From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: store reference detection (was Re: JARs and reference scanning)
Date: Fri, 12 May 2017 02:18:53 -0400
Message-ID: <87shkafvhu.fsf@netris.org>
References: <87a876pwaq.fsf@gmail.com>
	<b1688120-ac7c-3012-bd3d-a19c622d6a96@crazy-compilers.com>
	<8760hr7mwl.fsf@gmail.com>
	<20170426.135333.1620868924745053745.post@thomasdanckaert.be>
	<87fugu6jzg.fsf@gnu.org> <59022E86.1020709@crazy-compilers.com>
	<8760hjig4r.fsf@gnu.org> <590F179B.4060306@crazy-compilers.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43145)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1d93v7-0006rM-Po
	for guix-devel@gnu.org; Fri, 12 May 2017 02:19:22 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1d93v4-0001zh-LB
	for guix-devel@gnu.org; Fri, 12 May 2017 02:19:21 -0400
In-Reply-To: <590F179B.4060306@crazy-compilers.com> (Hartmut Goebel's message
	of "Sun, 7 May 2017 14:48:27 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Hartmut Goebel <h.goebel@crazy-compilers.com>
Cc: guix-devel@gnu.org

Hartmut Goebel <h.goebel@crazy-compilers.com> writes:

> Am 02.05.2017 um 14:43 schrieb Ludovic Court=C3=A8s:
>> Hartmut Goebel <h.goebel@crazy-compilers.com> skribis:
>>
>>> Am 27.04.2017 um 15:46 schrieb Ludovic Court=C3=A8s:
>>>> =E2=80=98propagated-inputs=E2=80=99 is one way to manually specify run=
-time references.
>>>> It works at the package level and not at the store level=E2=80=94that =
is, the
>>>> store item=E2=80=99s references are unaffected by what =E2=80=98propag=
ated-inputs=E2=80=99
>>>> contains.  It=E2=80=99s usually enough for our purposes though.
>>> I'm not sure if 'propagated-inputs' are enough. For example
>>> "python-passlib" as propagated-input python-py-bcrypt, but the later
>>> does not show up as reference, requisite nor referrer:
>> Right, that=E2=80=99s what I meant by =E2=80=9Cnot at the store level=E2=
=80=9D above.
>>
>> Ludo=E2=80=99.
>  So I propose to add a small text file ".guix-dependencies' to all
> language's packages which do not add some kind of references themselves:
> Python, Perl, Java, etc.

I have thought of doing this in the past, but there's another more
difficult problem that would also need to be solved: how to make
grafting work for these non-plaintext references.  If grafting doesn't
work, there's a good chance that software with known security flaws will
continue to be executed.

       Mark