From: Ludovic Courtès <ludo@gnu.org>
Subject: bug#27943: tar complains about too-long names (guix release)
Date: Fri, 01 Dec 2017 17:50:01 +0100
Message-ID: <87k1y6e6km.fsf@gnu.org>
In-Reply-To: <20171130231220.GA908@jasmine.lan> (Leo Famulari's message of "Thu, 30 Nov 2017 18:12:20 -0500")
To: Leo Famulari
Cc: 27943@debbugs.gnu.org

Leo Famulari wrote:

>> On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
>> > I thought about it, but since it’s an unusual case, what about adding a
>> > special property to packages instead? You’d write:
>> >
>> > (package
>> >   ;; …
>> >   (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
>> >
>> > ‘guix lint’ would honor this property, and that would address both cases
>> > like this and situations where a CVE is known to no longer apply, as is
>> > the case with unversioned CVEs¹.
>> >
>> > Thoughts?
>
> I'd rather the property's name more clearly reflect that it doesn't
> actually fix the vulnerability, but just prevents the linter from
> complaining about it.
>
> Someone who sees this property used in a package could reasonably assume
> that it's required to list all fixed CVEs in a 'fixed-vulnerabilities'
> list, and that it is the "single source of truth" for which bugs apply
> to a package. But, it would not actually have anything to do with that,
> just being a way to silence the linter.

Yes, I see it as a last resort, and thus rarely used. When used, it
should be accompanied by a comment clearly explaining what we’re doing.

I think people are unlikely to see it as a “single source of truth”
because it’ll be used in a handful of packages only, and because
comments there should make it clear that it’s really just to placate the
linter.

> However, I can't think of a good idea for another name...

Maybe ‘lint-hidden-vulnerabilities’ or ‘hidden-vulnerabilities’, or
‘ignored-vulnerabilities’, or…? What’s your preference? :-)

> On Thu, Nov 30, 2017 at 11:49:01PM +0200, Efraim Flashner wrote:
>> I like that idea. It also allows us to mitigate a CVE without needing to
>> specifically add a patch. I've attached my first attempt at implementing
>> it.
>
> I think of `guix lint -c cve` as one of many tools for discovering
> important problems in our packages, but I don't think that we must
> absolutely silence the linter. It's always going to be imprecise, with
> both false negative and positive results.

I agree. Like patch file names, I view this new property as a way to
silence the reader when we have reliable info to do that.

Would you be OK with a more appropriate name and the understanding that
it’s there to address rare cases like this one?

Thanks for your feedback!

Ludo’.
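An added illustration, not part of this message, of Efraim's attached patch, or of Guix itself, of how a CVE lint check could honor such a package property. It assumes the property is named `lint-hidden-vulnerabilities` (one of the names floated above) and uses only plain Guile and SRFI-1; the properties alist and the detected CVE list are constructed samples.

```scheme
;; Hypothetical helper, not Guix code: assumes the package property is
;; called 'lint-hidden-vulnerabilities and holds a list of CVE id strings.
(use-modules (srfi srfi-1))

;; Constructed stand-in for a package's 'properties' field.  As discussed
;; in the thread, a real use should carry a comment explaining why each
;; CVE is hidden; the property only silences the linter, it does not
;; assert that the bug is fixed.
(define example-properties
  '((lint-hidden-vulnerabilities "CVE-123-4567" "CVE-123-4568")))

(define (lint-hidden-vulnerabilities properties)
  "Return the CVE identifiers that PROPERTIES asks the linter to ignore,
or the empty list when the property is absent."
  (or (assq-ref properties 'lint-hidden-vulnerabilities) '()))

(define (vulnerabilities-to-report properties detected)
  "Return the identifiers in DETECTED, a list of CVE id strings found by
the CVE lookup, that are not hidden by PROPERTIES.  Unknown or extra ids
in the property are simply ignored, so a stale entry cannot hide more
than the CVE it names."
  (lset-difference string=? detected
                   (lint-hidden-vulnerabilities properties)))

;; Constructed sample of a CVE lookup result for the package: the two
;; hidden ids are dropped and only the third one would be reported.
(vulnerabilities-to-report example-properties
                           '("CVE-123-4567" "CVE-123-4568" "CVE-123-9999"))
```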