Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
From: zimoun
To: ludo@gnu.org (Ludovic Courtès)
Cc: Ricardo Wurmus, Mathieu Othacehe, 31444@debbugs.gnu.org, 31442@debbugs.gnu.org
Date: Sat, 19 Sep 2020 00:43:59 +0200
In-Reply-To: <87fu2vjj76.fsf@gnu.org> (Ludovic Courtès's message of "Mon, 14 May 2018 00:15:41 +0200")
Message-ID: <864knuk8nk.fsf@gmail.com>

Hi,

Digging in old bugs with patches, hit this one.
:-)

On Mon, 14 May 2018 at 00:15, ludo@gnu.org (Ludovic Courtès) wrote:

> On IRC davidl shared a shell script that checks the output of ‘guix lint
> -c cve’ and uses that to determine vulnerable packages in a profile.
> That reminds me of the plan for ‘guix health’ (a tool to do just that),
> so I went ahead and tried to make it a reality at last.
>
> This ‘guix health’ reports information about “leaf” packages in a
> profile, but not about their dependencies:

Well, I do not know what the idea was at the time. :-)
(The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
does not list logs before 2019 for the nickname. Am I missing something?)

And I do not know if the idea is to report only “leaf” packages.

Well, instead of creating another new command, I think it would be better
to include the “leaf” packages in “guix graph” and then pipe to “guix
lint”. In other words, “guix graph” should help to manipulate the graph
of packages.

I am not sure it fits the idea behind “guix health”, but the patch #43477
allows outputting only the nodes, for example.

Here is an example, to verify the SWH health of one profile. (Note I chose
the archival checker because it displays stuff.
:-))

--8<---------------cut here---------------start------------->8---
$ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
youtube-dl
mb2md
isync
xournal
ghostscript
imagemagick
mupdf
$for pkg in \
> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
> do guix lint -c archival $pkg ; done
gnu/packages/video.scm:2169:12: youtube-dl@2020.09.14: source not archived on Software Heritage
gnu/packages/video.scm:1412:12: ffmpeg@4.3.1: source not archived on Software Heritage
gnu/packages/autotools.scm:286:12: automake@1.16.2: source not archived on Software Heritage
guix lint: error: autoconf-wrapper: package not found for version 2.69
gnu/packages/perl.scm:89:12: perl@5.30.2: source not archived on Software Heritage
gnu/packages/guile.scm:141:11: guile@2.0.14: source not archived on Software Heritage
gnu/packages/ed.scm:32:12: ed@1.16: source not archived on Software Heritage
[...]
gnu/packages/xorg.scm:5280:6: libxcb@1.14: source not archived on Software Heritage
guix lint: error: tzdata: package not found for version 2019c
gnu/packages/python.scm:514:2: python-minimal@3.8.2: source not archived on Software Heritage
gnu/packages/xorg.scm:2140:6: xcb-proto@1.14: source not archived on Software Heritage
[...]
gnu/packages/shells.scm:376:12: tcsh@6.22.02: source not archived on Software Heritage
gnu/packages/icu4c.scm:43:11: icu4c@66.1: Software Heritage rate limit reached; try again later
C-c
--8<---------------cut here---------------end--------------->8---

Obviously, the for-loop should be avoided. But an error raised by “guix
lint” breaks the stream. Well, that’s another story. :-)

To summarize, instead of “guix health”, I suggest adding “features” to
‘guix graph’ (support manifest files, more facilities to manipulate/show
the DAG).
> The difficulty here is that we need to know a package’s CPE name before
> we can check the CVE database, and we also need to know whether the
> package already includes fixes for known CVEs. This patch set attaches
> this information to manifest entries, so that ‘guix health’ can then
> rely on it.

Well, I am not sure I understand. Is it not somehow an issue of ‘guix
lint -c cve’?

> Fundamentally, that means we cannot reliably tell much about
> dependencies: in cases where the CPE name differs from the Guix name, we
> won’t have any match, and more generally, we cannot know what CVEs are
> patched in the package; we could infer part of this by looking at the
> same-named package in the current Guix, but that’s hacky.
>
> I think that longer-term we probably need to attach this kind of
> meta-data to packages themselves, by adding a bunch of files in each
> package, say under PREFIX/guix. We could do that for search paths as
> well.

What is the status of this idea?

> Should we satisfy ourselves with the current approach in the meantime?
> Thoughts?
>
> Besides, support for properties in manifest entries seems useful to me,
> so we may want to keep it regardless of whether we take ‘guix health’
> as-is.

I am not sure that my email is relevant, but at least it will ping for
‘guix health’. :-)

Cheers,
simon
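An added example, not code from the thread or from Guix itself: a POSIX sh version of the loop in the session above that keeps going when one ‘guix lint’ invocation fails, then summarises the checker output. The GUIX_LINT variable is an assumption introduced so the checker command can be swapped for a stub; the line shapes it classifies are the ones shown in the session.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix itself.
# Runs one checker over every package of a profile without letting a
# failing invocation stop the loop, then summarises the checker output.
# GUIX_LINT is an assumption: it is overridable so the reporting logic can
# be exercised with a stub when no Guix installation is at hand.
GUIX_LINT="${GUIX_LINT:-guix lint -c archival}"

# profile_packages PROFILE: names of the packages installed in PROFILE,
# one per line (same pipeline as in the session above).
profile_packages() {
    guix package -p "$1" -I | cut -f1
}

# lint_each: read package names on stdin and run the checker once per
# package. stderr is merged so error lines stay in the stream; a non-zero
# exit is noted on stderr and the loop continues instead of breaking.
lint_each() {
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        # $GUIX_LINT is deliberately unquoted: it is a command plus options.
        if out=$($GUIX_LINT "$pkg" 2>&1); then
            printf '%s\n' "$out"
        else
            status=$?
            printf '%s\n' "$out"
            printf 'note: checker exited with status %s for %s\n' "$status" "$pkg" >&2
        fi
    done
}

# summarize_lint: classify checker lines on stdin and print three counters.
# Line shapes are those seen in the session above:
#   file.scm:L:C: pkg@ver: source not archived on Software Heritage
#   file.scm:L:C: pkg@ver: Software Heritage rate limit reached; try again later
#   guix lint: error: pkg: package not found for version V
summarize_lint() {
    awk '
        /source not archived/   { missing++ }
        /rate limit reached/    { limited++ }
        /^guix lint: error:/    { errors++ }
        END { printf "not-archived=%d rate-limited=%d errors=%d\n",
                     missing, limited, errors }
    '
}

# Usage: profile_packages ~/.config/guix/profiles/apps/apps | lint_each | summarize_lint
```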