From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id QLP3Lb3USWBXHwAA0tVLHw (envelope-from ) for ; Thu, 11 Mar 2021 08:28:45 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id uGbaKb3USWDcAQAA1q6Kng (envelope-from ) for ; Thu, 11 Mar 2021 08:28:45 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 70EF714E2B for ; Thu, 11 Mar 2021 09:28:45 +0100 (CET) Received: from localhost ([::1]:40198 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lKGgW-0007ll-Kf for larch@yhetil.org; Thu, 11 Mar 2021 03:28:44 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:40910) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lKGgN-0007lD-6b for guix-devel@gnu.org; Thu, 11 Mar 2021 03:28:35 -0500 Received: from mail.zaclys.net ([178.33.93.72]:39385) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lKGgI-0003TS-3F for guix-devel@gnu.org; Thu, 11 Mar 2021 03:28:34 -0500 Received: from [192.168.0.27] (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12B8SQNe011089 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 11 Mar 2021 09:28:26 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12B8SQNe011089 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1615451306; bh=a3KQCo8eegkLtf9vQ6HmDPBqN14zMrK2sA0iGRTG3xU=; h=Subject:From:To:Date:In-Reply-To:References:From; b=pU0O99pOReqIKGbxk21VEkK7AK+HKTu9nznoaguMp2fTgA3bGY23+idiP6PlC4rLx fH6Q/YwJ0nTUbLvaedYbEuTrQ9Zp0QntSAUUJq7TEzq306IfAeM1fpiU0dyjJaUTwh fux0yXK/KRe4v6KFJ4BmKBHluEg7N0ZxpEg148WI= Message-ID: <1db062314b9b45d651bf7ba549a8f7e2bf0d1dbd.camel@zaclys.net> Subject: Re: GNOME 3.34 in GNU Guix and security From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: Mark H Weaver , guix-devel@gnu.org Date: Thu, 11 Mar 2021 09:28:22 +0100 In-Reply-To: <87lfaugl23.fsf@netris.org> References: <4720e347b48bd6ca4710b461cadecf0b65aa6442.camel@zaclys.net> <87lfaugl23.fsf@netris.org> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-kNi5UVFG1YCHSiZ9gf1d" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1615451325; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=a3KQCo8eegkLtf9vQ6HmDPBqN14zMrK2sA0iGRTG3xU=; b=Ugq5jDzkMLJKx4AykU6DT0z9PImlG0Okz2LVRMmFZUNVpE8+50vHxKHFAtHC3qUl93OdYb owwQNMQTfyZYpjbPH0ahiRUs3kBoiFK52g+RMRyy2Xk4WRy9b59ZLAoqwWTa6wcYE98UjG jFNvGtID448eY7QQ/j/qeZiuQV1esPFgcHDybcYEcTzVZYi7e4vAFGR2SslDmdGrFzcrQD MlEwfsPF8PlM1cqa9p6E6A0egHvg7GxcOIhx62Sfn+Ymz0QaoOcsmDnY9ZJOvs4RR8CAnM zeDya0H2gIvTaTMrn5ZY02mNmL0G+BpHoU2ss/YO/iw22HG+rEP+XP4DQSeXMw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615451325; a=rsa-sha256; cv=none; b=jN90BQJHjEzLdvj2/QgR/Xrbm/v+FWc2Yy1u1ipfmtwQbcFAhXn44Q15ujuQbJ0CE4J6Sf Jy3KAASsssTEHkuWOIU8MoixqaItwdUUhrZ3x1Tpln1m84pFZCMoTzt3ncVpkap9Srt3de S9vG/lld7fF4AR/ftfR9N2+C8ctwD4+ShpWUa1XOLpyU3raS/6ZJRohMIcSCKUO4b5YR/d DekmeSApU1J+5ckMMfxuhlwp9wBBzbFlFgRr9bChiMdmW2ZjR4tsXootv6HZV6IS14RbqT NThM72JqnViCv1NvWkJ+1B/C1U5YiF58ucWkqJWNqXEvmbvyIaXnqaLX5gY65A== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=pU0O99pO; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -5.19 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=pU0O99pO; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 70EF714E2B X-Spam-Score: -5.19 X-Migadu-Scanner: scn0.migadu.com X-TUID: Xg21IhUB7cfc --=-kNi5UVFG1YCHSiZ9gf1d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, 2021-03-11 at 03:18 -0500, Mark H Weaver wrote: > Hi L=C3=A9o, Hello! > I appreciate your recent work on Guix security. Thank you for that. Very happy to catch up there as well for my own usage of GNU Guix as well! > Can you please substantiate this? What vulnerabilities do you know > of, > and what makes you think that we can't address them adequately in the > usual ways, without "upgrading GNOME to [the] latest"? I have not yet fully investigated each CVE but there is uncertainty around gnome-shell, gvfs, librsvg, gdk-pixbuf, pango, cairo, if not more. You can use 'guix lint -c cve ' to find out, also look up in NVD individually in case GNU Guix doesnt find it. I am always uneasy relying on CVE only for security patches since I know how much lots of security issues are fixed by developers without issuing any CVE, so to me the best way of keeping up is to always be on latest. > I saw your bug report about our Glib being vulnerable to CVE-2021- > 27218 > and CVE-2021-27219. Thanks very much for bringing that our > attention. >=20 > I'll backport the fixes to our version of Glib. It will actually be > quite easy, given that Ubuntu has already published backports of > the > fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix > (2.62.6). I just looked at the diffs between those two patch sets, > and > the differences are quite slight, apart from line number differences. I am really happy you are willing to help! I will have to admit that I am a bit overwhelmed by the amount of work that I have left still. L=C3=A9o --=-kNi5UVFG1YCHSiZ9gf1d Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBJ1KYACgkQRaix6GvN EKbGZA/7BMtGXkiOWJ0yFyWPtJwfoyDRn6q0vGX29zORdUbtKfUAScRwP5Fe2OZH BEz7T6TepFNBdJGKiFXGYV4WnEHp98fhVfI2XH6maxE03QpzURz+z1NpfbJgF8wR 7XvSmI5PAn1Sy5oRVG29jasXkgYl7CU8TZ1Egv7Z5sFJT8+X0NbrZoC/SKHtk2Z6 mCgVe8vA3Ikvu1B5UX4gS2ek8+kpn1rIFKR5gIkaqOq8E2oJ1Xn897MFPNDfXUXM RvJ49al8M5erXl6VBI1zreQGyt24whk9SHSDAZRrNvjLeWLV3W7Q541W7IRt07ae Rp23MPr2De94aseoFV/+HiggRAAiXtHnSAuL5Ls2w71IDT0VEZnpc1bnBC3lUYI4 X1LVjrRVY9fsmPpQJBXl7xQY7GwYr27AHIaKx/HS4VX9CW8wLiLchj4eqgdbytIR ALbqnFQYJkCBcnV1irzv+03cKc26d5+i/p/hO7DSZpOjBem9dsnlFwaH0XfB0p6o TAHJ27sc+UxxQN1SPR4xG22Mqm1+oq5qIrf4ixf5vM59dp8dbbT4jQ4wFtcT+cTY ppdrUmLid61G8tnr6YCUCcQHij+9qqjMG5jZUDQuCHM7+6zuVSN/no27w+t21VSJ k7GiOjjSbnamgScEFad2rrmS5ETLawufecdhoHZtZ0n9yevuROQ= =Izao -----END PGP SIGNATURE----- --=-kNi5UVFG1YCHSiZ9gf1d--