From: bokr@bokr.com
Date: Sun, 17 Jul 2022 17:35:19 +0200
To: zimoun
Cc: Ludovic Courtès, Guix Devel, Marius Bakke
Subject: Re: grafted package and CLI
Message-ID: <20220717153519.GA17917@LionPure>

Hi Simon,

On +2022-07-07 18:58:41 +0200, zimoun wrote:
> Hi,
>
> On Thu, 07 Jul 2022 at 17:09, Ludovic Courtès wrote:
>
> > You mean hide with the ‘hidden?’ property?
>
> I do not know what I mean. ;-)
>
> The replacement could have an ’hidden?’ property or not being
> ’define-public’.
>
> > Good question. There’s probably little point in exposing the original
> > (replaced) version, so yes, hiding it makes sense I guess. Should we
> > just do that systematically?
>
> Well, we should follow the same strategy independently of the version
> bump. Systematically hide original (replaced) original version.
>
> Bah I do not know, what other think?
>
>
> Cheers,
> simon
>

"Other" here, reacting to word "hidden":
(equal? hidden some-trojan-horse-contents) :-)

I like "hidden" when it de-clutters my workflow, BUT:

Only when I know it comes with a simple toggle to a view
that reveals what is hidden, to any desired detail, e.g.,
with a brief summary and a menu (a la info, with Ctl-s searchability)
to inspect potentially everything reachable.

Otherwise I worry about what's hidden :)

E.g., I'd like to be able to toggle into a first level inspection view
with some default info and a command line prompt
where I could type a repl CLI command like

    reveal-vulns [OPTS]...

that by default starts in the current command line parsing environment,
and with a "-all" opt would show things like OTTOMH e.g.,
(not all vuln spots here)

* current execution context, e.g. pidparents defined as:
-----------cut here---------------start------------->8---
#!/usr/bin/bash
# ~/bin/pidparents
pid=${1:-$$} #this process if no pid specified as $1
while [ $(($pid)) -gt 0 ]; do
    ps h -p $pid -o comm,tt,pid,stat,args
    pid=$(ps -q $pid -o ppid=)
done
-----------cut here---------------end--------------->8---
* door to "systemctl status" etc if available
* OS kernel info -- uname -a and doors to details
* GPU info, other potential attack-via-DMA programmable devices
* CPU info, fully capable of secure hypervising of VMs? etc.
* BIOS type, current booting mode, etc, or info how to boot grub2 or
  whatever tool on the current system to explore that.
* what is not built from guix cloned repo sources (substituted binaries, etc)
* what is trusted mirror list, with estimate of timeliness vs master sources
* what is invocable that uses setuid or setgid or sudo or su
* can a setgid video group invoker present me with a spoof screen?
* will a newly plugged in USB be accepted as a keyboard just because
  it claims to be, without vetting by asking human and auth by serial?
  - will keystrokes from it be injected into the current keyboard input stream?
    (Insanely promiscuous legacy practice IMO)
* unusual ELF files (summary: how many exist,+ doors to detailed views)
* impure references in /gnu/... simple summaries, doors to full details
* status w.r.t. CVE announcements, (carefully, no tipoffs re exploitables)
* databases in use, SQL injection vulns?
* mystery daemons running?
* hardware error rates, trends
* ...

In short, I'd like reveal-vulns to give me a complete inventory
of my current vulnerabilities to a selectable detail level.

I know "complete" would be magic :)

I imagine there must be many attempted versions in existence.
Is there a guix package? (I confess not having searched ;/ )

--
Regards,
Bengt Richter
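
Two items from the list in the message above (what is invocable with setuid or setgid, and unusual ELF files) sketched with a summary view and an "-all" detail view. This is an added example, not part of the original message and not an existing Guix command; the function names are hypothetical, and "unusual" is assumed to mean an ELF file that group or others may write to.

```bash
#!/usr/bin/env bash
# Added sketch of two inventory checks; all function names are hypothetical.

# Regular files under DIR... that carry the setuid or setgid bit.
list_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    return 0
}

# True if FILE starts with the ELF magic bytes 0x7f 'E' 'L' 'F'.
is_elf() {
    [ "$(head -c 4 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# ELF files under DIR... that group or others may write to
# (assumption: one workable reading of "unusual").
list_writable_elf() {
    local f
    find "$@" -xdev -type f \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
    return 0
}

# reveal_vulns [-all] DIR...: counts by default, full paths with -all.
reveal_vulns() {
    local all=0 setid elf
    if [ "${1:-}" = "-all" ]; then all=1; shift; fi
    setid=$(list_setid "$@")
    elf=$(list_writable_elf "$@")
    printf 'setuid/setgid files: %s\n' "$(printf '%s' "$setid" | grep -c .)"
    printf 'group/world-writable ELF files: %s\n' "$(printf '%s' "$elf" | grep -c .)"
    if [ "$all" -eq 1 ]; then
        [ -n "$setid" ] && printf '%s\n' "$setid" | sed 's/^/  setid: /'
        [ -n "$elf" ] && printf '%s\n' "$elf" | sed 's/^/  elf:   /'
    fi
    return 0
}

# Example: reveal_vulns -all /usr/bin /usr/local/bin
```

Paths containing newlines are not handled by the line-based loops, and `-xdev` keeps each scan on the filesystem of the directory it starts in.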