From: ludo@gnu.org (Ludovic Courtès)
Subject: OpenSSL “DROWN” vulnerability & grafts
Date: Tue, 01 Mar 2016 22:16:47 +0100
Message-ID: <87twkpnbk0.fsf@gnu.org>
To: guix-devel

Hello!

OpenSSL 1.0.2g was released today, fixing several serious security
vulnerabilities, several of which are referred to as “DROWN” (as has
become security-marketing tradition.)

This gave a good incentive to fix the “grafting” mechanism described at:

  https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

The problem was that until now, grafting was not recursive: .
This is fixed in c22a132, so we “rushed” to use it in ‘master’ for the
OpenSSL upgrade, which is done in caeadfd.

So now is the time to find out how well the new implementation scales
and to address any limitations.  :-)

A potentially disturbing thing with the new code is that it starts
building/downloading things early, typically before it has written
“The following derivations will be built”; see .

A limitation of the current implementation is that the replacement
package must have exactly the same name and version as the package
being replaced.  So OpenSSL 1.0.2g shows up as
/gnu/store/…-openssl-1.0.2f.

The store file name of the old OpenSSL is given by:

  guix build openssl --no-grafts

…

and the new one is given by:

  guix build openssl

For example, to verify which OpenSSL(s) your whole profile refers to,
you can run:

  guix gc -R $(readlink -f ~/.guix-profile) | grep openssl

and check the store file names that you get (make sure to turn off
guix-prettify-mode :-)).

Likewise for a GuixSD generation:

  guix gc -R $(guix system build config.scm) | grep openssl

And for running processes:

  lsof | grep /gnu/store/.*openssl

Seems like these tricks could go in the manual under “Security Updates”,
no?

Feedback welcome!

Ludo’.
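The checks above hinge on one detail of grafts: the grafted OpenSSL keeps the old name and version, so both the ungrafted and the grafted item end in "-openssl-1.0.2f" and a plain `grep openssl` cannot tell them apart; only the hash differs. The following POSIX shell script is an added example, not code from Ludo's message or from Guix itself, showing how to compare a closure listing (what `guix gc -R <profile>` prints) against the two whole store file names. The function names `closure_items` and `audit_closure` are the example's own, and the store hashes and the closure listing are constructed stand-ins: on a real system the two names come from `guix build openssl --no-grafts` and `guix build openssl`.

```shell
#!/bin/sh
# Added example, not code from the original message or from Guix: audit a
# closure listing (the output of "guix gc -R <profile>") for references to
# the ungrafted OpenSSL.  A graft keeps the old name and version, so the
# grafted item also ends in "-openssl-1.0.2f"; only the hash differs.  The
# check therefore compares whole store file names, taken from
# "guix build openssl --no-grafts" (old) and "guix build openssl" (new).

# Constructed store file names standing in for the real ones (the hashes are
# made up; on a real system take them from the two "guix build" commands).
OLD_OPENSSL=/gnu/store/1111111111111111111111111111111a-openssl-1.0.2f
NEW_OPENSSL=/gnu/store/2222222222222222222222222222222b-openssl-1.0.2f

# Constructed closure listing, one store path per line, in the shape that
# "guix gc -R" prints.  This one references only the grafted OpenSSL.
SAMPLE_CLOSURE="/gnu/store/3333333333333333333333333333333c-profile
/gnu/store/4444444444444444444444444444444d-glibc-2.22
$NEW_OPENSSL
/gnu/store/5555555555555555555555555555555e-python-2.7.11"

# closure_items NAME: from the closure on stdin, print the distinct store
# items of package NAME, matched as "/gnu/store/<32-char hash>-NAME-<version>".
closure_items() {
  grep -E "^/gnu/store/[0-9a-z]{32}-$1-[0-9]" | sort -u
}

# audit_closure OLD NEW: read a closure on stdin and print one word:
#   clean - only NEW (or neither) is referenced   -> exit status 0
#   stale - OLD is referenced and NEW is not      -> exit status 1
#   mixed - both are referenced (partial regraft) -> exit status 1
audit_closure() {
  old=$1 new=$2 old_seen=no new_seen=no
  closure=$(cat)
  printf '%s\n' "$closure" | grep -qxF "$old" && old_seen=yes
  printf '%s\n' "$closure" | grep -qxF "$new" && new_seen=yes
  case "$old_seen,$new_seen" in
    no,*)    echo clean; return 0 ;;
    yes,no)  echo stale; return 1 ;;
    yes,yes) echo mixed; return 1 ;;
  esac
}

# Stand-alone run on the constructed sample.  On a real system, feed the
# live closure instead:
#   guix gc -R "$(readlink -f ~/.guix-profile)" | audit_closure OLD NEW
printf '%s\n' "$SAMPLE_CLOSURE" | closure_items openssl
printf '%s\n' "$SAMPLE_CLOSURE" | audit_closure "$OLD_OPENSSL" "$NEW_OPENSSL"
```

The same pipeline works for a GuixSD generation by substituting `guix system build config.scm` for the profile path; the exit status makes `audit_closure` usable as a gate in a script that rebuilds or reconfigures until no stale reference remains.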