Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
To: zimoun
Cc: Ricardo Wurmus, Mathieu Othacehe, Ludovic Courtès, 31444@debbugs.gnu.org, 31442@debbugs.gnu.org
From: Maxim Cournoyer
References: <87fu2vjj76.fsf@gnu.org> <864knuk8nk.fsf@gmail.com>
Date: Fri, 21 Jul 2023 12:44:11 -0400
In-Reply-To: <864knuk8nk.fsf@gmail.com> (zimoun's message of "Sat, 19 Sep 2020 00:43:59 +0200")
Message-ID: <87o7k5i59g.fsf_-_@gmail.com>

Hi Simon,

zimoun writes:

> Hi,
>
> Digging in old bugs with patches, hit this one. :-)
>
>
> On Mon, 14 May 2018 at 00:15, ludo@gnu.org (Ludovic Courtès) wrote:
>
>> On IRC davidl shared a shell script that checks the output of ‘guix lint
>> -c cve’ and uses that to determine vulnerable packages in a profile.
>> That reminds me of the plan for ‘guix health’ (a tool to do just that),
>> so I went ahead and tried to make it a reality at last.
>>
>> This ‘guix health’ reports information about “leaf” packages in a
>> profile, but not about their dependencies:
>
> Well, I do not know what was the idea at the time. :-)
> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
> does not list logs before 2019 for the nickname. Am I missing something?)
>
> And I do not know if the idea is to report only “leaf” packages.
>
> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. In other words, “guix graph” should help to manipulate the graph of
> packages.

I like this idea of composing our already existing commands, the UNIX
way. It'd be useful not just for this use case, but to better exploit
the Guix command line API in general.

> I am not sure it fits the idea behind “guix health” but the patch #43477
> allows to only output the nodes, for example.
>
>
> Here is an example, to verify the SWH health of one profile. (Note I
> chose the archival checker because it displays stuff. :-))
>
> $ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
> youtube-dl
> mb2md
> isync
> xournal
> ghostscript
> imagemagick
> mupdf
>
> $for pkg in \
>> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
>> do guix lint -c archival $pkg ; done
> gnu/packages/video.scm:2169:12: youtube-dl@2020.09.14: source not archived on Software Heritage
> gnu/packages/video.scm:1412:12: ffmpeg@4.3.1: source not archived on Software Heritage
> gnu/packages/autotools.scm:286:12: automake@1.16.2: source not archived on Software Heritage
> guix lint: error: autoconf-wrapper: package not found for version 2.69
> gnu/packages/perl.scm:89:12: perl@5.30.2: source not archived on Software Heritage
> gnu/packages/guile.scm:141:11: guile@2.0.14: source not archived on Software Heritage
> gnu/packages/ed.scm:32:12: ed@1.16: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/xorg.scm:5280:6: libxcb@1.14: source not archived on Software Heritage
> guix lint: error: tzdata: package not found for version 2019c
> gnu/packages/python.scm:514:2: python-minimal@3.8.2: source not archived on Software Heritage
> gnu/packages/xorg.scm:2140:6: xcb-proto@1.14: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/shells.scm:376:12: tcsh@6.22.02: source not archived on Software Heritage
> gnu/packages/icu4c.scm:43:11: icu4c@66.1: Software Heritage rate limit reached; try again later
> C-c
>
> Obviously, the for-loop should be avoided. But raising an error by
> “guix lint” breaks the stream. Well, that’s another story. :-)
>
>
> To summarize, instead of “guix health”, I suggest adding “features” to
> ‘guix graph’ (support manifest files, more facilities to manipulate/show
> the DAG).

I like this idea too.

>
>> The difficulty here is that we need to know a package’s CPE name before
>> we can check the CVE database, and we also need to know whether the
>> package already includes fixes for known CVEs. This patch set attaches
>> this information to manifest entries, so that ‘guix health’ can then
>> rely on it.
>
> Well, I am not sure I understand. Is it not somehow an issue of ‘guix
> lint -c cve’?

This is my understanding as well. Ludo, if your proposition has gone
stale and you don't plan to work on it anytime soon, feel free to close
it.

-- 
Thanks,
Maxim
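As an added example (not code from this thread or from Guix itself), the pipeline zimoun sketches above written as a shell script that keeps going when one `guix lint` invocation fails, plus a small parser that turns the lint output format shown in the session into a tab-separated report. It assumes `guix` is on PATH for the live run and that `guix graph -b plain` prints one package name per line as in the session (patch #43477); the sample lint lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Guix.  Composes `guix package`,
# `guix graph` and `guix lint` as discussed above and parses the lint output.

# Lint every package reachable from PROFILE with CHECKER (default: cve).
# Assumes `guix` is on PATH and that `guix graph -b plain` prints one
# package name per line.  `|| true` keeps the loop going when a single
# package fails (e.g. "package not found" or an SWH rate limit), so one
# error no longer breaks the stream.
lint_profile() {
    profile=$1
    checker=${2:-cve}
    guix package -p "$profile" -I | cut -f1 \
        | xargs guix graph -b plain \
        | while IFS= read -r pkg; do
              guix lint -c "$checker" "$pkg" 2>&1 || true
          done
}

# Turn `guix lint` output into KIND<TAB>PACKAGE<TAB>MESSAGE lines.
#   finding: "gnu/packages/x.scm:LINE:COL: pkg@ver: message"
#   error:   "guix lint: error: pkg: message"
#   other:   anything else (kept so nothing is silently dropped)
report_lint() {
    while IFS= read -r line; do
        case $line in
            "guix lint: error: "*)
                rest="${line#guix lint: error: }"
                printf 'error\t%s\t%s\n' "${rest%%:*}" "${rest#*: }" ;;
            *.scm:*:*:" "*)
                rest="${line#*.scm:*:*: }"   # drop the file:line:col prefix
                printf 'finding\t%s\t%s\n' "${rest%%:*}" "${rest#*: }" ;;
            *)
                printf 'other\t-\t%s\n' "$line" ;;
        esac
    done
}

# Constructed sample in the format shown in the thread (not real output).
SAMPLE_LINT='gnu/packages/video.scm:2169:12: youtube-dl@2020.09.14: source not archived on Software Heritage
guix lint: error: autoconf-wrapper: package not found for version 2.69
gnu/packages/perl.scm:89:12: perl@5.30.2: source not archived on Software Heritage
gnu/packages/icu4c.scm:43:11: icu4c@66.1: Software Heritage rate limit reached; try again later'

# Offline demo: only the parser runs here; lint_profile needs guix.
printf '%s\n' "$SAMPLE_LINT" | report_lint
```

Run `lint_profile ~/.config/guix/profiles/apps/apps archival | report_lint` on a machine with Guix to get the same report for a real profile.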