From: Felix Lechner via "Development of GNU Guix and the GNU System distribution."
To: Josselin Poiret, guix-devel@gnu.org
Subject: Re: Core-updates coordination and plans
Date: Wed, 31 Jan 2024 10:19:49 -0800
Message-ID: <87sf2dl60q.fsf@lease-up.com>
In-Reply-To: <87h6itzc4a.fsf@jpoiret.xyz>

Hi Josselin,

On Wed, Jan 31 2024, Josselin Poiret wrote:

> One conundrum we have for now: glibc 2.38 has a couple of new CVEs

The authors describe CVE-2023-6246, which is probably the most serious of the four vulnerabilities, as "significant" [1] and Red Hat ranks it as "8.4 (HIGH)" under the new CVD scale. [2] Most important, "This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access, as demonstrated in Fedora 38." [again, 1]

> we have three options:
> 1) change glibc to track the 2.38 release branch → world rebuild.
> 2) graft glibc → bad user experience (and we're not supposed to graft
> outside of master).
> 3) switch to 2.39 → world rebuild + possibly more work fixing new build
> failures.

Personally, I would go straight to Glibc 2.39.

I am not sure it's helpful to obsess about "world rebuilds." The fear and cost of rebuilding in Guix is real, but it is a necessary consequence of the way Guix works. The fear is also a dominant and persistent mental obstacle to making Guix better. [3]

> I'd ideally prefer 3 but we don't know yet if there is going to be a
> lot of breakage

Your argument that more work may be needed is well-placed, however. We won't know until we get there. Perhaps we can revert to version 2.38 prior to your merge if the problems are severe.

> glibc 2.39 should hopefully release tomorrow (01/02/2024)

Fortunately, your merge schedule coincides more or less with Glibc's release cycle. There should be plenty of data from around the world about the new Glibc version's performance in two or three weeks.

> most of the patches ... got pushed, are there any other ... ?

I don't know whether eudev is a core-package but I personally find it irresponsible that my patch to fix the use of MAC-based addresses for network interfaces [4][5] has not been accepted in some form. In a functional OS like Guix, no administrator should rely on device enumerations provided by the BIOS, by UEFI or by the Linux kernel.

The fix is a one-liner. [6] I used 'regexp-quote' to avoid Guile's quoting madness. [7] As an alternative, we could quote the literals with the old Perl::Critic trick that avoids escapes for metacharacters: [8]

  (substitute* "src/udev/Makefile.am"
    (("[$][(]udevrulesdir[)]") "/etc/udev/rules.d"))

Either way, I'd appreciate if Eudev could please be fixed in this core-updates cycle. The fix has been available for more than half a year. The fix was furthermore deployed on all my systems, including the one running the test deployment of Debbugs in Guix, which is available at debbugs.juix.org. The fix works.

Thanks!

Kind regards
Felix

[1] https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-6246
[3] https://lists.gnu.org/archive/html/guix-devel/2024-01/msg00243.html
[4] https://issues.guix.gnu.org/63508
[5] https://issues.guix.gnu.org/63787
[6] https://issues.guix.gnu.org/63508#12-lineno51
[7] https://www.gnu.org/software/guile/manual/html_node/Backslash-Escapes.html
[8] https://metacpan.org/pod/Perl::Critic::Policy::RegularExpressions::ProhibitEscapedMetacharacters
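An added Guile example, not part of Felix's message or of the eudev package code, showing why the literal "$(udevrulesdir)" needs quoting in a substitute* pattern and that the 'regexp-quote' and bracket-expression spellings behave the same; the Makefile.am line is a constructed sample.

```scheme
;; Added example (not from the message or from eudev): three spellings of
;; a pattern meant to match the literal text "$(udevrulesdir)" in Guile.
(use-modules (ice-9 regex))

;; Constructed sample line in the style of an automake install rule.
(define sample-line
  "  $(INSTALL_DATA) $(srcdir)/rules/*.rules $(DESTDIR)$(udevrulesdir)")

;; 1. Naive: in an extended regexp "$" anchors at end of string and "("
;;    opens a group, so this pattern never matches the literal text.
(define naive-pattern "$(udevrulesdir)")

;; 2. regexp-quote backslash-escapes every metacharacter for us, which is
;;    the approach the one-line eudev fix takes.
(define quoted-pattern (regexp-quote "$(udevrulesdir)"))

;; 3. The Perl::Critic trick: each metacharacter sits alone inside a
;;    bracket expression, where it loses its special meaning, so the
;;    Scheme string literal needs no backslashes at all.
(define bracket-pattern "[$][(]udevrulesdir[)]")

;; Does PATTERN match anywhere in SAMPLE-LINE?
(define (matches? pattern)
  (if (string-match pattern sample-line) #t #f))

;; Mimic what substitute* does for one line: replace every match of
;; PATTERN with the fixed rules directory.
(define (rewrite-line pattern)
  (regexp-substitute/global #f pattern sample-line
                            'pre "/etc/udev/rules.d" 'post))

(for-each
 (lambda (name pattern)
   (format #t "~a: matches? ~a~%" name (matches? pattern)))
 '("naive" "regexp-quote" "bracket expression")
 (list naive-pattern quoted-pattern bracket-pattern))

(display (rewrite-line bracket-pattern))
(newline)
```

Run it with `guile` on the script; the naive pattern reports no match while the other two match and produce the same rewritten line.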