* openssh vulnerability
@ 2018-10-17 1:20 Christopher Lemmer Webber
2018-10-17 4:47 ` Mike Gerwitz
0 siblings, 1 reply; 7+ messages in thread
From: Christopher Lemmer Webber @ 2018-10-17 1:20 UTC (permalink / raw)
To: Guix-devel
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
seems serious?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: openssh vulnerability
2018-10-17 1:20 openssh vulnerability Christopher Lemmer Webber
@ 2018-10-17 4:47 ` Mike Gerwitz
2018-10-17 5:42 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Mike Gerwitz @ 2018-10-17 4:47 UTC (permalink / raw)
To: Christopher Lemmer Webber; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 425 bytes --]
On Tue, Oct 16, 2018 at 21:20:30 -0400, Christopher Lemmer Webber wrote:
> https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
>
> seems serious?
Very... Fortunately that's libssh and not OpenSSH[0], but with that said,
it does appear to be packaged in Guix and there are a couple packages
that use it.
[0]: You had me very worried from your subject line!
--
Mike Gerwitz
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: openssh vulnerability
2018-10-17 4:47 ` Mike Gerwitz
@ 2018-10-17 5:42 ` Leo Famulari
2018-10-17 13:15 ` Christopher Lemmer Webber
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2018-10-17 5:42 UTC (permalink / raw)
To: Mike Gerwitz; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 466 bytes --]
On Wed, Oct 17, 2018 at 12:47:26AM -0400, Mike Gerwitz wrote:
> On Tue, Oct 16, 2018 at 21:20:30 -0400, Christopher Lemmer Webber wrote:
> > https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
> >
> > seems serious?
>
> Very... Fortunately that's libssh and not OpenSSH[0], but with that said,
> it does appear to be packaged in Guix and there are a couple packages
> that use it.
Patch at <https://bugs.gnu.org/33067>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: openssh vulnerability
2018-10-17 5:42 ` Leo Famulari
@ 2018-10-17 13:15 ` Christopher Lemmer Webber
2018-10-20 20:17 ` Chris Marusich
0 siblings, 1 reply; 7+ messages in thread
From: Christopher Lemmer Webber @ 2018-10-17 13:15 UTC (permalink / raw)
To: Leo Famulari; +Cc: Guix-devel
Leo Famulari writes:
> On Wed, Oct 17, 2018 at 12:47:26AM -0400, Mike Gerwitz wrote:
>> On Tue, Oct 16, 2018 at 21:20:30 -0400, Christopher Lemmer Webber wrote:
>> > https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
>> >
>> > seems serious?
>>
>> Very... Fortunately that's libssh and not OpenSSH[0], but with that said,
>> it does appear to be packaged in Guix and there are a couple packages
>> that use it.
Ha, sorry for the scare.
> Patch at <https://bugs.gnu.org/33067>
Yay, thanks Leo!
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: openssh vulnerability
2018-10-17 13:15 ` Christopher Lemmer Webber
@ 2018-10-20 20:17 ` Chris Marusich
2018-10-21 19:19 ` libssh vulnerability Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Chris Marusich @ 2018-10-20 20:17 UTC (permalink / raw)
To: Christopher Lemmer Webber; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 1250 bytes --]
Christopher Lemmer Webber <cwebber@dustycloud.org> writes:
> Leo Famulari writes:
>
>> [...]
>>
>> Patch at <https://bugs.gnu.org/33067>
>
> Yay, thanks Leo!
Thank you for the fix! It looks like this change
(eed00f93e8999712191e39c59c15e23461520f43) went to master:
--8<---------------cut here---------------start------------->8---
$ git branch -a --contains eed00f93e8999712191e39c59c15e23461520f43
* (HEAD detached at 7d1f21c69)
master
remotes/origin/HEAD -> origin/master
remotes/origin/master
remotes/origin/wip-next-browser3
--8<---------------cut here---------------end--------------->8---
Will this change trigger many rebuilds? It has many dependents:
--8<---------------cut here---------------start------------->8---
$ guix refresh -l libssh2
Building the following 1321 packages would ensure 3307 dependent
packages are rebuilt: [...]
--8<---------------cut here---------------end--------------->8---
I looked into this email thread mainly because I was curious to see how
we would apply the security update. I thought we would use grafts
somehow, but this looks like we just changed the package definition on
master, which will result in more rebuilds than usual - right?
--
Chris
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* libssh vulnerability
2018-10-20 20:17 ` Chris Marusich
@ 2018-10-21 19:19 ` Leo Famulari
2018-10-21 20:14 ` Chris Marusich
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2018-10-21 19:19 UTC (permalink / raw)
To: Chris Marusich; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 1080 bytes --]
On Sat, Oct 20, 2018 at 01:17:48PM -0700, Chris Marusich wrote:
> Will this change trigger many rebuilds? It has many dependents:
>
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l libssh2
> Building the following 1321 packages would ensure 3307 dependent
> packages are rebuilt: [...]
> --8<---------------cut here---------------end--------------->8---
It's true that libssh2 has too many dependents to update without a
graft. However, libssh, which is what was changed, only has a handful of
dependents, which is convenient for us :)
------
$ guix refresh -l libssh
Building the following 9 packages would ensure 12 dependent packages are rebuilt: kodi@18.0_alpha-8.ec16dbc wireshark@2.6.4 guile2.0-guix@0.15.0-5.1d0be47 cuirass@0.0.1-20.fe2b73c emacs-guix@0.5 gwl@0.1.1 hpcguix-web@0.0.1-3.53e09ea guile2.2-ssh@0.11.3 tmate@2.2.1
------
It's confusing, but libssh and libssh2 are totally separate projects.
And for the record, they are also not related to OpenSSH, which is the
one we all know and use directly.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: libssh vulnerability
2018-10-21 19:19 ` libssh vulnerability Leo Famulari
@ 2018-10-21 20:14 ` Chris Marusich
0 siblings, 0 replies; 7+ messages in thread
From: Chris Marusich @ 2018-10-21 20:14 UTC (permalink / raw)
To: Leo Famulari; +Cc: Guix-devel
[-- Attachment #1: Type: text/plain, Size: 355 bytes --]
Leo Famulari <leo@famulari.name> writes:
> It's true that libssh2 has too many dependents to update without a
> graft. However, libssh, which is what was changed, only has a handful of
> dependents, which is convenient for us :)
Oh, I see - I was confused and incorrectly thought you had updated
libssh2. Sorry for the confusion!
--
Chris
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-10-21 20:14 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-17 1:20 openssh vulnerability Christopher Lemmer Webber
2018-10-17 4:47 ` Mike Gerwitz
2018-10-17 5:42 ` Leo Famulari
2018-10-17 13:15 ` Christopher Lemmer Webber
2018-10-20 20:17 ` Chris Marusich
2018-10-21 19:19 ` libssh vulnerability Leo Famulari
2018-10-21 20:14 ` Chris Marusich
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).