From mboxrd@z Thu Jan  1 00:00:00 1970
From: Efraim Flashner <efraim@flashner.co.il>
Subject: Re: OpenSSL =?utf-8?B?4oCcRFJPV04=?= =?utf-8?B?4oCd?= vulnerability
	& grafts
Date: Wed, 2 Mar 2016 20:43:08 +0200
Message-ID: <20160302184308.GA11131@debian-netbook>
References: <87twkpnbk0.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33845)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1abBjx-0008UC-7o
	for guix-devel@gnu.org; Wed, 02 Mar 2016 13:43:18 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1abBjs-0005Om-OK
	for guix-devel@gnu.org; Wed, 02 Mar 2016 13:43:16 -0500
Content-Disposition: inline
In-Reply-To: <87twkpnbk0.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>


--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 01, 2016 at 10:16:47PM +0100, Ludovic Court=C3=A8s wrote:
> Hello!
>=20
> OpenSSL 1.0.2g was released today, fixing several serious security
> vulnerabilities, several of which are referred to as =E2=80=9CDROWN=E2=80=
=9D (as has
> become security-marketing tradition.)
>=20
> This gave a good incentive to fix the =E2=80=9Cgrafting=E2=80=9D mechanis=
m described at:
>=20
>   https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
>=20
> The problem was that until now, grafting was not recursive:
> <http://bugs.gnu.org/22139>.  This is fixed in c22a132, so we =E2=80=9Cru=
shed=E2=80=9D
> to use it in =E2=80=98master=E2=80=99 for the OpenSSL upgrade, which is d=
one in caeadfd.
>=20
> So now is the time to find out how well the new implementation scales
> and to address any limitations.  :-)
>=20
> A potentially disturbing thing with the new code is that it starts
> building/downloading things early, typically before it has written =E2=80=
=9CThe
> following derivations will be built=E2=80=9D; see
> <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D22139#13>.
>=20
> A limitation of the current implementation is that the replacement
> package must have exactly the same name and version as the package being
> replaced.  So OpenSSL 1.0.2g shows up as /gnu/store/=E2=80=A6-openssl-1.0=
=2E2f.
>=20
> The store file name of the old OpenSSL is given by:
>=20
>   guix build openssl --no-grafts
>=20
> =E2=80=A6 and the new one is given by:
>=20
>   guix build openssl
>=20
> For example, to verify which OpenSSL(s) your whole profile refers to,
> you can run:
>=20
>   guix gc -R $(readlink -f ~/.guix-profile) | grep openssl
>=20
> and check the store file names that you get (make sure to turn off
> guix-prettify-mode :-)).  Likewise for a GuixSD generation:
>=20
>   guix gc -R $(guix system build config.scm) | grep openssl
>=20
> And for running processes:
>=20
>   lsof | grep /gnu/store/.*openssl
>=20
> Seems like this tricks could go in the manual under =E2=80=9CSecurity Upd=
ates=E2=80=9D
> no?
>=20
> Feedback welcome!
>=20
> Ludo=E2=80=99.

BIG thanks for getting this working, its a great way to keep our systems
up and running while taking care of the security issues.

One issue that I noticed on my slow netbook is that `guix package -u`,
with no updates, now takes ~15 minutes, while before it was ~30 seconds.

--=20
Efraim Flashner   <efraim@flashner.co.il>   =D7=90=D7=A4=D7=A8=D7=99=D7=9D =
=D7=A4=D7=9C=D7=A9=D7=A0=D7=A8
GPG key =3D A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

--VS++wcV0S1rZb1Fb
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJW1zQ7AAoJEPTB05F+rO6T2acP/0wZRspuAatVWvGTtR+f6vLA
cSd404vFmOL16HMLj+pJRR1iFOgOszoA+O0ByN2ibPauwZD34iiX3i4+wN7i+jfv
qeivBZB77J72fqaGGwUAp6Q23vcbkeF23zef9rJuiZfdRgRBvXc7A3UKFFccCWPv
7vhZYtpysJAf6+Q9hDa1X6QBpz2V9bLNRVtEhbgIbeRnpq5DcjJRZbm5K0VtreDD
2tVOro20U1TvYo/FwIz1hQS8onX76t+aUdcwwHJe/eB92SaoiYeIK5syQf8wP7cJ
FgMLqgvh+o3uAzNrVU0zTj7Cb80nqLnpc2yuc6jdqFuvvtmEP5+ZVfniA8o/LL+i
0iN1yxliJaG5cuc2DBGwi0xhv5VsQYMEINZGGGviJFXEx/F2MUXxaBDb/Dw3JQB5
rwQbbJFC9sP5wFPffO9C1/m9bLJRWXXDhi/EvYUFI4M2dUC4QFwiNtaidGC7dswx
u5a2Ix0z6DBzDzJzNM+7/OAeHTSET0Rfz4Pk4crLyV9qGwe0NdVNUpP2iqIK14SQ
pR5hcyOjCgXrSggFNiJPVRMvXiDeclru34jGtpjL0fMB9srMepnygvIzuY1IC3qz
eyp4sBlG/9H24uEftU8ssk7qEFp7S59Ad3XGQGWu0/7WsIE3ev7ObzS8Y7V80eYR
GNtQinmKiyDwpfRllvQE
=6ZjN
-----END PGP SIGNATURE-----

--VS++wcV0S1rZb1Fb--