fri, 2021-03-26 at 22:13 +0000, Christopher Baines wrote:
>> Can you clarify what specific problem or problems you're proposing
>> this security-updates branch to address?
>
> Substitute availability of security updates when they are released,
> without causing big rebuilds on master for users before the build farm
> had time to produce substitutes.

Ok.

>> You mention applying and backporting patches is lots of work, and
>> uncertainty around whether grafts work in particular situations.
>
> Also that sometimes backporting is just not possible because security
> fixes are not properly labeled upstream as security-relevant and manual
> review of each and every commit is just not viable.
>
>> Personally I think staging and core-updates are quite a bit of work,
>> and adding more complexity to the process involves more work in my
>> mind. Additionally, this isn't going to provide more information about
>> areas where grafts can't be used (if those exist).
>
> I understand. There's a lot of uncertainty on how grafts work exactly
> for me and in what situations they work and what situations they do not.
> The only way I am certain some security fix is correctly applied in GNU
> Guix is when the vulnerable version of the package is not packaged at
> all anymore in GNU Guix.
>
>> Now the software involved is getting better at rapidly building things
>> for substitutes, personally I see a way forward through trying to
>> measure and potentially increase the rate of change for outputs in
>> general. Going faster also involves more work probably, but in terms of
>> the process, that might just mean that updates to more packages can be
>> merged to master directly, without sitting on a non-master branch.
>
> I would like this, merging things to master directly when we feel it is
> the right thing would be what I would like to do. Even if it causes big
> world rebuilds, when we can't graft.
>
> There's another thing I saw that was ongoing but can't remember where,
> that 'guix pull' could hold off updating to newer revisions unless
> substitutes are available.

I think approaching the substitute availability problem this way, and
supporting users delaying updates if they want to is the way to go, at
least to avoid process on the side of making changes.
I'm hoping things will get better through a combination of these factors:

- Measuring the "churn" in Guix, which will hopefully allow for
  intentionally increasing this
- Keeping packages more up to date generally
- Allowing users to choose whether they want the latest packages, or want
  to avoid building things (this means important security updates that
  cause rebuilds can be merged to master)