From mboxrd@z Thu Jan 1 00:00:00 1970 From: rain1@openmailbox.org Subject: About collision encountered arbitrarily choosing ... Date: Sun, 27 Mar 2016 19:58:15 +0100 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:40425) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1akFtT-0004Kh-Kv for guix-devel@gnu.org; Sun, 27 Mar 2016 14:58:36 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1akFtQ-0006uq-Ek for guix-devel@gnu.org; Sun, 27 Mar 2016 14:58:35 -0400 Received: from smtp4.openmailbox.org ([62.4.1.38]:34775) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1akFtQ-0006tL-6J for guix-devel@gnu.org; Sun, 27 Mar 2016 14:58:32 -0400 Received: from www.openmailbox.org (openmailbox-b1 [10.91.69.218]) by mail2.openmailbox.org (Postfix) with ESMTP id 811952AD18A2 for ; Sun, 27 Mar 2016 20:58:15 +0200 (CEST) List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org I was just thinking about the warnings you get after installing packages: warning: collision encountered warning: arbitrarily choosing because there are a lot of them and they generally don't matter or cause problems I have learned to ignore them.. but I just spotted this collision today: /gnu/store/...-lsh-2.1/share/man/man8/sftp-server.8.gz /gnu/store/...-openssh-7.2p2/share/man/man8/sftp-server.8.gz That's only a man page substitution but really any package can shadow any file with 50% chance (can probably make it 100% by setting up the hash to come lexically first, not sure). A bad package could sneakily replace a core system library with, for example, insecure crypto code. So I think it is something that should be dealt with. ------------------------------------------- I had a look at past discussions on this: * https://lists.gnu.org/archive/html/guix-devel/2015-05/msg00437.html * https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00106.html * https://lists.gnu.org/archive/html/guix-devel/2015-09/msg00213.html * https://lists.gnu.org/archive/html/guix-devel/2015-07/msg00668.html one idea was a whitelist to reduce the amount of errors displayed. I've made a list of the collisions I see on my system: * [gnome] /share/icons/hicolor/icon-theme.cache * [gnome] /lib/gio/modules/giomodule.cache * [gnome] /share/glib-2.0/schemas/gschemas.compiled * [gnome] /bin/gtk-update-icon-cache # because there are 2 versions of gtk * [python] /bin/coverage * [python] /bin/.coverage3-wrap-01 * [python] /bin/py.test-3.4 * [python] /bin/.py.test-wrap-01 * [python] /bin/.py.test-3.4-wrap-01 A suggestion I have for helping reduce this is there could be a post install phase in gtk build system to delete those specific .cache files. There could also be a similar one in those python libraries. Do people agree that this is a potential problem? If so I could attempt to add such an phase. Or maybe there are other solutions that would solve this better?