all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Efraim Flashner <efraim@flashner.co.il>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: OpenSSL “DROWN” vulnerability & grafts
Date: Wed, 2 Mar 2016 20:43:08 +0200	[thread overview]
Message-ID: <20160302184308.GA11131@debian-netbook> (raw)
In-Reply-To: <87twkpnbk0.fsf@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 2490 bytes --]

On Tue, Mar 01, 2016 at 10:16:47PM +0100, Ludovic Courtès wrote:
> Hello!
> 
> OpenSSL 1.0.2g was released today, fixing several serious security
> vulnerabilities, several of which are referred to as “DROWN” (as has
> become security-marketing tradition.)
> 
> This gave a good incentive to fix the “grafting” mechanism described at:
> 
>   https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
> 
> The problem was that until now, grafting was not recursive:
> <http://bugs.gnu.org/22139>.  This is fixed in c22a132, so we “rushed”
> to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd.
> 
> So now is the time to find out how well the new implementation scales
> and to address any limitations.  :-)
> 
> A potentially disturbing thing with the new code is that it starts
> building/downloading things early, typically before it has written “The
> following derivations will be built”; see
> <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#13>.
> 
> A limitation of the current implementation is that the replacement
> package must have exactly the same name and version as the package being
> replaced.  So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f.
> 
> The store file name of the old OpenSSL is given by:
> 
>   guix build openssl --no-grafts
> 
> … and the new one is given by:
> 
>   guix build openssl
> 
> For example, to verify which OpenSSL(s) your whole profile refers to,
> you can run:
> 
>   guix gc -R $(readlink -f ~/.guix-profile) | grep openssl
> 
> and check the store file names that you get (make sure to turn off
> guix-prettify-mode :-)).  Likewise for a GuixSD generation:
> 
>   guix gc -R $(guix system build config.scm) | grep openssl
> 
> And for running processes:
> 
>   lsof | grep /gnu/store/.*openssl
> 
> Seems like this tricks could go in the manual under “Security Updates”
> no?
> 
> Feedback welcome!
> 
> Ludo’.

BIG thanks for getting this working, its a great way to keep our systems
up and running while taking care of the security issues.

One issue that I noticed on my slow netbook is that `guix package -u`,
with no updates, now takes ~15 minutes, while before it was ~30 seconds.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

  parent reply	other threads:[~2016-03-02 18:43 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-01 21:16 OpenSSL “DROWN” vulnerability & grafts Ludovic Courtès
2016-03-01 21:50 ` Christopher Allan Webber
2016-03-02 16:28 ` Ludovic Courtès
2016-03-02 17:47   ` Mathieu Lirzin
2016-03-02 18:00   ` Chris Marusich
2016-03-02 18:43 ` Efraim Flashner [this message]
2016-03-02 21:36   ` Ludovic Courtès
2016-03-03  6:45     ` Efraim Flashner
2016-03-04 23:24       ` Ludovic Courtès
2016-03-05 19:07         ` Efraim Flashner
2016-03-05 21:51           ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160302184308.GA11131@debian-netbook \
    --to=efraim@flashner.co.il \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.