* bug#22831: OpenSSL should not depend on Perl
@ 2016-02-27 17:05 Ludovic Courtès
2016-02-28 1:10 ` Leo Famulari
` (2 more replies)
0 siblings, 3 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-02-27 17:05 UTC (permalink / raw)
To: 22831
Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
but one of the subsequent upgrades broke it:
--8<---------------cut here---------------start------------->8---
$ guix build perl
/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1
$ grep -r x2p2biyybcb2wac77qz9468asc5fm48i $(guix build openssl)
/gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f/bin/c_rehash:#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl
--8<---------------cut here---------------end--------------->8---
Somehow ‘openssl-c-rehash.patch’ seems to no longer have the desired
effect.
Ludo’.
^ permalink raw reply [flat|nested] 24+ messages in thread
* bug#22831: OpenSSL should not depend on Perl
2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
@ 2016-02-28 1:10 ` Leo Famulari
2016-02-28 13:35 ` Ludovic Courtès
2016-02-28 13:37 ` Ludovic Courtès
2016-03-01 0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
2016-03-21 2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
2 siblings, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-02-28 1:10 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 22831
On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> but one of the subsequent upgrades broke it:
Bisecting, I narrowed it down to:
86c8f1daf8ed10f13f2b1e973a28845629b8ce47
(gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
I'll get the openssl sources corresponding to the good and bad commits
and try to figure out what changed that pulled perl back in.
>
> --8<---------------cut here---------------start------------->8---
> $ guix build perl
> /gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1
> $ grep -r x2p2biyybcb2wac77qz9468asc5fm48i $(guix build openssl)
> /gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f/bin/c_rehash:#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl
> --8<---------------cut here---------------end--------------->8---
>
> Somehow ‘openssl-c-rehash.patch’ seems to no longer have the desired
> effect.
>
> Ludo’.
>
>
>
* bug#22831: OpenSSL should not depend on Perl
2016-02-28 1:10 ` Leo Famulari
@ 2016-02-28 13:35 ` Ludovic Courtès
2016-02-29 8:47 ` Leo Famulari
2016-02-28 13:37 ` Ludovic Courtès
1 sibling, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-02-28 13:35 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> but one of the subsequent upgrades broke it:
>
> Bisecting, I narrowed it down to:
> 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>
> I'll get the openssl sources corresponding to the good and bad commits
> and try to figure out what changed that pulled perl back in.
Awesome. Hopefully we can apply the fix when we upgrade OpenSSL this
Tuesday.
Thanks,
Ludo’.
* bug#22831: OpenSSL should not depend on Perl
2016-02-28 1:10 ` Leo Famulari
2016-02-28 13:35 ` Ludovic Courtès
@ 2016-02-28 13:37 ` Ludovic Courtès
2016-02-29 8:48 ` Leo Famulari
1 sibling, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-02-28 13:37 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> but one of the subsequent upgrades broke it:
>
> Bisecting, I narrowed it down to:
> 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>
> I'll get the openssl sources corresponding to the good and bad commits
> and try to figure out what changed that pulled perl back in.
Also we should add something like:
#:allowed-references (list (canonical-package glibc)
                           (list (canonical-package gcc) "lib")
                           "out")
to avoid regressions.
(A case where #:disallowed-references would be more convenient, but it’s
not yet implemented. :-))
Ludo’.
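The check Ludo runs by hand at the top of the thread (grep the output for perl's store hash) and the #:allowed-references policy proposed in this message are the same idea at two levels of automation: scan every file in the build output for /gnu/store paths, then compare what is found against a policy. As an added illustration, not code from Guix or from anyone in this thread, here is a Python version of that reference scan with both an allow-list check (the #:allowed-references shape) and a deny-list check (the #:disallowed-references shape Ludo wishes for). The perl and openssl item names are the ones quoted in the bug report and are used only as strings; the glibc and gcc:lib item names and the whole sample output tree are constructed for the example.

```python
"""Scan a build output for /gnu/store references and enforce an allow-list
or a deny-list over them, mirroring what Guix's #:allowed-references and
#:disallowed-references do when a build finishes.  Added example; assumes
nothing about Guix's own implementation."""
import os
import re
import tempfile
from pathlib import Path

# A store item is /gnu/store/<32 nix-base32 chars>-<name>.  The nix-base32
# alphabet omits e, o, t and u, hence the odd character class.
STORE_RE = re.compile(rb"/gnu/store/([0-9a-df-np-sv-z]{32})-([0-9A-Za-z+._-]+)")

# Item names quoted in the bug report (used here only as strings).
PERL = "x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1"
OPENSSL = "qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f"
# Constructed placeholder items standing in for glibc and gcc:lib.
GLIBC = "0" * 32 + "-glibc"
GCC_LIB = "1" * 32 + "-gcc-lib"


def scan_references(root):
    """Return {store item name: sorted list of files that reference it}.

    Regular files are read as bytes, so shebangs, RUNPATHs and paths baked
    into .pc files all show up as the literal store path; symlinks
    contribute their target string.
    """
    root = Path(root)
    refs = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            data = os.readlink(path).encode()
        elif path.is_file():
            data = path.read_bytes()
        else:
            continue
        for m in STORE_RE.finditer(data):
            item = (m.group(1) + b"-" + m.group(2)).decode()
            refs.setdefault(item, []).append(str(path.relative_to(root)))
    return refs


def check_references(refs, self_item, allowed=None, disallowed=None):
    """Return the sorted list of offending store items.

    allowed:    every referenced item must be listed here or be the output
                itself (the "out" entry in Ludo's snippet); anything else is
                a violation.  Exhaustive, so a new legitimate dependency
                also fails.
    disallowed: referencing any listed item is a violation; everything else
                passes unnoticed.
    Exactly one policy applies per call.
    """
    if (allowed is None) == (disallowed is None):
        raise ValueError("give exactly one of allowed= or disallowed=")
    referenced = set(refs) - {self_item}
    if allowed is not None:
        return sorted(referenced - set(allowed))
    return sorted(referenced & set(disallowed))


def build_sample_output(root):
    """Write a constructed OpenSSL-like output tree under root."""
    root = Path(root)
    (root / "bin").mkdir(parents=True)
    (root / "lib").mkdir()
    # The shebang the bug report's grep found in bin/c_rehash.
    (root / "bin" / "c_rehash").write_text(
        f"#!/gnu/store/{PERL}/bin/perl\n# Perl c_rehash script\n")
    # A fake shared object: an ELF magic, padding and a RUNPATH-like string.
    runpath = f"/gnu/store/{GLIBC}/lib:/gnu/store/{GCC_LIB}/lib".encode()
    (root / "lib" / "libssl.so").write_bytes(b"\x7fELF" + b"\0" * 8 + runpath + b"\0")
    # A self-reference, which neither policy should flag.
    (root / "lib" / "openssl.pc").write_text(f"prefix=/gnu/store/{OPENSSL}\n")


def demo():
    """Scan the constructed tree under both policies and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_output(tmp)
        refs = scan_references(tmp)
        allow = check_references(refs, OPENSSL, allowed=[GLIBC, GCC_LIB])
        deny = check_references(refs, OPENSSL, disallowed=[PERL])
        perl_in = refs.get(PERL, [])
    return {"referenced": sorted(refs), "perl_found_in": perl_in,
            "allow_list_violations": allow, "deny_list_violations": deny}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both policies flag the perl reference in bin/c_rehash and ignore the output's reference to itself; the difference shows up on the next dependency that gets added: the allow-list rejects it until someone lists it, the deny-list lets it through silently. That is exactly the convenience trade-off Ludo mentions, and why the reference check pays for itself best when it runs on every build rather than when someone remembers to grep.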
* bug#22831: OpenSSL should not depend on Perl
2016-02-28 13:35 ` Ludovic Courtès
@ 2016-02-29 8:47 ` Leo Famulari
2016-03-01 13:38 ` Ludovic Courtès
0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-02-29 8:47 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 22831
On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> >> but one of the subsequent upgrades broke it:
> >
> > Bisecting, I narrowed it down to:
> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> >
> > I'll get the openssl sources corresponding to the good and bad commits
> > and try to figure out what changed that pulled perl back in.
>
> Awesome. Hopefully we can apply the fix when we upgrade OpenSSL this
> Tuesday.
'openssl-c-rehash.patch' is being applied, but at some point in the
build process the change is reverted.
I haven't figured out why yet. Ludo is right, it would be really good to
only change our OpenSSL package one day this week.
So, I'm asking for help with this problem!
I will spend some time on it tomorrow, but I really don't have any
promising leads. My plan is to step through the build process and learn
when the shebang is recreated. Hopefully then I will get some
inspiration.
I suppose a nasty short term fix would be to patch the file after
installing it. I will submit that patch if it seems there is no other
option in time for the security update.
* bug#22831: OpenSSL should not depend on Perl
2016-02-28 13:37 ` Ludovic Courtès
@ 2016-02-29 8:48 ` Leo Famulari
2016-03-01 0:43 ` Leo Famulari
0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-02-29 8:48 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 22831
On Sun, Feb 28, 2016 at 02:37:54PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> >> but one of the subsequent upgrades broke it:
> >
> > Bisecting, I narrowed it down to:
> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> >
> > I'll get the openssl sources corresponding to the good and bad commits
> > and try to figure out what changed that pulled perl back in.
>
> Also we should add something like:
>
> #:allowed-references (list (canonical-package glibc)
>                            (list (canonical-package gcc) "lib")
>                            "out")
>
> to avoid regressions.
Okay, good idea.
>
> (A case where #:disallowed-references would be more convenient, but it’s
> not yet implemented. :-))
>
> Ludo’.
* bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency
2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
2016-02-28 1:10 ` Leo Famulari
@ 2016-03-01 0:39 ` Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
2016-03-21 2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
2 siblings, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 0:39 UTC (permalink / raw)
To: 22831
Patch 1/2 updates the patch we use to keep Perl from becoming a
registered run-time dependency of OpenSSL.
Patch 2/2 is an attempt to use #:allowed-references to prevent
Perl from sneaking back in again. Unfortunately, it fails when gcc is an
allowed reference. It "works" when gcc is not in the list. Here's the
backtrace:
Backtrace:
In ice-9/boot-9.scm:
157: 19 [catch system-error #<procedure 1fc8930 at ice-9/eval.scm:416:20 ()> ...]
In ice-9/eval.scm:
481: 18 [lp (#<fluid 1>) (absolute)]
411: 17 [eval # #]
481: 16 [lp (#<fluid 32>) (#t)]
In srfi/srfi-1.scm:
646: 15 [append-map #<procedure 1fca0c0 at ice-9/eval.scm:416:20 (a)> (#)]
578: 14 [map #<procedure 1fca0c0 at ice-9/eval.scm:416:20 (a)> (#)]
In ice-9/eval.scm:
387: 13 [eval # #]
411: 12 [eval # #]
In ice-9/r4rs.scm:
39: 11 [call-with-values #<procedure 5e8f960 at ice-9/eval.scm:416:20 ()> ...]
In ice-9/eval.scm:
411: 10 [eval # #]
481: 9 [lp (#<fluid 24> #<fluid 25>) ("x86_64-linux" #f)]
481: 8 [lp (#<fluid 25>) (#f)]
411: 7 [eval # #]
387: 6 [eval # #]
387: 5 [eval # #]
387: 4 [eval # #]
387: 3 [eval # #]
387: 2 [eval # #]
393: 1 [eval # #]
In unknown file:
?: 0 [memoize-variable-access! #<memoized gcc> #<directory # 41083f0>]
ERROR: In procedure memoize-variable-access!:
ERROR: Unbound variable: gcc
Leo Famulari (2):
gnu: openssl: Remove run-time dependency on Perl.
WIP: gnu: openssl: Restrict allowed references for openssl.
gnu/packages/patches/openssl-c-rehash.patch | 14 ++++++++++++++
gnu/packages/tls.scm | 7 +++++++
2 files changed, 21 insertions(+)
--
2.7.1
* bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl.
2016-03-01 0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
@ 2016-03-01 0:39 ` Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
1 sibling, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 0:39 UTC (permalink / raw)
To: 22831
Fixes <http://bugs.gnu.org/22831>.
* gnu/packages/patches/openssl-c-rehash.patch: Update patch to also replace the
shebang of 'c_rehash.in'.
---
gnu/packages/patches/openssl-c-rehash.patch | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/gnu/packages/patches/openssl-c-rehash.patch b/gnu/packages/patches/openssl-c-rehash.patch
index f873a9a..62cf662 100644
--- a/gnu/packages/patches/openssl-c-rehash.patch
+++ b/gnu/packages/patches/openssl-c-rehash.patch
@@ -15,3 +15,17 @@ package.
# Perl c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index b086ff9..5908a97 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,6 @@
+-#!/usr/local/bin/perl
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++ & eval 'exec perl -wS "$0" $argv:q'
++ if 0;
+
+ # Perl c_rehash script, scan all files in a directory
+ # and add symbolic links to their hash values.
+
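Review bot: the added diff section swaps the absolute `#!/usr/local/bin/perl` shebang in tools/c_rehash.in for the `eval 'exec perl -wS "$0" ${1+"$@"}'` trampoline, so the installed script locates perl through PATH at run time instead of carrying a store path; that keeps the perl hash out of the output, which is what the `grep -r` in the report checks, but it also means bin/c_rehash silently depends on whatever perl is on the caller's PATH, and the patch header should say so (the context lines only describe the script). Since the source tree ships both tools/c_rehash and tools/c_rehash.in, it is also worth confirming which of the two the install step copies to bin/c_rehash: if the pre-generated one is installed unpatched, the shebang comes back exactly as the report shows.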
--
2.7.1
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-01 0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl Leo Famulari
@ 2016-03-01 0:39 ` Leo Famulari
2016-03-01 7:18 ` Leo Famulari
2016-03-01 7:20 ` Leo Famulari
1 sibling, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 0:39 UTC (permalink / raw)
To: 22831
* gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
---
gnu/packages/tls.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 57f0ca1..5990413 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,13 @@ required structures.")
`(#:parallel-build? #f
#:parallel-tests? #f
#:test-target "test"
+
+ ;; Perl is required at build-time, but ideally not at run-time.
+ ;; OpenSSL updates tend to pull it back in. This prevents that.
+
+ #:allowed-references ,(list (canonical-package glibc)
+ (list (canonical-package gcc) "lib")
+ "out")
#:phases
(modify-phases %standard-phases
(add-before
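Review bot: `gcc` is referenced by `(canonical-package gcc)` but nothing in this hunk, and nothing else in the patch (it touches only this region of tls.scm), brings it into scope; that is the `Unbound variable: gcc` the cover letter's backtrace ends with, and it needs a `#:use-module (gnu packages gcc)` in the module header. Separately, the comment says this "prevents" Perl from coming back, but #:allowed-references is an allow-list: any reference outside glibc, gcc:lib and the output itself fails the build, including a legitimate dependency added later, so the comment should state that trade-off, or the patch should wait for the #:disallowed-references keyword mentioned earlier in the thread.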
--
2.7.1
* Re: bug#22831: OpenSSL should not depend on Perl
2016-02-29 8:48 ` Leo Famulari
@ 2016-03-01 0:43 ` Leo Famulari
2016-03-01 20:48 ` Ludovic Courtès
0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 0:43 UTC (permalink / raw)
To: guix-devel
On Mon, Feb 29, 2016 at 03:48:15AM -0500, Leo Famulari wrote:
> On Sun, Feb 28, 2016 at 02:37:54PM +0100, Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> >
> > > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> > >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> > >> but one of the subsequent upgrades broke it:
> > >
> > > Bisecting, I narrowed it down to:
> > > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> > >
> > > I'll get the openssl sources corresponding to the good and bad commits
> > > and try to figure out what changed that pulled perl back in.
> >
> > Also we should add something like:
> >
> > #:allowed-references (list (canonical-package glibc)
> >                            (list (canonical-package gcc) "lib")
> >                            "out")
> >
> > to avoid regressions.
>
> Okay, good idea.
Normally I wouldn't forward mail from bug-guix to guix-devel. I need
help with a patch addressing a bug that I'd like to see fixed alongside
tomorrow's OpenSSL update, so I'm trying to increase the exposure.
I need help setting up #:allowed-references:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22831#23
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-01 0:39 ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
@ 2016-03-01 7:18 ` Leo Famulari
2016-03-01 7:20 ` Leo Famulari
1 sibling, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 7:18 UTC (permalink / raw)
To: 22831
On Mon, Feb 29, 2016 at 07:39:53PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
I realized that it would work if I imported (gnu packages gcc) when
defining the tls module. I don't know if that's the right approach or
not, but the output now refers only to glibc, gcc:lib, and itself.
> ---
> gnu/packages/tls.scm | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 57f0ca1..5990413 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -200,6 +200,13 @@ required structures.")
> `(#:parallel-build? #f
> #:parallel-tests? #f
> #:test-target "test"
> +
> + ;; Perl is required at build-time, but ideally not at run-time.
> + ;; OpenSSL updates tend to pull it back in. This prevents that.
> +
> + #:allowed-references ,(list (canonical-package glibc)
> + (list (canonical-package gcc) "lib")
> + "out")
> #:phases
> (modify-phases %standard-phases
> (add-before
> --
> 2.7.1
>
>
>
>
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-01 0:39 ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
2016-03-01 7:18 ` Leo Famulari
@ 2016-03-01 7:20 ` Leo Famulari
2016-03-01 20:46 ` Ludovic Courtès
1 sibling, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 7:20 UTC (permalink / raw)
To: 22831
On Mon, Feb 29, 2016 at 07:39:53PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
Working patch attached.
[-- Attachment #2: 0001-gnu-openssl-Restrict-allowed-references-for-openssl.patch --]
[-- Type: text/x-diff, Size: 1312 bytes --]
From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 29 Feb 2016 19:24:20 -0500
Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
* gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
---
gnu/packages/tls.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 90971f2..8c72f3b 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -32,6 +32,7 @@
#:use-module (guix build-system python)
#:use-module (gnu packages compression)
#:use-module (gnu packages)
+ #:use-module (gnu packages gcc)
#:use-module (gnu packages guile)
#:use-module (gnu packages libffi)
#:use-module (gnu packages libidn)
@@ -200,6 +201,12 @@ required structures.")
`(#:parallel-build? #f
#:parallel-tests? #f
#:test-target "test"
+
+ ;; We want to limit what the output of this derivation refers to.
+ ;; Specifically, we don't want it to refer to Perl.
+ #:allowed-references ,(list (canonical-package glibc)
+ (list (canonical-package gcc) "lib")
+ "out")
#:phases
(modify-phases %standard-phases
(add-before
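Review bot: with the `(gnu packages gcc)` import in the first hunk the unbound variable is gone and the comment now states the intent, but the commit message should spell out the consequence of an exhaustive allow-list: every reference beyond glibc, gcc:lib and "out" will fail the OpenSSL build, so anyone adding a dependency to this package later must also extend this list, and a regression in a future upgrade surfaces as a failed build rather than as a grown closure. That is acceptable for a package this central, but it is also the reason the thread ends up preferring #:disallowed-references, which only names what must not appear.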
--
2.7.1
* bug#22831: OpenSSL should not depend on Perl
2016-02-29 8:47 ` Leo Famulari
@ 2016-03-01 13:38 ` Ludovic Courtès
2016-03-01 17:24 ` Ludovic Courtès
0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 13:38 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>>
>> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> >> but one of the subsequent upgrades broke it:
>> >
>> > Bisecting, I narrowed it down to:
>> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
>> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>> >
>> > I'll get the openssl sources corresponding to the good and bad commits
>> > and try to figure out what changed that pulled perl back in.
>>
>> Awesome. Hopefully we can apply the fix when we upgrade OpenSSL this
>> Tuesday.
>
> 'openssl-c-rehash.patch' is being applied, but at some point in the
> build process the change is reverted.
In the source, I see:
--8<---------------cut here---------------start------------->8---
$ find -name c_rehash\*
./tools/c_rehash
./tools/c_rehash.in
./doc/apps/c_rehash.pod
--8<---------------cut here---------------end--------------->8---
Could it be that the unpatched one ends up being installed or something?
Ludo’.
* bug#22831: OpenSSL should not depend on Perl
2016-03-01 13:38 ` Ludovic Courtès
@ 2016-03-01 17:24 ` Ludovic Courtès
0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 17:24 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831-done
ludo@gnu.org (Ludovic Courtès) skribis:
> Leo Famulari <leo@famulari.name> skribis:
>
>> On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
>>> Leo Famulari <leo@famulari.name> skribis:
>>>
>>> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>>> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>>> >> but one of the subsequent upgrades broke it:
>>> >
>>> > Bisecting, I narrowed it down to:
>>> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
>>> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>>> >
>>> > I'll get the openssl sources corresponding to the good and bad commits
>>> > and try to figure out what changed that pulled perl back in.
>>>
>>> Awesome. Hopefully we can apply the fix when we upgrade OpenSSL this
>>> Tuesday.
>>
>> 'openssl-c-rehash.patch' is being applied, but at some point in the
>> build process the change is reverted.
>
> In the source, I see:
>
> $ find -name c_rehash\*
> ./tools/c_rehash
> ./tools/c_rehash.in
> ./doc/apps/c_rehash.pod
>
> Could it be that the unpatched one ends up being installed or something?
Indeed. Fixed in caeadfd, though without #:allowed-references—it’ll be
more convenient to use #:disallowed-references when it’s implemented.
Ludo’.
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-01 7:20 ` Leo Famulari
@ 2016-03-01 20:46 ` Ludovic Courtès
2016-03-01 21:04 ` Leo Famulari
0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 20:46 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 29 Feb 2016 19:24:20 -0500
> Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
For some reason I hadn’t seen it in M-x debbugs-gnu for this report
today, but the patch looks good to me!
If we apply it now, it won’t trigger a rebuild (yay!), but will still
trigger a bunch of regrafting, which is slightly annoying. What about
applying it in the next ‘security-updates’ branch?
Thanks!
Ludo’.
* Re: bug#22831: OpenSSL should not depend on Perl
2016-03-01 0:43 ` Leo Famulari
@ 2016-03-01 20:48 ` Ludovic Courtès
0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-01 20:48 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Apologies for not replying earlier today. I skipped guix-devel and
looked at things in Emacs debbugs this morning, but apparently some
messages didn’t show up.
Ludo’.
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-01 20:46 ` Ludovic Courtès
@ 2016-03-01 21:04 ` Leo Famulari
2016-03-02 8:42 ` Ludovic Courtès
0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-01 21:04 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 22831
On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo@famulari.name>
> > Date: Mon, 29 Feb 2016 19:24:20 -0500
> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
> >
> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>
> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
> today, but the patch looks good to me!
>
> If we apply it now, it won’t trigger a rebuild (yay!), but will still
> trigger a bunch of regrafting, which is slightly annoying. What about
> applying it in the next ‘security-updates’ branch?
Sure. Is it okay if I create that branch?
>
> Thanks!
>
> Ludo’.
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-01 21:04 ` Leo Famulari
@ 2016-03-02 8:42 ` Ludovic Courtès
2016-03-02 19:20 ` Leo Famulari
0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-02 8:42 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>>
>> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
>> > From: Leo Famulari <leo@famulari.name>
>> > Date: Mon, 29 Feb 2016 19:24:20 -0500
>> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>> >
>> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>>
>> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
>> today, but the patch looks good to me!
>>
>> If we apply it now, it won’t trigger a rebuild (yay!), but will still
>> trigger a bunch of regrafting, which is slightly annoying. What about
>> applying it in the next ‘security-updates’ branch?
>
> Sure. Is it okay if I create that branch?
Sure, no problem.
Thanks,
Ludo’.
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-02 8:42 ` Ludovic Courtès
@ 2016-03-02 19:20 ` Leo Famulari
2016-03-02 20:59 ` Ludovic Courtès
0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-02 19:20 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 22831
On Wed, Mar 02, 2016 at 09:42:41AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari <leo@famulari.name> skribis:
> >>
> >> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> >> > From: Leo Famulari <leo@famulari.name>
> >> > Date: Mon, 29 Feb 2016 19:24:20 -0500
> >> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
> >> >
> >> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
> >>
> >> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
> >> today, but the patch looks good to me!
> >>
> >> If we apply it now, it won’t trigger a rebuild (yay!), but will still
> >> trigger a bunch of regrafting, which is slightly annoying. What about
> >> applying it in the next ‘security-updates’ branch?
> >
> > Sure. Is it okay if I create that branch?
>
> Sure, no problem.
Since there was already a security-updates job started, how about
putting on core-updates?
>
> Thanks,
> Ludo’.
* bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl.
2016-03-02 19:20 ` Leo Famulari
@ 2016-03-02 20:59 ` Ludovic Courtès
0 siblings, 0 replies; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-02 20:59 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> On Wed, Mar 02, 2016 at 09:42:41AM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>>
>> > On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
>> >> Leo Famulari <leo@famulari.name> skribis:
>> >>
>> >> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
>> >> > From: Leo Famulari <leo@famulari.name>
>> >> > Date: Mon, 29 Feb 2016 19:24:20 -0500
>> >> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>> >> >
>> >> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>> >>
>> >> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
>> >> today, but the patch looks good to me!
>> >>
>> >> If we apply it now, it won’t trigger a rebuild (yay!), but will still
>> >> trigger a bunch of regrafting, which is slightly annoying. What about
>> >> applying it in the next ‘security-updates’ branch?
>> >
>> > Sure. Is it okay if I create that branch?
>>
>> Sure, no problem.
>
> Since there was already a security-updates job started, how about
> putting on core-updates?
Dunno, what does Mark think? Let’s check with Mark on IRC. :-)
Ludo’.
* bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL
2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
2016-02-28 1:10 ` Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
@ 2016-03-21 2:20 ` Leo Famulari
2016-03-21 2:20 ` bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl Leo Famulari
2 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-21 2:20 UTC (permalink / raw)
To: 22831
Now that #:disallowed-references has been implemented (thanks Ludo!),
here it is applied to OpenSSL.
To core-updates?
Leo Famulari (1):
gnu: openssl: Enforce non-reference to perl.
gnu/packages/tls.scm | 4 ++++
1 file changed, 4 insertions(+)
--
2.7.3
* bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
2016-03-21 2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
@ 2016-03-21 2:20 ` Leo Famulari
2016-03-21 9:29 ` Ludovic Courtès
0 siblings, 1 reply; 24+ messages in thread
From: Leo Famulari @ 2016-03-21 2:20 UTC (permalink / raw)
To: 22831
* gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
---
gnu/packages/tls.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b6bf257..28d7947 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,6 +201,10 @@ required structures.")
`(#:parallel-build? #f
#:parallel-tests? #f
#:test-target "test"
+
+ ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+ ;; so we explicitly disallow it here.
+ #:disallowed-references ,(list (canonical-package perl))
#:phases
(modify-phases %standard-phases
(add-before
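Review bot: `(canonical-package perl)` needs `perl` in scope; the hunk does not show the module header, but the earlier WIP hunk's comment says Perl is already a build-time input of this package, so the import is presumably present and the remaining gap is documentation: the commit message should carry the `Fixes <http://bugs.gnu.org/22831>` line that patch 1/2 had, so the report is closed when this lands on core-updates. The comment could also note the converse of the allow-list's cost: this deny-list guards only perl, so a different unwanted run-time dependency would still pass unnoticed, and it should be extended if another one shows up in the closure.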
--
2.7.3
* bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
2016-03-21 2:20 ` bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl Leo Famulari
@ 2016-03-21 9:29 ` Ludovic Courtès
2016-03-21 16:23 ` Leo Famulari
0 siblings, 1 reply; 24+ messages in thread
From: Ludovic Courtès @ 2016-03-21 9:29 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22831
Leo Famulari <leo@famulari.name> skribis:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
Sounds good! (And thanks for following commits closely. ;-))
This should go to ‘core-updates’, but first, ‘master’ should be merged
in ‘core-updates’ so that #:disallowed-references is available.
Could you do that?
Thanks!
Ludo’.
* bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
2016-03-21 9:29 ` Ludovic Courtès
@ 2016-03-21 16:23 ` Leo Famulari
0 siblings, 0 replies; 24+ messages in thread
From: Leo Famulari @ 2016-03-21 16:23 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 22831
On Mon, Mar 21, 2016 at 10:29:51AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
>
> Sounds good! (And thanks for following commits closely. ;-))
>
> This should go to ‘core-updates’, but first, ‘master’ should be merged
> in ‘core-updates’ so that #:disallowed-references is available.
>
> Could you do that?
Done!
Thread overview: 24+ messages
2016-02-27 17:05 bug#22831: OpenSSL should not depend on Perl Ludovic Courtès
2016-02-28 1:10 ` Leo Famulari
2016-02-28 13:35 ` Ludovic Courtès
2016-02-29 8:47 ` Leo Famulari
2016-03-01 13:38 ` Ludovic Courtès
2016-03-01 17:24 ` Ludovic Courtès
2016-02-28 13:37 ` Ludovic Courtès
2016-02-29 8:48 ` Leo Famulari
2016-03-01 0:43 ` Leo Famulari
2016-03-01 20:48 ` Ludovic Courtès
2016-03-01 0:39 ` bug#22831: [PATCH 0/2] OpenSSL / Perl run-time dependency Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl Leo Famulari
2016-03-01 0:39 ` bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for openssl Leo Famulari
2016-03-01 7:18 ` Leo Famulari
2016-03-01 7:20 ` Leo Famulari
2016-03-01 20:46 ` Ludovic Courtès
2016-03-01 21:04 ` Leo Famulari
2016-03-02 8:42 ` Ludovic Courtès
2016-03-02 19:20 ` Leo Famulari
2016-03-02 20:59 ` Ludovic Courtès
2016-03-21 2:20 ` bug#22831: [PATCH 0/1] Disallow reference to Perl from OpenSSL Leo Famulari
2016-03-21 2:20 ` bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl Leo Famulari
2016-03-21 9:29 ` Ludovic Courtès
2016-03-21 16:23 ` Leo Famulari