From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id +B4XO9l5YWBGWAEAgWs5BA (envelope-from ) for ; Mon, 29 Mar 2021 08:55:21 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id yKURNdl5YWCiIQAAB5/wlQ (envelope-from ) for ; Mon, 29 Mar 2021 06:55:21 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 6BD8B1BCFC for ; Mon, 29 Mar 2021 08:55:21 +0200 (CEST) Received: from localhost ([::1]:39770 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lQlo0-0000za-Jo for larch@yhetil.org; Mon, 29 Mar 2021 02:55:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:45910) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lQlnq-0000zT-QV for guix-devel@gnu.org; Mon, 29 Mar 2021 02:55:10 -0400 Received: from albert.telenet-ops.be ([2a02:1800:110:4::f00:1a]:54490) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lQlno-0007vb-GE for guix-devel@gnu.org; Mon, 29 Mar 2021 02:55:10 -0400 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by albert.telenet-ops.be with bizsmtp id m6v5240020mfAB4066v5cg; Mon, 29 Mar 2021 08:55:05 +0200 Message-ID: <6d8fdc44cf956c4ac450c9d2713e9be4cfce5757.camel@telenet.be> Subject: Re: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) From: Maxime Devos To: Mark H Weaver , guix-devel@gnu.org Date: Mon, 29 Mar 2021 08:54:59 +0200 In-Reply-To: <87zgymdi2n.fsf@netris.org> References: <878s68zqsd.fsf@netris.org> <927d66ccc760afacdb88485c5158731458d52dd6.camel@telenet.be> <87k0psdu25.fsf@netris.org> <9fb6ac4f0893446e3619d62395e035a446a9606f.camel@telenet.be> <875z1bdkmq.fsf@netris.org> <87zgymdi2n.fsf@netris.org> Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-zXytC9ztBxZw2gs0k3O2" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1617000905; bh=oJydoRQ7WtRpOOQmPwdHoaQPhnjT+KW+V74/JdOinNI=; h=Subject:From:To:Date:In-Reply-To:References; b=gImo1DKPe1URXNZou/BwLRn55kfHRi0hkRoEVHmKtu8jqtse9l7jsKfthRCGLqh1V cyBnBDLrP2GINaIXuy4QA4c32rUoMtKJ+t5hdk4LiBNdke/1rgNl/Y4uNrmxjX9ihy I8hEavJPOa9fDi+jFhbtq3yx1Sax1dZvX81W75p6gIXskdSoI0qhqlBHmgkYAhRKS3 tXV4SKvaElz2DextiYevsW9xeSKrD0i4ieBxLz6qETfy/AZEJQgpivB7BnNlbTnxya JNn/MRG+qzvL7wrTkzE4ywiPGYk1+svzlja049rRyk/jVEJ7Bp+s6l7YhemRnQWTKT Geqa9uGcu05ow== Received-SPF: pass client-ip=2a02:1800:110:4::f00:1a; envelope-from=maximedevos@telenet.be; helo=albert.telenet-ops.be X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617000921; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=oJydoRQ7WtRpOOQmPwdHoaQPhnjT+KW+V74/JdOinNI=; b=YgAxuQzAOS4O59P00xXMXOiAFQRUpIo09HpEyRoPwzm88uwg2DixDAs211SiUlER8lksLJ FttlqJVkQVjAJRXklijXjAzlzvOcVTbOA8bwRkUODKWJSqaQ2sOhGSym3JiCnvUubuvSoi Xyj2XI0m7m9FppwdzeiWagzTAEfuFK7jWQwAZC2c4IcRiqP20TG7clEEzSBwv7n8+HhnvD 9RlGEfkh17CCkQai97BK/QjO2iAPzQv07ojoIvTXuztTTaGzwj0QrhFwCX5RaPaYitXPj0 cnf3kb9fXt3iR38/eE5cixb3msv8KDosO4H6PDk7uWcdkOjNPV1ipXNlBH7gyg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617000921; a=rsa-sha256; cv=none; b=o3p1IKRbN1cuZvxRPy6CYftftC5ZdNjKRVhbNvU9SOenEr+rbTlSkz0XXhQ8ZtA3Pj1Xg7 O9iIZ9/j1lRsYRHc9/woWivvq24sF+BMzMecNOVBZMgLAzeFbrTad3rvcDg9wO0dfkVgXq EhBHZmpWPJsU9vnKwwdB56A6CGtsL0g5KLVrTcWVg/cx5k3vJy6oiQCCve/PVjUQhcP05A M0SqH+VBQtKacZFDMGe5e8wzEJ9y2eMiJFWNBItgMP29RYev51TuVO7yiAKXyeZ5QI9BYy 0i84ucZFZ8nrQd8MPkIIocXpl2AB5BHWSwiIK0VS/CgFfX1VB0so3qUx6tNPEw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r21 header.b=gImo1DKP; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -5.22 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r21 header.b=gImo1DKP; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 6BD8B1BCFC X-Spam-Score: -5.22 X-Migadu-Scanner: scn0.migadu.com X-TUID: 4AROh1Erdt45 --=-zXytC9ztBxZw2gs0k3O2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sun, 2021-03-28 at 18:33 -0400, Mark H Weaver wrote: > Earlier, I wrote: > > One thing to be very careful about is to only use 'gtk-doc/stable', > > 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and > > moreover to make sure that no references to these */stable packages > > remain in any package outputs. > >=20 > > Of course, if any package retains references to its 'native-inputs', > > that's always a bug, but I wouldn't be surprised if such bugs exist in > > Guix. Such bugs might be relatively harmless now (except when > > cross-compiling), but they could become a security bug if a package > > retains a reference to 'imagemagick/stable'. It just occurred to me: could we automatically add all native-inputs to #:disallowed-references when cross-compiling? This shouldn't break any packages, except possibly when cross-compiling. Or stronger, add all native-inputs to #:disallowed-references (unless they are also in inputs or propagated-inputs), even when compiling natively? Problems include: * I guess a world rebuild, as the derivations would be different. * In some places we have the following pattern: (native-inputs `(("autoconf" ,autoconf) ("automake" ,automake) ("pkg-config" ,pkg-config) ,@(if (%current-target-system) `(("guile" ,guile-3.0)) ;for 'guild compile' and 'guile-3.0.= pc' '()))) (inputs `(("guile" ,guile-3.0) ("lzlib" ,lzlib))) (synopsis "Guile bindings to lzlib") The (if (%current-target-system) ...) would need to be made unconditional= . * I guess an option to disable this behaviour might be useful. > It occurs to me that we will need some tooling to ensure that no > references to these buggy "*/stable" packages end up in package outputs > that users actually use. Otherwise, it is likely that sooner or later, > a runtime reference to one of these buggy packages will sneak in to our > systems. >=20 > An initial idea is that these "*/stable" packages could have a package > property (perhaps named something like 'build-time-only') that indicates > that references to its outputs should not occur within the outputs of > any other package that does not have that same property. Would this be (a) something enforced by the build process (using #:disallowed-references or #:allowed-references), or (b) a linter? > We'd also need to somehow ensure that users don't install these > 'build-time-only' packages directly, at least not without an additional > option (e.g. --force-unsafe-build-time-only) to override it. What about a developer running "guix environment eom"? IIUC, this would make the developer vulnerable (at least, once I've gotten around replacing the 'gtk-doc' input with 'gtk-doc/stable'), so it might make sense to replace /stable -> unstable packages here. However, now the developer ends up with a different set of packages than wil be seen in the build environment ... > Additionally, it might be good to issue warnings if 'build-time-only' > packages are not hidden, This seems good to me. This should prevent "guix install imagemagick@bad-version". > or if they are found within the 'inputs' or > 'propagated-inputs' fields of any package that's not also > 'build-time-only'. Both of these last two checks have loopholes, > however, so they are not reliable indicators. But these (automatic "guix lint") checks could still catch many problems in practice before they are committed! =20 > Thoughts? Other proposals? Is this something you will be writing "guix lint" checkers (or other checkers) for yourself? Greetings, Maxime. --=-zXytC9ztBxZw2gs0k3O2 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYGF5xBccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7jyHAP9DlDDQLYGomxLogXHP+j1uXXiL P2RQnQqzVFOwB7ZdBwEAqM6q+HTzcACz/sVBb8JG2xmknUmJQWFvWRXa1S0ahw0= =MgYD -----END PGP SIGNATURE----- --=-zXytC9ztBxZw2gs0k3O2--