From: Leo Famulari
To: Efraim Flashner
Cc: 27943@debbugs.gnu.org
Subject: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 18:12:20 -0500
Message-ID: <20171130231220.GA908@jasmine.lan>
In-Reply-To: <20171130214901.GA19582@macbook41>

> On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
> > I thought about it, but since it’s an unusual case, what about adding a
> > special property to packages instead?  You’d write:
> >
> >   (package
> >     ;; …
> >     (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
> >
> > ‘guix lint’ would honor this property, and that would address both cases
> > like this and situations where a CVE is known to no longer apply, as is
> > the case with unversioned CVEs¹.
> >
> > Thoughts?

I'd rather the property's name more clearly reflect that it doesn't
actually fix the vulnerability, but just prevents the linter from
complaining about it.

Someone who sees this property used in a package could reasonably assume
that it's required to list all fixed CVEs in a 'fixed-vulnerabilities'
list, and that it is the "single source of truth" for which bugs apply
to a package. But, it would not actually have anything to do with that,
just being a way to silence the linter.

However, I can't think of a good idea for another name...

On Thu, Nov 30, 2017 at 11:49:01PM +0200, Efraim Flashner wrote:
> I like that idea. It also allows us to mitigate a CVE without needing to
> specifically add a patch. I've attached my first attempt at implementing
> it.

I think of `guix lint -c cve` as one of many tools for discovering
important problems in our packages, but I don't think that we must
absolutely silence the linter. It's always going to be imprecise, with
both false negative and positive results.
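Added example, not part of the original message and not Guix's own code: a plain Guile sketch of a CVE lint check that treats the proposed `fixed-vulnerabilities` property purely as a filter on lint output, which is the behaviour the naming concern in this message is about. The alist package model, `patched-cves`, `lint-cve` and all sample data are assumptions constructed for illustration; the stale-entry list goes slightly beyond what the thread proposes.

```scheme
;; Constructed sketch: no Guix modules are used, only Guile and SRFI-1.
(use-modules (srfi srfi-1))

;; Constructed stand-in for a package: a name, the CVE ids its patches
;; address (hypothetical field), and a 'properties' alist as in the thread.
(define sample-package
  '((name . "example")
    (patched-cves . ("CVE-123-4569"))
    (properties . ((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568")))))

;; Constructed stand-in for the ids a CVE database lookup matched
;; against the package's name and version.
(define sample-matches
  '("CVE-123-4567" "CVE-123-4569" "CVE-123-4570"))

(define (package-suppressed-cves package)
  ;; The property value is the tail of the
  ;; (fixed-vulnerabilities id ...) entry; '() when it is absent.
  (or (assq-ref (or (assq-ref package 'properties) '())
                'fixed-vulnerabilities)
      '()))

(define (lint-cve package matches)
  ;; Return three lists:
  ;;   1. ids the linter still reports,
  ;;   2. ids hidden only because the property lists them,
  ;;   3. property entries that matched nothing (stale suppressions).
  ;; The property never changes which ids count as patched.
  (let* ((patched    (or (assq-ref package 'patched-cves) '()))
         (suppressed (package-suppressed-cves package))
         (unpatched  (lset-difference string=? matches patched)))
    (values (lset-difference string=? unpatched suppressed)
            (lset-intersection string=? unpatched suppressed)
            (lset-difference string=? suppressed matches))))

(call-with-values
    (lambda () (lint-cve sample-package sample-matches))
  (lambda (reported hidden stale)
    (format #t "reported: ~s~%" reported)
    (format #t "hidden by property: ~s~%" hidden)
    (format #t "stale property entries: ~s~%" stale)))
```

Keeping the hidden and stale lists separate from the patched ids shows that the property is a suppression list for the linter, not a record of which vulnerabilities a package has actually fixed.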