Subject: bug#47228: Check binary consistency after grafting with e.g. ldd
From: Ludovic Courtès
To: Léo Le Bouter
Cc: 47228@debbugs.gnu.org
Date: Fri, 19 Mar 2021 11:39:44 +0100
Message-ID: <87sg4rfmvj.fsf@gnu.org>
In-Reply-To: Léo Le Bouter's message of Fri, 19 Mar 2021 09:58:55 +0100
References: <22d6fde28a4646254061f56c342fb75d2a2846d9.camel@zaclys.net> <878s6kpoon.fsf@gnu.org>
Hi,

Léo Le Bouter skribis:

> On Thu, 2021-03-18 at 14:38 +0100, Ludovic Courtès wrote:
>> I don’t think all the testing that needs to be done when grafting can
>> be automated.
>
> Not all but part of it?

Not even sure; at least I don’t have any ideas.

>> In particular, packagers who want to introduce a replacement for a
>> library should use libabigail’s ‘abi-diff’ tool to check that the
>> package and its replacement are ABI-compatible. It’s also a good idea
>> to make some quick manual tests.
>
> That's great! Maybe we can have some quick tooling in GNU Guix to
> aid that?

Again it’s on a case-by-case basis; it depends on what you’re grafting,
so I wouldn’t know how to do that.

Perhaps a first step would be to consolidate this “insider knowledge”
about security updates and grafts into a check list.

>> The .so file symlinks in
>> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2e0ff59f0cd836b156f1ef2e78791d864ce3cfcd>
>> look very scary to me. To me, it’s likely to hide the ABI
>> incompatibility issue rather than “fix” it.
>
> :-/ Yes it is scary, we were having a user with an Inkscape issue on
> IRC and this commit fixed it for them and they could work without an
> issue though, we were discussing with rekado and rekado suggested we
> cheat like this and I've done it, the only alternative we have is
> porting/applying all patches to our version by digging commit history
> (with always the doubt of adding an incomplete fix which is likely if
> we have to dig commit history manually).

It’s the kind of patch that should be reviewed before it gets in. In
this case, review will have to happen after the fact, but it still has
to happen IMO. I’d prefer not to do it myself; perhaps Leo F. can take
a look?

> If nobody can put time to dig patches for all individual CVEs until we
> ungraft then I'd rather have this scary commit in.

Security is a spectrum; we’ll never close all CVEs. :-)

Security issues often call for quick reaction, but to me that doesn’t
mean we should dismiss our practices and workflow, in particular peer
review.

Thanks,
Ludo’.
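The two checks this thread talks about, the ldd consistency check from the bug title and the libabigail abi-diff check Ludovic recommends, sketched as a small POSIX shell script. This is an added example, not code from the thread or from Guix itself. It assumes GNU ldd's output format ("soname => path (addr)" or "soname => not found") and abidiff's documented exit-status bits (1 tool error, 2 usage error, 4 ABI change, 8 incompatible ABI change); the store paths in the embedded sample output are constructed placeholders, not real store items.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Guix.
# Two quick post-graft sanity checks on a built output:
#   1. run `ldd` over every ELF file and flag libraries the loader cannot resolve;
#   2. run libabigail's `abidiff` on the old and replacement library and turn
#      its exit status into a verdict.
# Assumptions: GNU ldd output format; abidiff status bits 1/2/4/8 as documented
# by libabigail; the sample store paths below are constructed placeholders.

# Read ldd output on stdin; print each soname reported as "not found".
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd on one file; return 1 when any dependency is unresolved.
check_binary() {
    missing=$(ldd "$1" 2>/dev/null | ldd_missing)
    if [ -n "$missing" ]; then
        printf '%s: unresolved dependencies:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# Walk a directory (for instance a grafted store item) and check every ELF file.
check_tree() {
    status=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # ELF magic is 0x7f 'E' 'L' 'F'; `od -c` renders it as "177 E L F".
        if [ "$(head -c 4 "$f" | od -An -c | tr -d ' ')" = "177ELF" ]; then
            check_binary "$f" || status=1
        fi
    done <<EOF
$(find "$1" -type f)
EOF
    return $status
}

# Map an abidiff exit status to a verdict: identical, compatible, incompatible
# or error. Returns 0 for identical/compatible, 1 for incompatible, 2 for errors.
abidiff_verdict() {
    st=$1
    if [ $((st & 3)) -ne 0 ]; then echo error; return 2; fi
    if [ $((st & 8)) -ne 0 ]; then echo incompatible; return 1; fi
    if [ $((st & 4)) -ne 0 ]; then echo compatible; return 0; fi
    echo identical
    return 0
}

# Compare a library with its replacement, e.g. check_abi old/libfoo.so.2 new/libfoo.so.2
check_abi() {
    abidiff "$1" "$2" >/dev/null 2>&1
    abidiff_verdict $?
}

# Constructed ldd output (placeholder store paths) so the parser can be
# exercised without real binaries.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a2b3000)
    libfoo.so.2 => not found
    libc.so.6 => /gnu/store/xxxxxxxx-glibc-2.31/lib/libc.so.6 (0x00007f3a1c400000)'

printf 'missing from sample: %s\n' "$(printf '%s\n' "$SAMPLE_LDD" | ldd_missing)"
for st in 0 4 12 1; do
    printf 'abidiff status %s -> %s\n' "$st" "$(abidiff_verdict "$st")"
done
```

Run `check_tree /gnu/store/...-package` on a grafted output to catch sonames that no longer resolve, and `check_abi` on the original and replacement library before proposing a graft; a verdict of "incompatible" is the case where a graft is not a safe substitute, which is exactly what the .so symlink trick would mask. Note that ldd may hand the binary to its dynamic loader; on outputs you do not trust, read `NEEDED` entries with `readelf -d` instead.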