From: Mark H Weaver
To: Léo Le Bouter, guix-devel@gnu.org
Subject: Re: GNOME 3.34 in GNU Guix and security
In-Reply-To: <4720e347b48bd6ca4710b461cadecf0b65aa6442.camel@zaclys.net>
References: <4720e347b48bd6ca4710b461cadecf0b65aa6442.camel@zaclys.net>
Date: Thu, 11 Mar 2021 03:18:17 -0500
Message-ID: <87lfaugl23.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Léo,

I appreciate your recent work on Guix security.  Thank you for that.

Léo Le Bouter writes:

> I must come to the conclusion that using GNOME 3.34 in GNU Guix right
> now is just straight out insecure. I would advise we either, get rid of
> GNOME, backport all individual security patches (they can be
> numerous..), or upgrade GNOME to latest and keep up over time.

Can you please substantiate this?  What vulnerabilities do you know of,
and what makes you think that we can't address them adequately in the
usual ways, without "upgrading GNOME to [the] latest"?

I saw your bug report about our Glib being vulnerable to CVE-2021-27218
and CVE-2021-27219.  Thanks very much for bringing that to our attention.

> I don't think we can afford to spend time backporting security fixes to
> the numerous GNOME packages with CVEs, not with current resources, it
> is time-consuming.

I'll backport the fixes to our version of Glib.  It will actually be
quite easy, given that Ubuntu has already published backports of the
fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
(2.62.6).  I just looked at the diffs between those two patch sets, and
the differences are quite slight, apart from line number differences.

Besides CVE-2021-{27218,27219}, do you know of other known security
issues that would justify your claim that "using GNOME 3.34 in GNU Guix
right now is just straight out insecure"?

     Thanks,
       Mark
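The message above compares two vendor backports of the same fix and observes that they differ only in line numbers. The script below is an added example, not part of the thread and not Guix's own tooling: it normalizes two unified diffs by dropping the parts that legitimately differ between backports to different upstream versions (hunk line numbers and git `index` lines) and then checks whether the remaining content is identical, so a reviewer sees only real differences. The patch contents and file names in it are constructed for illustration and do not reproduce the real Glib fixes.

```shell
#!/bin/sh
# Added example: compare two backports of the same fix, ignoring the
# hunk offsets and blob ids that naturally differ between versions.
# All patch files below are constructed samples, not real Glib patches.

# Strip the version-dependent parts of a unified diff:
#   - the numbers in hunk headers "@@ -L,N +L,N @@ context"
#   - "index <old>..<new>" lines emitted by git
normalize_patch() {
    sed -e 's/^@@ -[0-9,]* +[0-9,]* @@/@@/' \
        -e '/^index [0-9a-f]*\.\.[0-9a-f]*/d' "$1"
}

# Exit 0 when the two patches are the same after normalization, 1 otherwise.
patches_equivalent() {
    if [ "$(normalize_patch "$1")" = "$(normalize_patch "$2")" ]; then
        return 0
    else
        return 1
    fi
}

# Show only the content-level differences between two backports
# (exit status is diff's: 0 identical, 1 different).
patch_content_diff() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp)
    normalize_patch "$1" > "$tmp_a"
    normalize_patch "$2" > "$tmp_b"
    diff -u "$tmp_a" "$tmp_b"
    status=$?
    rm -f "$tmp_a" "$tmp_b"
    return $status
}

# --- constructed sample inputs -------------------------------------------
WORK=$(mktemp -d)

# Backport A: fix applied at one offset in a hypothetical file.
cat > "$WORK/backport-A.patch" <<'EOF'
--- a/src/example.c
+++ b/src/example.c
@@ -100,4 +100,7 @@ example_function (void)
   gsize len = read_length (input);
+  if (len == 0)
+    return FALSE;
+
   process (buf, len);
   return TRUE;
 }
EOF

# Backport B: identical change, different offset and a git index line.
cat > "$WORK/backport-B.patch" <<'EOF'
index 1111111..2222222 100644
--- a/src/example.c
+++ b/src/example.c
@@ -118,4 +118,7 @@ example_function (void)
   gsize len = read_length (input);
+  if (len == 0)
+    return FALSE;
+
   process (buf, len);
   return TRUE;
 }
EOF

# Backport C: a genuinely different change (returns TRUE on the error path).
cat > "$WORK/backport-C.patch" <<'EOF'
--- a/src/example.c
+++ b/src/example.c
@@ -118,4 +118,7 @@ example_function (void)
   gsize len = read_length (input);
+  if (len == 0)
+    return TRUE;
+
   process (buf, len);
   return TRUE;
 }
EOF

if patches_equivalent "$WORK/backport-A.patch" "$WORK/backport-B.patch"; then
    echo "A and B differ only in line numbers / blob ids"
fi
if ! patches_equivalent "$WORK/backport-A.patch" "$WORK/backport-C.patch"; then
    echo "A and C differ in content:"
    patch_content_diff "$WORK/backport-A.patch" "$WORK/backport-C.patch" || true
fi
```

When reviewing real backports, `interdiff` from patchutils does a more thorough job of the same comparison; the point of the normalization step here is that a backport which only rebases hunk offsets carries no new code to audit, while any surviving difference is exactly what needs a second look before the patch is applied to the version in between.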