From: Mark H Weaver
To: Maxime Devos, guix-devel@gnu.org
Subject: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
In-Reply-To: <875z1bdkmq.fsf@netris.org>
Date: Sun, 28 Mar 2021 18:33:09 -0400
Message-ID: <87zgymdi2n.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

Earlier, I wrote:

> One thing to be very careful about is to only use 'gtk-doc/stable',
> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
> moreover to make sure that no references to these */stable packages
> remain in any package outputs.
>
> Of course, if any package retains references to its 'native-inputs',
> that's always a bug, but I wouldn't be surprised if such bugs exist in
> Guix. Such bugs might be relatively harmless now (except when
> cross-compiling), but they could become a security bug if a package
> retains a reference to 'imagemagick/stable'.

It occurs to me that we will need some tooling to ensure that no references to these buggy "*/stable" packages end up in package outputs that users actually use. Otherwise, it is likely that sooner or later, a runtime reference to one of these buggy packages will sneak into our systems.

An initial idea is that these "*/stable" packages could have a package property (perhaps named something like 'build-time-only') that indicates that references to its outputs should not occur within the outputs of any other package that does not have that same property.

We'd also need to somehow ensure that users don't install these 'build-time-only' packages directly, at least not without an additional option (e.g. --force-unsafe-build-time-only) to override it.
Additionally, it might be good to issue warnings if 'build-time-only' packages are not hidden, or if they are found within the 'inputs' or 'propagated-inputs' fields of any package that's not also 'build-time-only'. Both of these last two checks have loopholes, however, so they are not reliable indicators.

Thoughts? Other proposals?

Regards,
Mark
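The output-reference check at the heart of the proposal, sketched as an added Python example (not Guix code): a package whose properties lack 'build-time-only' fails the check if any of its built outputs contains the hash part of a store item belonging to a 'build-time-only' package, which is the same hash-scanning idea the store uses to find runtime references. It assumes the store path layout /gnu/store/<hash>-<name>; the output tree and the imagemagick/stable store path are constructed placeholders.

```python
import os, re, tempfile

# Guix store paths look like /gnu/store/<32-char hash>-<name>; an output
# "references" a store item when that hash appears in any of its files.
STORE_RE = re.compile(r"/gnu/store/([0-9a-z]{32})-")

def scan_references(output_dir, candidates):
    """Return the candidate store paths (must be /gnu/store paths) whose hash
    occurs in any regular file or symlink target under output_dir."""
    wanted = {STORE_RE.match(p).group(1).encode(): p for p in candidates}
    found = set()
    for root, _, files in os.walk(output_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                data = os.readlink(path).encode()
            else:
                with open(path, "rb") as fh:
                    data = fh.read()  # binary scan, so ELF and scripts alike
            found.update(p for h, p in wanted.items() if h in data)
    return found

def check_build_time_only(pkg, built_dirs, all_pkgs):
    """The proposed rule: outputs of a package lacking the 'build-time-only'
    property must not reference outputs of any package carrying it.
    Returns the offending store paths (empty list means clean)."""
    if pkg["properties"].get("build-time-only"):
        return []  # build-time-only packages may reference one another
    restricted = [o for p in all_pkgs
                  if p["properties"].get("build-time-only") for o in p["outputs"]]
    return sorted(r for d in built_dirs for r in scan_references(d, restricted))

def demo(leak=True):
    """Constructed scenario: 'imagemagick/stable' is build-time-only and a
    consumer's output keeps (leak=True) a wrapper script calling its convert."""
    im_stable = {"name": "imagemagick/stable",
                 "outputs": ["/gnu/store/abcdfghijklmnpqrsvwxyz0123456789-imagemagick-X.Y.Z"],
                 "properties": {"build-time-only": True}}
    consumer = {"name": "some-doc-tool", "outputs": [], "properties": {}}
    out = tempfile.mkdtemp(prefix="guix-out-")  # stands in for a built output
    os.makedirs(os.path.join(out, "bin"))
    target = im_stable["outputs"][0] + "/bin/convert" if leak else "convert"
    with open(os.path.join(out, "bin", "render"), "w") as fh:
        fh.write("#!/bin/sh\nexec %s \"$@\"\n" % target)
    return check_build_time_only(consumer, [out], [im_stable, consumer])

if __name__ == "__main__":
    print(demo())  # lists the leaked reference to imagemagick/stable
```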