From: "Ludovic Courtès" <ludo@gnu.org>
To: "Léo Le Bouter" <lle-bout@zaclys.net>
Cc: 47228@debbugs.gnu.org
Subject: bug#47228: Check binary consistency after grafting with e.g. ldd
Date: Fri, 19 Mar 2021 11:39:44 +0100	[thread overview]
Message-ID: <87sg4rfmvj.fsf@gnu.org> (raw)
In-Reply-To: <ea674f0bd142d0f308f778b3e18205a01d895111.camel@zaclys.net> ("Léo Le Bouter"'s message of "Fri, 19 Mar 2021 09:58:55 +0100")

Hi,

Léo Le Bouter <lle-bout@zaclys.net> wrote:

> On Thu, 2021-03-18 at 14:38 +0100, Ludovic Courtès wrote:
>> I don’t think all the testing that needs to be done when grafting can
>> be automated.
>
> Not all but part of it?

Not even sure; at least I don’t have any ideas.

>> In particular, packagers who want to introduce a replacement for a
>> library should use libabigail’s ‘abi-diff’ tool to check that the
>> package and its replacement are ABI-compatible.  It’s also a good
>> idea to make some quick manual tests.
>
> That's great! Maybe we can have some quick tooling in GNU Guix to
> aid that?

Again it’s on a case-by-case basis, it depends on what you’re grafting,
so I wouldn’t know how to do that.

Perhaps a first step would be consolidate this “insider knowledge” about
security updates and grafts into a check list.

>> The .so file symlinks in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2e0ff59f0cd836b156f1ef2e78791d864ce3cfcd>
>> look very scary to me.  To me, it’s likely to hide the ABI
>> incompatibility issue rather than “fix” it.
>
> :-/ Yes it is scary, we were having a user with an Inkscape issue on
> IRC and this commit fixed it for them and they could work without an
> issue though, we were discussing with rekado and rekado suggested we
> cheat like this and I've done it, the only alternative we have is
> porting/applying all patches to our version by digging commit history
> (with always the doubt of adding an incomplete fix which is likely if
> we have to dig commit history manually).

It’s the kind of patch that should be reviewed before it gets in.

In this case, review will have to happen after the fact, but it still
has to happen IMO.  I’d prefer not to do it myself; perhaps Leo F. can
take a look?

> If nobody can put time to dig patches for all individual CVEs until we
> ungraft then I'd rather have this scary commit in.

Security is a spectrum; we’ll never close all CVEs.  :-)

Security issues often call for quick reaction, but to me that doesn’t
mean we should dismiss our practices and workflow, in particular peer
review.

Thanks,
Ludo’.
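The two checks this thread talks about, the ldd pass named in the subject line and the ABI comparison with libabigail that Ludovic recommends, as an added example that is not part of this thread or of Guix itself; the STORE_PREFIX default, the constructed sample paths and the use of libabigail's `abidiff` command are assumptions.

```shell
#!/bin/sh
# Added example (not Guix code): sanity-check the binaries of a grafted
# package output.  Every ELF file under a directory is run through ldd(1);
# a library that is "not found", or that resolves outside the store prefix,
# is reported.  STORE_PREFIX is an assumption; adjust for your system.
STORE_PREFIX="${STORE_PREFIX:-/gnu/store}"
# Read ldd output on stdin and print one line per problem:
#   MISSING <soname>          the dynamic linker could not resolve it
#   FOREIGN <soname> <path>   it resolved outside $STORE_PREFIX
# Exit status is 1 when at least one problem was printed, else 0.
ldd_problems() {
    awk -v prefix="$STORE_PREFIX" '
        /not found/ { print "MISSING", $1; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// && index($3, prefix) != 1 {
            print "FOREIGN", $1, $3; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# True when the file starts with the ELF magic (7f 45 4c 46).
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Check one file; prints "<file>: <problem>" lines and returns 1 on any.
check_binary() {
    is_elf "$1" || return 0
    out=$(ldd "$1" 2>/dev/null | ldd_problems) && return 0
    printf '%s\n' "$out" | sed "s|^|$1: |"
    return 1
}

# Walk a package output (store paths contain no whitespace) and check
# every regular file; returns 1 if any binary had a problem.
check_tree() {
    status=0
    for f in $(find "$1" -type f); do
        check_binary "$f" || status=1
    done
    return $status
}

# Compare the original and replacement shared object with libabigail's
# abidiff (the tool the thread calls abi-diff); non-zero exit on ABI change.
abi_check() {
    command -v abidiff >/dev/null 2>&1 || { echo "abidiff not installed" >&2; return 0; }
    abidiff "$1" "$2"
}
if [ $# -ge 1 ]; then check_tree "$1"; fi
```

Run it as `sh check-graft.sh /gnu/store/...-package-output` after grafting, and `abi_check old.so new.so` on the pair of libraries before deciding the replacement is safe.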