From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christopher Allan Webber Subject: Re: OpenSSL =?utf-8?B?4oCcRFJPV07igJ0=?= vulnerability & grafts Date: Tue, 01 Mar 2016 13:50:14 -0800 Message-ID: <87twkpswa1.fsf@dustycloud.org> References: <87twkpnbk0.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:38488) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aasBN-0005Ij-P5 for guix-devel@gnu.org; Tue, 01 Mar 2016 16:50:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aasBM-0003R4-PM for guix-devel@gnu.org; Tue, 01 Mar 2016 16:50:17 -0500 In-reply-to: <87twkpnbk0.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: Ludovic =?utf-8?Q?Court=C3=A8s?= Cc: guix-devel Ludovic Court=C3=A8s writes: > Hello! > > OpenSSL 1.0.2g was released today, fixing several serious security > vulnerabilities, several of which are referred to as =E2=80=9CDROWN=E2=80= =9D (as has > become security-marketing tradition.) > > This gave a good incentive to fix the =E2=80=9Cgrafting=E2=80=9D mechan= ism described at: > > https://www.gnu.org/software/guix/manual/html_node/Security-Updates.h= tml > > The problem was that until now, grafting was not recursive: > . This is fixed in c22a132, so we =E2=80=9C= rushed=E2=80=9D > to use it in =E2=80=98master=E2=80=99 for the OpenSSL upgrade, which is= done in caeadfd. > > So now is the time to find out how well the new implementation scales > and to address any limitations. :-) > > A potentially disturbing thing with the new code is that it starts > building/downloading things early, typically before it has written =E2=80= =9CThe > following derivations will be built=E2=80=9D; see > . > > A limitation of the current implementation is that the replacement > package must have exactly the same name and version as the package bein= g > replaced. So OpenSSL 1.0.2g shows up as /gnu/store/=E2=80=A6-openssl-1= .0.2f. > > The store file name of the old OpenSSL is given by: > > guix build openssl --no-grafts > > =E2=80=A6 and the new one is given by: > > guix build openssl > > For example, to verify which OpenSSL(s) your whole profile refers to, > you can run: > > guix gc -R $(readlink -f ~/.guix-profile) | grep openssl > > and check the store file names that you get (make sure to turn off > guix-prettify-mode :-)). Likewise for a GuixSD generation: > > guix gc -R $(guix system build config.scm) | grep openssl > > And for running processes: > > lsof | grep /gnu/store/.*openssl > > Seems like this tricks could go in the manual under =E2=80=9CSecurity U= pdates=E2=80=9D > no? > > Feedback welcome! > > Ludo=E2=80=99. Just wanted to repeat a *HUGE* congratulations and thank you on landing this feature! So necessary!