From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: 54111@debbugs.gnu.org
Subject: bug#54111: guile bundles (a compiled version of) UnicodeData.txt and binaries
Date: Mon, 28 Feb 2022 12:45:45 +0100 [thread overview]
Message-ID: <87wnhfdxjq.fsf@gnu.org> (raw)
In-Reply-To: <da553c2dc42911fdef9d52d8df9f595add8fbc35.camel@telenet.be> (Maxime Devos's message of "Sun, 27 Feb 2022 20:45:50 +0100")
Hi,
Maxime Devos <maximedevos@telenet.be> skribis:
> Ludovic Courtès schreef op zo 27-02-2022 om 14:52 [+0100]:
[...]
>> We could rewrite ‘unidata_to_charset.pl’ in Scheme, but then Guile would
>> still need to provide a pre-compiled version of srfi-14.i.c for
>> bootstrapping purposes. Or we could rewrite it in Awk, since Guile
>> already depends on Awk anyway.
>>
>> Thoughts?
>
> The ‘blob’ seems relatively harmless to the compilation process, so
> when there are bootstrapping problems, I think we can leave it in.
>
> However, all this Unicode is important for some other things (e.g. some
> DNS and filesystem things). So it would be nice to validate that no
> attacker with access to the Guile repo stealthily introduced some wrong
> information in during an otherwise routine update of the Unicode
> information.
The threat model is that the repository is trusted (that’s a strong
assumption, but that’s how it is). You cannot protect against someone
with access to the repository.
We could use ‘guix git authenticate’ to improve on that.
> Hence, the following proposal:
>
> * Make perl an optional dependency of Guile (upstream) and add an
> '--with-unicode-data=[...]' configure flag or something like that.
>
> If perl is detected by './configure' and '--with-unicode-data=...'
> is set, then let one of the makefiles run 'unidata_to_charset.pl'
> and compare the 'new' srfi-14.i.c against the old srfi-14.i.c.
>
> In case of a mismatch, bail out.
>
> When there's no perl or --with-unicode-data, then just use the
> bundled srfi-14.i.c.
>
> * Add 'perl' (or 'perl-boot0' because that perl is probably good
> enough?) to the native-inputs of guile.
>
> Actually, the second is already done in 'guile-final'.
> Optionally, this can be combined with rewriting it in Scheme
> or some other language.
It might be easier to rewrite in Awk in build srfi-14.i.c
unconditionally no?
We can also add ‘--with-unicode-data’, though that’s orthogonal.
Thanks,
Ludo’.
next prev parent reply other threads:[~2022-02-28 11:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-22 16:42 bug#54111: guile bundles (a compiled version of) UnicodeData.txt and binaries Maxime Devos
2022-02-27 13:52 ` Ludovic Courtès
2022-02-27 19:45 ` Maxime Devos
2022-02-27 19:52 ` Maxime Devos
2022-02-27 23:07 ` Bengt Richter
2022-02-28 11:45 ` Ludovic Courtès [this message]
2022-02-28 17:46 ` Maxime Devos
2022-03-14 18:27 ` Timothy Sample
2022-03-16 10:47 ` Ludovic Courtès
2022-03-16 23:42 ` Timothy Sample
2022-03-19 18:20 ` Timothy Sample
2022-03-24 13:33 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wnhfdxjq.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=54111@debbugs.gnu.org \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.