* bug#22831: OpenSSL should not depend on Perl
@ 2016-02-27 17:05 Ludovic Courtès
  2016-02-28  1:10 ` Leo Famulari
                   ` (2 more replies)
  0 siblings, 3 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-02-27 17:05 UTC (permalink / raw)
  To: 22831

Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
but one of the subsequent upgrades broke it:

--8<---------------cut here---------------start------------->8---
$ guix build perl
/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1
$ grep -r x2p2biyybcb2wac77qz9468asc5fm48i $(guix build openssl)
/gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f/bin/c_rehash:#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl
--8<---------------cut here---------------end--------------->8---

Somehow ‘openssl-c-rehash.patch’ seems to no longer have the desired
effect.

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread
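Added example, not code from the bug report or from Guix: a stand-alone, reusable form of the grep check in the report above. It lists every store item a build output references as text and fails when a forbidden one (here Perl) is among them, which is the policy the thread later enforces at build time with #:disallowed-references. Assumptions: the sample output tree is constructed (the Perl hash is the one quoted in the report, the glibc hash is made up), and forbidden items are matched by package name rather than by the exact hash of the build input, a simplification of what the Guix reference scanner does.

```shell
#!/bin/sh
# Guix store hashes use the 32-character Nix base-32 alphabet, which omits
# e, o, t and u; 32 such characters followed by "-" begin every store item.
STORE_ITEM_RE='/gnu/store/[0-9a-df-np-sv-z]{32}-[^/[:space:]"]*'

# Print the distinct store items referenced as text anywhere under $1
# (shebang lines, RPATH strings, generated scripts, ...), one per line.
store_refs() {
    grep -E -r -h -a -o "$STORE_ITEM_RE" "$1" 2>/dev/null | sort -u
}

# Return 0 if nothing under $1 references a store item whose name contains
# $2 (for example "-perl-"); otherwise list the offending files on stderr
# and return 1.  The "|| true" keeps a no-match grep from tripping set -e.
check_no_ref() {
    hits=$(grep -E -r -a -l "/gnu/store/[0-9a-df-np-sv-z]{32}$2" "$1" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf 'forbidden reference matching %s under %s:\n%s\n' "$2" "$1" "$hits" >&2
    return 1
}

# Constructed sample output tree modelled on the report: bin/c_rehash still
# carries the Perl shebang, while lib/ only refers to (a made-up) glibc.
make_sample_output() {
    out=$(mktemp -d)
    mkdir -p "$out/bin" "$out/lib"
    printf '#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl\n' \
        > "$out/bin/c_rehash"
    printf 'NEEDED /gnu/store/00000000000000000000000000000000-glibc-2.22/lib/libc.so.6\n' \
        > "$out/lib/libssl.so"
    printf '%s\n' "$out"
}

main() {
    out=$(make_sample_output)
    echo "store items referenced under $out:"
    store_refs "$out"
    if check_no_ref "$out" -perl-; then
        echo "OK: no Perl reference"
    else
        echo "FAIL: Perl leaked into the closure"
    fi
    rm -rf "$out"
}

main "$@"
```

Run it against a real output with `store_refs "$(guix build openssl)"` to see the full reference list, and `check_no_ref "$(guix build openssl)" -perl-` as the pass/fail check.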

* bug#22831: OpenSSL should not depend on Perl
  2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
@ 2016-02-28  1:10 ` Leo Famulari
  2016-02-28 13:35   ` Ludovic Courtès
  2016-02-28 13:37   ` Ludovic Courtès
  2016-03-01  0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
  2016-03-21  2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
  2 siblings, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-02-28  1:10 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22831

On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> but one of the subsequent upgrades broke it:

Bisecting, I narrowed it down to:
86c8f1daf8ed10f13f2b1e973a28845629b8ce47
(gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).

I'll get the openssl sources corresponding to the good and bad commits
and try to figure out what changed that pulled perl back in.

> 
> --8<---------------cut here---------------start------------->8---
> $ guix build perl
> /gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1
> $ grep -r x2p2biyybcb2wac77qz9468asc5fm48i $(guix build openssl)
> /gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f/bin/c_rehash:#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl
> --8<---------------cut here---------------end--------------->8---
> 
> Somehow ‘openssl-c-rehash.patch’ seems to no longer have the desired
> effect.
> 
> Ludo’.
> 
> 
> 

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: OpenSSL should not depend on Perl
  2016-02-28  1:10 ` Leo Famulari
@ 2016-02-28 13:35   ` Ludovic Courtès
  2016-02-29  8:47     ` Leo Famulari
  2016-02-28 13:37   ` Ludovic Courtès
  1 sibling, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-02-28 13:35 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> but one of the subsequent upgrades broke it:
>
> Bisecting, I narrowed it down to:
> 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>
> I'll get the openssl sources corresponding to the good and bad commits
> and try to figure out what changed that pulled perl back in.

Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
Tuesday.

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: OpenSSL should not depend on Perl
  2016-02-28  1:10 ` Leo Famulari
  2016-02-28 13:35   ` Ludovic Courtès
@ 2016-02-28 13:37   ` Ludovic Courtès
  2016-02-29  8:48     ` Leo Famulari
  1 sibling, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-02-28 13:37 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> but one of the subsequent upgrades broke it:
>
> Bisecting, I narrowed it down to:
> 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>
> I'll get the openssl sources corresponding to the good and bad commits
> and try to figure out what changed that pulled perl back in.

Also we should add something like:

  #:allowed-references (list (canonical-package glibc)
                             (list (canonical-package gcc) "lib")
                             "out")

to avoid regressions.

(A case where #:disallowed-references would be more convenient, but it’s
not yet implemented.  :-))

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: OpenSSL should not depend on Perl
  2016-02-28 13:35   ` Ludovic Courtès
@ 2016-02-29  8:47     ` Leo Famulari
  2016-03-01 13:38       ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-02-29  8:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22831

On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> >> but one of the subsequent upgrades broke it:
> >
> > Bisecting, I narrowed it down to:
> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> >
> > I'll get the openssl sources corresponding to the good and bad commits
> > and try to figure out what changed that pulled perl back in.
> 
> Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
> Tuesday.

'openssl-c-rehash.patch' is being applied, but at some point in the
build process the change is reverted.

I haven't figured out why yet. Ludo is right; it would be really good to
only change our OpenSSL package one day this week.

So, I'm asking for help with this problem!

I will spend some time on it tomorrow, but I really don't have any
promising leads. My plan is to step through the build process and learn
when the shebang is recreated. Hopefully then I will get some
inspiration.

I suppose a nasty short term fix would be to patch the file after
installing it. I will submit that patch if it seems there is no other
option in time for the security update.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: OpenSSL should not depend on Perl
  2016-02-28 13:37   ` Ludovic Courtès
@ 2016-02-29  8:48     ` Leo Famulari
  2016-03-01  0:43       ` Leo Famulari
  0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-02-29  8:48 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22831

On Sun, Feb 28, 2016 at 02:37:54PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> >> but one of the subsequent upgrades broke it:
> >
> > Bisecting, I narrowed it down to:
> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> >
> > I'll get the openssl sources corresponding to the good and bad commits
> > and try to figure out what changed that pulled perl back in.
> 
> Also we should add something like:
> 
>   #:allowed-references (list (canonical-package glibc)
>                              (list (canonical-package gcc) "lib")
>                              "out")
> 
> to avoid regressions.

Okay, good idea.

> 
> (A case where #:disallowed-references would be more convenient, but it’s
> not yet implemented.  :-))
> 
> Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency
  2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
  2016-02-28  1:10 ` Leo Famulari
@ 2016-03-01  0:39 ` Leo Famulari
  2016-03-01  0:39   ` bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl Leo Famulari
  2016-03-01  0:39   ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
  2016-03-21  2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
  2 siblings, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01  0:39 UTC (permalink / raw)
  To: 22831

Patch 1/2 updates the patch we use to keep Perl from becoming a
registered run-time dependency of OpenSSL.

Patch 2/2 is an attempt to use #:allowed-references to prevent
Perl from sneaking back in again. Unfortunately, it fails when gcc is an
allowed reference. It "works" when gcc is not in the list. Here's the
backtrace:

Backtrace:
In ice-9/boot-9.scm:
 157: 19 [catch system-error #<procedure 1fc8930 at ice-9/eval.scm:416:20 ()> ...]
In ice-9/eval.scm:
 481: 18 [lp (#<fluid 1>) (absolute)]
 411: 17 [eval # #]
 481: 16 [lp (#<fluid 32>) (#t)]
In srfi/srfi-1.scm:
 646: 15 [append-map #<procedure 1fca0c0 at ice-9/eval.scm:416:20 (a)> (#)]
 578: 14 [map #<procedure 1fca0c0 at ice-9/eval.scm:416:20 (a)> (#)]
In ice-9/eval.scm:
 387: 13 [eval # #]
 411: 12 [eval # #]
In ice-9/r4rs.scm:
  39: 11 [call-with-values #<procedure 5e8f960 at ice-9/eval.scm:416:20 ()> ...]
In ice-9/eval.scm:
 411: 10 [eval # #]
 481: 9 [lp (#<fluid 24> #<fluid 25>) ("x86_64-linux" #f)]
 481: 8 [lp (#<fluid 25>) (#f)]
 411: 7 [eval # #]
 387: 6 [eval # #]
 387: 5 [eval # #]
 387: 4 [eval # #]
 387: 3 [eval # #]
 387: 2 [eval # #]
 393: 1 [eval # #]
In unknown file:
   ?: 0 [memoize-variable-access! #<memoized gcc> #<directory # 41083f0>]

ERROR: In procedure memoize-variable-access!:
ERROR: Unbound variable: gcc


Leo Famulari (2):
  gnu: openssl: Remove run-time dependency on Perl.
  WIP: gnu: openssl: Restrict allowed references for openssl.

 gnu/packages/patches/openssl-c-rehash.patch | 14 ++++++++++++++
 gnu/packages/tls.scm                        |  7 +++++++
 2 files changed, 21 insertions(+)

-- 
2.7.1

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl.
  2016-03-01  0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
@ 2016-03-01  0:39   ` Leo Famulari
  2016-03-01  0:39   ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
  1 sibling, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01  0:39 UTC (permalink / raw)
  To: 22831

Fixes <http://bugs.gnu.org/22831>.

* gnu/packages/patches/openssl-c-rehash.patch: Update patch to also replace the
shebang of 'c_rehash.in'.
---
 gnu/packages/patches/openssl-c-rehash.patch | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/gnu/packages/patches/openssl-c-rehash.patch b/gnu/packages/patches/openssl-c-rehash.patch
index f873a9a..62cf662 100644
--- a/gnu/packages/patches/openssl-c-rehash.patch
+++ b/gnu/packages/patches/openssl-c-rehash.patch
@@ -15,3 +15,17 @@ package.
  
  # Perl c_rehash script, scan all files in a directory
  # and add symbolic links to their hash values.
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index b086ff9..5908a97 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,6 @@
+-#!/usr/local/bin/perl
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++  & eval 'exec perl -wS "$0" $argv:q'
++    if 0;
+ 
+ # Perl c_rehash script, scan all files in a directory
+ # and add symbolic links to their hash values.
+
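Review bot: the last `+` line of the new hunk adds a trailing empty line to the end of openssl-c-rehash.patch; patch tools accept it, but it is a stray blank line and should be dropped. The c_rehash.in hunk otherwise mirrors the existing c_rehash one, and since the installed c_rehash is regenerated from c_rehash.in, patching the template is what actually keeps the Perl store path out of the output; it is worth stating in the patch's header comment that both files must stay patched, so the next OpenSSL update does not silently drop one of them. Note also that the `exec perl -wS "$0"` trick resolves `perl` from PATH when c_rehash is run, so a missing Perl now shows up as a run-time failure of c_rehash rather than as a store dependency.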
-- 
2.7.1

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-01  0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
  2016-03-01  0:39   ` bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl Leo Famulari
@ 2016-03-01  0:39   ` Leo Famulari
  2016-03-01  7:18     ` Leo Famulari
  2016-03-01  7:20     ` Leo Famulari
  1 sibling, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01  0:39 UTC (permalink / raw)
  To: 22831

* gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
---
 gnu/packages/tls.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 57f0ca1..5990413 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,13 @@ required structures.")
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; Perl is required at build-time, but ideally not at run-time.
+      ;; OpenSSL updates tend to pull it back in. This prevents that.
+
+      #:allowed-references ,(list (canonical-package glibc)
+                                  (list (canonical-package gcc) "lib")
+                                  "out")
       #:phases
       (modify-phases %standard-phases
         (add-before
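Review bot: `gcc` is not bound in this module, which is exactly the `Unbound variable: gcc` in the cover letter's backtrace; `(canonical-package gcc)` needs `#:use-module (gnu packages gcc)` added to the module's `define-module` form (the attached follow-up patch does this). Also, the blank `+` line between the `;; OpenSSL updates tend to pull it back in.` comment and `#:allowed-references` separates the comment from the keyword it documents; keep the comment directly above the keyword and drop the blank line before it as well.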
-- 
2.7.1

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* Re: bug#22831: OpenSSL should not depend on Perl
  2016-02-29  8:48     ` Leo Famulari
@ 2016-03-01  0:43       ` Leo Famulari
  2016-03-01 20:48         ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-01  0:43 UTC (permalink / raw)
  To: guix-devel

On Mon, Feb 29, 2016 at 03:48:15AM -0500, Leo Famulari wrote:
> On Sun, Feb 28, 2016 at 02:37:54PM +0100, Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> > 
> > > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> > >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> > >> but one of the subsequent upgrades broke it:
> > >
> > > Bisecting, I narrowed it down to:
> > > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> > >
> > > I'll get the openssl sources corresponding to the good and bad commits
> > > and try to figure out what changed that pulled perl back in.
> > 
> > Also we should add something like:
> > 
> >   #:allowed-references (list (canonical-package glibc)
> >                              (list (canonical-package gcc) "lib")
> >                              "out")
> > 
> > to avoid regressions.
> 
> Okay, good idea.

Normally I wouldn't forward mail from bug-guix to guix-devel. I need
help with a patch addressing a bug that I'd like to see fixed alongside
tomorrow's OpenSSL update, so I'm trying to increase the exposure.

I need help setting up #:allowed-references:

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22831#23

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-01  0:39   ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
@ 2016-03-01  7:18     ` Leo Famulari
  2016-03-01  7:20     ` Leo Famulari
  1 sibling, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01  7:18 UTC (permalink / raw)
  To: 22831

On Mon, Feb 29, 2016 at 07:39:53PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.

I realized that it would work if I imported (gnu packages gcc) when
defining the tls module. I don't know if that's the right approach or
not, but the output now refers only to glibc, gcc:lib, and itself.

> ---
>  gnu/packages/tls.scm | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 57f0ca1..5990413 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -200,6 +200,13 @@ required structures.")
>      `(#:parallel-build? #f
>        #:parallel-tests? #f
>        #:test-target "test"
> +
> +      ;; Perl is required at build-time, but ideally not at run-time.
> +      ;; OpenSSL updates tend to pull it back in. This prevents that.
> +
> +      #:allowed-references ,(list (canonical-package glibc)
> +                                  (list (canonical-package gcc) "lib")
> +                                  "out")
>        #:phases
>        (modify-phases %standard-phases
>          (add-before
> -- 
> 2.7.1
> 
> 
> 
> 

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-01  0:39   ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
  2016-03-01  7:18     ` Leo Famulari
@ 2016-03-01  7:20     ` Leo Famulari
  2016-03-01 20:46       ` Ludovic Courtès
  1 sibling, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-01  7:20 UTC (permalink / raw)
  To: 22831

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

On Mon, Feb 29, 2016 at 07:39:53PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.

Working patch attached.

[-- Attachment #2: 0001-gnu-openssl-Restrict-allowed-references-for-openssl.patch --]
[-- Type: text/x-diff, Size: 1312 bytes --]

From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 29 Feb 2016 19:24:20 -0500
Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.

* gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
---
 gnu/packages/tls.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 90971f2..8c72f3b 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -32,6 +32,7 @@
   #:use-module (guix build-system python)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages)
+  #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages libffi)
   #:use-module (gnu packages libidn)
@@ -200,6 +201,12 @@ required structures.")
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; We want to limit what the output of this derivation refers to.
+      ;; Specifically, we don't want it to refer to Perl.
+      #:allowed-references ,(list (canonical-package glibc)
+                                  (list (canonical-package gcc) "lib")
+                                  "out")
       #:phases
       (modify-phases %standard-phases
         (add-before
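Review bot: the comment says only that the output must not refer to Perl, but an allowlist of glibc, gcc:lib and `"out"` makes the build fail on any other new reference too, so the comment should say that a legitimate new run-time reference has to be added to this list, or the next person hitting the failure will not know why. That broader tripwire is the trade-off versus a Perl-only blocklist, and it is also why this patch has to pull in `(gnu packages gcc)` just to name gcc:lib.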
-- 
2.7.1


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* bug#22831: OpenSSL should not depend on Perl
  2016-02-29  8:47     ` Leo Famulari
@ 2016-03-01 13:38       ` Ludovic Courtès
  2016-03-01 17:24         ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 13:38 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> >> but one of the subsequent upgrades broke it:
>> >
>> > Bisecting, I narrowed it down to:
>> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
>> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>> >
>> > I'll get the openssl sources corresponding to the good and bad commits
>> > and try to figure out what changed that pulled perl back in.
>> 
>> Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
>> Tuesday.
>
> 'openssl-c-rehash.patch' is being applied, but at some point in the
> build process the change is reverted.

In the source, I see:

--8<---------------cut here---------------start------------->8---
$ find -name c_rehash\*
./tools/c_rehash
./tools/c_rehash.in
./doc/apps/c_rehash.pod
--8<---------------cut here---------------end--------------->8---

Could it be that the unpatched one ends up being installed or something?

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: OpenSSL should not depend on Perl
  2016-03-01 13:38       ` Ludovic Courtès
@ 2016-03-01 17:24         ` Ludovic Courtès
  0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 17:24 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831-done

ludo@gnu.org (Ludovic Courtès) skribis:

> Leo Famulari <leo@famulari.name> skribis:
>
>> On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
>>> Leo Famulari <leo@famulari.name> skribis:
>>> 
>>> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>>> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>>> >> but one of the subsequent upgrades broke it:
>>> >
>>> > Bisecting, I narrowed it down to:
>>> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
>>> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>>> >
>>> > I'll get the openssl sources corresponding to the good and bad commits
>>> > and try to figure out what changed that pulled perl back in.
>>> 
>>> Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
>>> Tuesday.
>>
>> 'openssl-c-rehash.patch' is being applied, but at some point in the
>> build process the change is reverted.
>
> In the source, I see:
>
> $ find -name c_rehash\*
> ./tools/c_rehash
> ./tools/c_rehash.in
> ./doc/apps/c_rehash.pod
>
> Could it be that the unpatched one ends up being installed or something?

Indeed.  Fixed in caeadfd, though without #:allowed-references—it’ll be
more convenient to use #:disallowed-references when it’s implemented.

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-01  7:20     ` Leo Famulari
@ 2016-03-01 20:46       ` Ludovic Courtès
  2016-03-01 21:04         ` Leo Famulari
  0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 20:46 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 29 Feb 2016 19:24:20 -0500
> Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.

For some reason I hadn’t seen it in M-x debbugs-gnu for this report
today, but the patch looks good to me!

If we apply it now, it won’t trigger a rebuild (yay!), but will still
trigger a bunch of regrafting, which is slightly annoying.  What about
applying it in the next ‘security-updates’ branch?

Thanks!

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: bug#22831: OpenSSL should not depend on Perl
  2016-03-01  0:43       ` Leo Famulari
@ 2016-03-01 20:48         ` Ludovic Courtès
  0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 20:48 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Apologies for not replying earlier today.  I skipped guix-devel and
looked at things in Emacs debbugs this morning, but apparently some
messages didn’t show up.

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-01 20:46       ` Ludovic Courtès
@ 2016-03-01 21:04         ` Leo Famulari
  2016-03-02  8:42           ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 21:04 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22831

On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo@famulari.name>
> > Date: Mon, 29 Feb 2016 19:24:20 -0500
> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
> >
> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
> 
> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
> today, but the patch looks good to me!
> 
> If we apply it now, it won’t trigger a rebuild (yay!), but will still
> trigger a bunch of regrafting, which is slightly annoying.  What about
> applying it in the next ‘security-updates’ branch?

Sure. Is it okay if I create that branch?

> 
> Thanks!
> 
> Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-01 21:04         ` Leo Famulari
@ 2016-03-02  8:42           ` Ludovic Courtès
  2016-03-02 19:20             ` Leo Famulari
  0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-02  8:42 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
>> > From: Leo Famulari <leo@famulari.name>
>> > Date: Mon, 29 Feb 2016 19:24:20 -0500
>> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>> >
>> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>> 
>> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
>> today, but the patch looks good to me!
>> 
>> If we apply it now, it won’t trigger a rebuild (yay!), but will still
>> trigger a bunch of regrafting, which is slightly annoying.  What about
>> applying it in the next ‘security-updates’ branch?
>
> Sure. Is it okay if I create that branch?

Sure, no problem.

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-02  8:42           ` Ludovic Courtès
@ 2016-03-02 19:20             ` Leo Famulari
  2016-03-02 20:59               ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-02 19:20 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22831

On Wed, Mar 02, 2016 at 09:42:41AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari <leo@famulari.name> skribis:
> >> 
> >> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> >> > From: Leo Famulari <leo@famulari.name>
> >> > Date: Mon, 29 Feb 2016 19:24:20 -0500
> >> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
> >> >
> >> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
> >> 
> >> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
> >> today, but the patch looks good to me!
> >> 
> >> If we apply it now, it won’t trigger a rebuild (yay!), but will still
> >> trigger a bunch of regrafting, which is slightly annoying.  What about
> >> applying it in the next ‘security-updates’ branch?
> >
> > Sure. Is it okay if I create that branch?
> 
> Sure, no problem.

Since there was already a security-updates job started, how about
putting it on core-updates?

> 
> Thanks,
> Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
  2016-03-02 19:20             ` Leo Famulari
@ 2016-03-02 20:59               ` Ludovic Courtès
  0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-02 20:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> On Wed, Mar 02, 2016 at 09:42:41AM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
>> >> Leo Famulari <leo@famulari.name> skribis:
>> >> 
>> >> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
>> >> > From: Leo Famulari <leo@famulari.name>
>> >> > Date: Mon, 29 Feb 2016 19:24:20 -0500
>> >> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>> >> >
>> >> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>> >> 
>> >> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
>> >> today, but the patch looks good to me!
>> >> 
>> >> If we apply it now, it won’t trigger a rebuild (yay!), but will still
>> >> trigger a bunch of regrafting, which is slightly annoying.  What about
>> >> applying it in the next ‘security-updates’ branch?
>> >
>> > Sure. Is it okay if I create that branch?
>> 
>> Sure, no problem.
>
> Since there was already a security-updates job started, how about
> putting it on core-updates?

Dunno, what does Mark think?  Let’s check with Mark on IRC.  :-)

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL
  2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
  2016-02-28  1:10 ` Leo Famulari
  2016-03-01  0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
@ 2016-03-21  2:20 ` Leo Famulari
  2016-03-21  2:20   ` bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl Leo Famulari
  2 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-21  2:20 UTC (permalink / raw)
  To: 22831

Now that #:disallowed-references has been implemented (thanks Ludo!),
here it is applied to OpenSSL.

To core-updates?

Leo Famulari (1):
  gnu: openssl: Enforce non-reference to perl.

 gnu/packages/tls.scm | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.7.3

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
  2016-03-21  2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
@ 2016-03-21  2:20   ` Leo Famulari
  2016-03-21  9:29     ` Ludovic Courtès
  0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-21  2:20 UTC (permalink / raw)
  To: 22831

* gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
---
 gnu/packages/tls.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b6bf257..28d7947 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,6 +201,10 @@ required structures.")
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+      ;; so we explicitly disallow it here.
+      #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
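Review bot: the blocklist names only `(canonical-package perl)`; if the Perl actually used as the build's native input were ever a different package object than the canonical one, a reference to it would pass the check, so it is worth confirming that the two resolve to the same store item (or listing the native input itself). Unlike the earlier allowlist version, this fails only on Perl, which matches the stated intent, and the comment explains why.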
-- 
2.7.3

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
  2016-03-21  2:20   ` bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl Leo Famulari
@ 2016-03-21  9:29     ` Ludovic Courtès
  2016-03-21 16:23       ` Leo Famulari
  0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-21  9:29 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 22831

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.

Sounds good!  (And thanks for following commits closely.  ;-))

This should go to ‘core-updates’, but first, ‘master’ should be merged
in ‘core-updates’ so that #:disallowed-references is available.

Could you do that?

Thanks!

Ludo’.

^ permalink raw reply	[flat|nested] 24+ messages in thread

* bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
  2016-03-21  9:29     ` Ludovic Courtès
@ 2016-03-21 16:23       ` Leo Famulari
  0 siblings, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-21 16:23 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 22831

On Mon, Mar 21, 2016 at 10:29:51AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
> 
> Sounds good!  (And thanks for following commits closely.  ;-))
> 
> This should go to ‘core-updates’, but first, ‘master’ should be merged
> in ‘core-updates’ so that #:disallowed-references is available.
> 
> Could you do that?

Done!

^ permalink raw reply	[flat|nested] 24+ messages in thread
