From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id CPqmM7ecUWBDdQAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 17 Mar 2021 06:07:51 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id gAJnL7ecUWCjQQAAbx9fmQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 17 Mar 2021 06:07:51 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 8117A8B6B
	for <larch@yhetil.org>; Wed, 17 Mar 2021 07:07:51 +0100 (CET)
Received: from localhost ([::1]:44914 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1lMPLS-0006zG-A2
	for larch@yhetil.org; Wed, 17 Mar 2021 02:07:50 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:60384)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lMPLF-0006zA-CG
 for guix-devel@gnu.org; Wed, 17 Mar 2021 02:07:37 -0400
Received: from mail.zaclys.net ([178.33.93.72]:44593)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lMPLC-0005L0-RO
 for guix-devel@gnu.org; Wed, 17 Mar 2021 02:07:36 -0400
Received: from [192.168.0.44] (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12H67WYg042949
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Wed, 17 Mar 2021 07:07:32 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12H67WYg042949
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1615961252;
 bh=o0KhfAjxPinNIiaje8JdQd7CD+x2CNRgdZm3FlJ9w7w=;
 h=Subject:From:To:Date:In-Reply-To:References:From;
 b=aCKBDtlG5BFe74NTbfcaDTBC3ULWya92ovKvNjWsF3fmrdpiQPf2az5Z0UuG5/OSM
 H4GG1pkqVAcK780ukI6fzxCjg30/FE/ilmJ8YPTlbgJHNDdPcA9TpWtbZza/jJ7ZW5
 lagSg44BcXgHyn1WwoEUfNKDW0TK3c2HtovyLeFM=
Message-ID: <9f737d23e85e11ae4810373b043dd9c78eb0b5ae.camel@zaclys.net>
Subject: Re: [opinion] CVE-patching is not sufficient for package security
 patching
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@zaclys.net>
To: Mark H Weaver <mhw@netris.org>, guix-devel@gnu.org
Date: Wed, 17 Mar 2021 07:07:31 +0100
In-Reply-To: <87v99qit39.fsf@netris.org>
References: <9b9a43a584e2dc70488482fce5931b46abd0e006.camel@zaclys.net>
 <87v99qit39.fsf@netris.org>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-+MCM/QLEKma99ig6k9pa"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1615961271;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=o0KhfAjxPinNIiaje8JdQd7CD+x2CNRgdZm3FlJ9w7w=;
	b=D62jVggpS/1FLdQXszfr2hY9rvy3FgDNAnDi4XI3/v4EC5I6Uy8nt6g4mzkIbzgkYMZy+H
	MvGs15Upt+RAs//E0Q8Cl6OlbEbV4pxUkPepN6NkfwZVHWZdqDkxVhScLAUSPhaX6xxC2f
	vtyituryGdDXOrRJb/zhxDu1yXDm2vr9ldU8RWAqtJpflWPrct78jom+kBnTgJ3ntrueUo
	zuN/J0pOS8cd12ghsLndnbGEBupilWMKsNPFkUOHWzhFR6DyTgRcM8wcKfwNYoyjg+Ck0A
	CeFon7DXRETIoJZBy0iCl1Lw1iw4gb539clNJ74C952XUydZJC7ABZ5GB5Qxcw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615961271; a=rsa-sha256; cv=none;
	b=feETNKiEoaTLdomSYitObKsByeDxc3BCnf/8vGrBxL/Qh/eyXosLIKLiCn7eVgHnIHKWlz
	5aKsM4UqT0N0NTUyRfOf/g1Ncvwzw6ZuCQdyGejdQG0X+mwT8Xg6YtbX3gOauG+G0V8ViD
	7s2is/s/+3dJTgp3q6nR8M19PnBAquF2txrf75vIRQXR8/DuAVP0FqPwEcVPx+OeKbXN1j
	aIul5B/zty0NxXWwVaVaGAqd2SM1eZrabXB3JFhQozJ1BiFdSvgvZHhZkijX/3724/BzWH
	VLBS5fYRpCM9G9RcnhX4WQaq3liUpHxzkQy9ZJN8MsUV8DVNc+fsrfVz8jjuFA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=zaclys.net header.s=default header.b=aCKBDtlG;
	dmarc=pass (policy=reject) header.from=zaclys.net;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Spam-Score: -5.20
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=zaclys.net header.s=default header.b=aCKBDtlG;
	dmarc=pass (policy=reject) header.from=zaclys.net;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: 8117A8B6B
X-Spam-Score: -5.20
X-Migadu-Scanner: scn0.migadu.com
X-TUID: B5gQlZApFWN0


--=-+MCM/QLEKma99ig6k9pa
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2021-03-16 at 19:19 -0400, Mark H Weaver wrote:
> That said, I strongly disagree that we should "never backport patches
> ourselves in most cases".  The only way to do that, while addressing
> security flaws, would be to promptly update even our lowest-level
> libraries in response to CVEs, of which there is a steady stream.

Fortunately I think that lots of these core package upstreams also have
good CVE-issuance practices. For the Glib care in particular, I think
they are good, I consider acceptable to backport patches, everyone is
doing it, upstream is cooperative and works towards that same goal.

To everyone else in general, I understand we have to ship a working
system, and I want that too, that's why I said we should "strive" to,
but it doesnt mean we should break things, of course. By that I mean
that we shouldnt leave packages unmaintained without updates for too
long even without CVEs or other security notices issued. At some point,
if a package is of no use, no users show up and it's painful to update,
we should also consider removing the package or archiving it in a third
party channel we could create like "guix-archive", "guix-ugly" or
"guix-love-me-please".

L=C3=A9o

--=-+MCM/QLEKma99ig6k9pa
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBRnKMACgkQRaix6GvN
EKbgbA//ZntlBg4G5AS3vkYFAHI7kO2AoJhWmJzILuj211JQWpQnuw8fmQbrBaMV
2ILJNcFe47GisvkW27o0eYLmjfWLEVJJW3MVDAO4nqFFjGvYW8gta+xQwa3Gw9Oj
klNBoCSu70zT4hN7xAe56WWhyNFKcmbmv4tozMR3bDYWGGXVyk17TOye21JYTul8
kR7/lj0V1jcc8wpUARCA66gLUP4CNcBh3wKNg6XlaYmQKRT3P3AsllStv3l83y1+
Lm1nfD9otXElIk5JepzVhXREjXhrILk/2JN4ofKd0X7QZeVYBBJA81t6dT9fRC6H
GmSIBZjkb8VRC/Bw+1b15NFSTFDg5a4Bvc4FrlbnYZ8PjuSB8SWeeXxVuQD6pv1f
qIP8+oJpyl4KiLcbaHLe0XNn4Ot6HKeqfvMcIn8jXnJoYxnalC6R1wcE8wCqogQp
UBS5vmT9XKUmq2clQk3CjCtNqdSGWFOtY5I3mrSwg41KctG603vFvTAtKEgeZPov
krU7yuA8JHF/+ZhgWj2BU3/tISR/Hm45NpxbKu2qXplEguy1a+kUkag//ohPD9hj
WT3U7e/6fmsb+a2N59TWAMom+oN1faCionoeSFHBPrsDesW6Cig2KsvnULARgBgM
DHYi+mY7lp7IGsrhw7ohYAfIweB/5BNfsORBkcuoTneAhj5amsU=
=hg3d
-----END PGP SIGNATURE-----

--=-+MCM/QLEKma99ig6k9pa--