From: Ludovic Courtès <ludo@gnu.org>
Subject: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 14:55:52 +0100
Message-ID: <877eu750rb.fsf@gnu.org>
In-Reply-To: <20171130130510.GT991@macbook41> (Efraim Flashner's message of "Thu, 30 Nov 2017 15:05:10 +0200")
To: Efraim Flashner
Cc: 27943@debbugs.gnu.org

Hi Efraim,

Efraim Flashner skribis:

> It gets worse than that, our t1lib-CVE-2010-2462 is also CVE-2011-0433
> and CVE-2011-5244.¹
>
> I tried creating a blank patch (touch t1lib-CVE...) and adding that to
> satisfy the linter (and bookkeeping) but unsurprisingly patch didn't like
> trying to apply a blank file as a patch.

Yeah that’s no good.

> Debian removed it after squeeze², which was Debian 6, so about 6 years
> ago. Gentoo apparently still has it³. We don't have anything that
> depends on it so I'm in favor of removing it; even the upstream homepage
> is gone.

I don’t have an opinion. Could you poll guix-devel?

> This doesn't deal with the possibility that patches that address
> multiple CVEs that can't be split easily and have a very long name will
> continue to occur, so the best option I can think of right now is to
> change the linter to logic like this:
>
> CVE- -> The following are all CVEs
> YYYY-ZZZZ???? -> Full CVE reference
> ZZZZ???? -> Follows the year of the previous CVE
>
> which would change t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554 ->
> t1lib-CVE-2011-1552+1553+1554,
> and our under-referenced t1lib-CVE-2010-2642 ->
> t1lib-CVE-2010-2642+2011-0433+5244

I thought about it, but since it’s an unusual case, what about adding a
special property to packages instead? You’d write:

  (package
    ;; …
    (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))

‘guix lint’ would honor this property, and that would address both cases
like this and situations where a CVE is known to no longer apply, as is
the case with unversioned CVEs¹.

Thoughts?

Ludo’.

¹ http://www.openwall.com/lists/oss-security/2017/03/15/3
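The two proposals in this exchange, Efraim's compact patch-name scheme (a "CVE-" marker followed by full "YYYY-NNNN" references and bare sequence numbers that inherit the previous year) and Ludo's `fixed-vulnerabilities` package property, can both be expressed as a small linter check. The following Python is an added illustration written for this thread, not code from Guix or from either author (the real `guix lint` is written in Guile Scheme); the function names and the sample patch names it parses are constructed for the example.

```python
import re

# Elements of the proposed naming scheme, after the "CVE-" marker and
# split on "+":
#   "YYYY-NNNN"  a full CVE reference (year, dash, at least four digits)
#   "NNNN"       a sequence number only, taking the year of the previous CVE
_FULL = re.compile(r"^(\d{4})-(\d{4,})$")
_SEQ = re.compile(r"^\d{4,}$")
_CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def expand_cve_names(patch_name: str) -> list[str]:
    """Return the full CVE identifiers encoded in a patch file name.

    Accepts the verbose form used today (foo-CVE-2011-1552+CVE-2011-1553),
    the proposed compact form (foo-CVE-2011-1552+1553) and the mixed form
    with an explicit year change (foo-CVE-2010-2642+2011-0433+5244).
    Raises ValueError for names that do not follow the scheme, including
    a bare sequence number with no preceding year to inherit.
    """
    base = patch_name.removesuffix(".patch")
    marker = base.find("CVE-")
    if marker == -1:
        raise ValueError(f"no CVE marker in {patch_name!r}")

    year = None
    cves = []
    for element in base[marker + len("CVE-"):].split("+"):
        element = element.removeprefix("CVE-")  # tolerate the verbose form
        full = _FULL.match(element)
        if full:
            year, seq = full.group(1), full.group(2)
        elif _SEQ.match(element) and year is not None:
            seq = element  # inherits the year of the previous CVE
        else:
            raise ValueError(f"malformed element {element!r} in {patch_name!r}")
        cves.append(f"CVE-{year}-{seq}")
    return cves


def compact_cve_name(package: str, cves: list[str]) -> str:
    """Build the compact patch name proposed in the thread from full CVE ids.

    CVEs are sorted by year and sequence so that each year appears once,
    followed by the bare sequence numbers of the same year.
    """
    parsed = []
    for cve in cves:
        match = _CVE_ID.match(cve)
        if not match:
            raise ValueError(f"not a CVE identifier: {cve!r}")
        parsed.append((match.group(1), match.group(2)))
    parsed.sort(key=lambda p: (int(p[0]), int(p[1])))

    elements = []
    previous_year = None
    for year, seq in parsed:
        elements.append(seq if year == previous_year else f"{year}-{seq}")
        previous_year = year
    return f"{package}-CVE-{'+'.join(elements)}.patch"


def unaddressed_cves(known: list[str], patch_names: list[str],
                     fixed_vulnerabilities: list[str] = ()) -> list[str]:
    """Linter-style check combining both proposals.

    A known CVE counts as addressed if a patch name encodes it or if the
    package's hypothetical fixed-vulnerabilities property lists it; the
    remainder is returned sorted, for the linter to report.
    """
    covered = set(fixed_vulnerabilities)
    for name in patch_names:
        covered.update(expand_cve_names(name))
    return sorted(cve for cve in known if cve not in covered)


if __name__ == "__main__":
    # Constructed inputs mirroring the names discussed in the thread.
    print(expand_cve_names("t1lib-CVE-2010-2642+2011-0433+5244.patch"))
    print(compact_cve_name("t1lib", ["CVE-2011-1554", "CVE-2011-1552",
                                     "CVE-2011-1553"]))
    print(unaddressed_cves(
        ["CVE-2010-2642", "CVE-2011-0433", "CVE-2011-5244", "CVE-2011-1552"],
        ["t1lib-CVE-2010-2642.patch"],
        fixed_vulnerabilities=["CVE-2011-0433", "CVE-2011-5244"]))
```

The year-inheritance rule is the part worth testing: a bare sequence number is only meaningful after a full reference, so the parser rejects a name whose first element has no year rather than silently guessing one.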