From: Maxim Cournoyer
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
To: Ludovic Courtès
Cc: Ricardo Wurmus, Mathieu Othacehe, 31444@debbugs.gnu.org, 31442@debbugs.gnu.org, zimoun
Date: Sat, 09 Sep 2023 18:14:13 -0400
Message-ID: <871qf7xadm.fsf@gmail.com>
In-Reply-To: <87jzt04ooe.fsf@gnu.org> (Ludovic Courtès's message of "Fri, 08 Sep 2023 18:25:53 +0200")
Hi Ludovic,

Ludovic Courtès writes:

[...]

> Reporting only leaf packages was a limitation, not a goal. The
> limitation stemmed from the fact that, to determine whether a package is
> vulnerable, we need to (1) map its store file name to its package name,
> and (2) map its package name to its CPE name.
>
> We can do #1 via manifests, but only for leaf packages (because there’s
> no metadata available for other store items).

[...]

> There’s been progress since I posted this patch: manifests now include
> provenance info, which means we can map profiles back to package
> definitions! So we could make a proper ‘guix health’ at this stage.
>
> I’d like to say I’ll work on it soon but reality is that I’m a bit
> swamped. Anyhow, I think it remains a useful tool, and whether it’s me
> or someone else working on it, we should probably aim for it at some
> point.

Thanks for the update. It's OK to keep it here if all that is missing is some extra work to push it to the finish line, so let's keep this one open.

On a related note, sometimes we have WIP kind of work that stays on our tracker with deeper questions / problems to solve, and I don't think it's fair for our reviewers to have these linger on for years on the tracker (they take a lot of time to get familiar with, and would then require quite more investment to be completed, sometimes with the original submitter no longer active in the discussion) -- I think for these situations it's fair to close it. An interested person can hopefully find these in the archives and resume work on it if they are so inclined.

-- 
Thanks,
Maxim
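The two-step mapping Ludovic describes (store file name to package name, then package name to CPE name), sketched as an added Python example; it is not code from this thread or from Guix, and the CPE table, the vulnerability feed with its placeholder CVE identifiers, and the store hash are all constructed.

```python
import re
from dataclasses import dataclass
# Added example, not Guix code.  A store item is named
# /gnu/store/<32-char nix-base32 hash>-<name>-<version>; the version is the
# first dash-separated component that starts with a digit.  Heuristic: a name
# containing a "-<digit>" component would be split at the wrong place.
STORE_ITEM = re.compile(
    r"^/gnu/store/[0-9a-df-np-sv-z]{32}-(?P<name>.+?)-(?P<version>[0-9][^/]*)(?:/.*)?$"
)

def parse_store_item(path):
    """Step 1: store file name -> (package name, version), or None."""
    m = STORE_ITEM.match(path)
    return None if m is None else (m.group("name"), m.group("version"))

# Step 2: package name -> CPE product name.  Constructed stand-in for the
# mapping Guix keeps in package metadata; unlisted names map to themselves.
CPE_NAMES = {"openssl": "openssl", "python-cryptography": "cryptography"}

@dataclass(frozen=True)
class Vulnerability:
    cve: str                      # placeholder identifier, not a real CVE
    cpe_name: str
    affected_versions: frozenset

# Constructed feed: which CPE product versions each placeholder CVE affects.
FEED = (
    Vulnerability("CVE-XXXX-0001", "openssl", frozenset({"1.1.1k", "1.1.1l"})),
    Vulnerability("CVE-XXXX-0002", "cryptography", frozenset({"41.0.3"})),
)

def vulnerable_items(store_paths, cpe_names=CPE_NAMES, feed=FEED):
    """Return {store path: [CVE ids]} for every item the feed flags."""
    report = {}
    for path in store_paths:
        parsed = parse_store_item(path)
        if parsed is None:
            continue  # not a /gnu/store item, or it has no version component
        name, version = parsed
        cpe = cpe_names.get(name, name)
        hits = [v.cve for v in feed
                if v.cpe_name == cpe and version in v.affected_versions]
        if hits:
            report[path] = hits
    return report

# Constructed store paths (made-up hash) standing in for a profile's items.
HASH = "0123456789abcdfghijklmnpqrsvwxyz"
SAMPLE_PROFILE = [f"/gnu/store/{HASH}-openssl-1.1.1k",
                  f"/gnu/store/{HASH}-python-cryptography-41.0.3/lib/python3.10",
                  f"/gnu/store/{HASH}-openssl-3.1.2", f"/gnu/store/{HASH}-hello.drv"]
```

Derivations and other hash-only items fall out at step 1, which is the same gap the quoted message points at: without provenance metadata, only items whose names carry a package name and version can be checked.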