From: Mark H Weaver <mhw@netris.org>
To: Hartmut Goebel <h.goebel@crazy-compilers.com>
Cc: guix-devel@gnu.org
Subject: Re: store reference detection (was Re: JARs and reference scanning)
Date: Fri, 12 May 2017 17:51:36 -0400
Message-ID: <871srthhg7.fsf@netris.org>
In-Reply-To: <591612F8.40408@crazy-compilers.com> (Hartmut Goebel's message of "Fri, 12 May 2017 21:54:32 +0200")

Hartmut Goebel <h.goebel@crazy-compilers.com> writes:

> On 12.05.2017 at 19:39, Mark H Weaver wrote:
>
> > It would not interfere, but it could have the effect of *hiding*
> > security problems due to a failure to graft properly.
> > [...]
> > If we create a redundant set of references in another file, then
> > problems like this could go undetected for a long time.
>
> Reading your comments (and words like "hidden"), I assume you are
> referring to some compressed or otherwise unreadable data.
>
> Please don't confuse this: We are *not* talking about compressed
> files, but about plain text (or stored uncompressed within e.g. a
> zip-file).

Apologies if I've misunderstood. Earlier, you wrote:

> So I propose to add a small text file ".guix-dependencies" to all
> language's packages which do not add some kind of references
> themselves: Python, Perl, Java, etc.

What's the motivation for this proposal, if not to allow the scanner to
see references that would otherwise be obfuscated?

Mark
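
An added illustration of the failure mode discussed in this message (not code from the thread or from Guix): a byte-level reference scan and graft run over a package output whose real reference sits in a deflate-compressed JAR member, with a plain-text `.guix-dependencies` sidecar beside it. Assumptions: the scanner and the graft both work on raw bytes of known store hashes, the JAR member is compressed, and the hashes and the `libfoo` package are constructed sample data.

```python
import io
import zipfile

# Constructed sample data: both hashes and the "libfoo" package are made up.
OLD_HASH = "0a1b2c3d4f5g6h7i8j9k0l1m2n3p4q5r"   # vulnerable libfoo
NEW_HASH = "z9y8x7w6v5s4r3q2p1n0m9l8k7j6i5h4"   # patched replacement
OLD = f"/gnu/store/{OLD_HASH}-libfoo-1.0"

def scan(files, candidates):
    """Return the candidate hashes that occur as plain bytes in any file."""
    return {h for h in candidates
            if any(h.encode() in data for data in files.values())}

def graft(files, old, new):
    """Rewrite old -> new in every file's raw bytes (same-length swap)."""
    return {name: data.replace(old.encode(), new.encode())
            for name, data in files.items()}

def jar_refs(jar_bytes, candidates):
    """What the program really uses: scan the *decompressed* JAR members."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        members = {n: jar.read(n) for n in jar.namelist()}
    return scan(members, candidates)

def build_output(with_sidecar):
    """Build a package output: a deflated JAR, optionally plus the sidecar."""
    config = "".join(f"native.{k}={OLD}/{k}\n" for k in ("lib", "bin", "share"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("config.properties", config)
    files = {"share/java/app.jar": buf.getvalue()}
    if with_sidecar:
        files[".guix-dependencies"] = (OLD + "\n").encode()
    return files

def demo():
    known = {OLD_HASH, NEW_HASH}
    plain = build_output(with_sidecar=False)
    grafted = graft(build_output(with_sidecar=True), OLD_HASH, NEW_HASH)
    return {
        "scan_without_sidecar": scan(plain, known),    # reference missing: noticeable
        "scan_after_graft": scan(grafted, known),      # looks correctly grafted
        "jar_after_graft": jar_refs(grafted["share/java/app.jar"], known),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value))
```

After grafting, the scan reports only the replacement hash while the JAR still resolves to the old store item; without the sidecar the scan finds no reference at all, which is the visible symptom the redundant file would suppress.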