From: ludo@gnu.org (Ludovic Courtès)
To: Nils Gillmann <ng0@n0.is>
Cc: 31444@debbugs.gnu.org
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Tue, 15 May 2018 09:24:59 +0200 [thread overview]
Message-ID: <87y3gljs8k.fsf@gnu.org> (raw)
In-Reply-To: <20180514164941.kjokoakkooajpunx@abyayala> (Nils Gillmann's message of "Mon, 14 May 2018 16:49:41 +0000")
Hi!
Nils Gillmann <ng0@n0.is> skribis:
> Did you intend to attach a patch to one of the 3 or 4 messages that made
> it to the bugtracker? I've checked when you've sent the message and today
> and saw no patches. I'm interested in the code, the general idea sounds good.
They eventually made it there:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31442
But Debbugs is weird; for some reason for it failed to reply for several
hours.
>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix. We could do that for search paths as
>> well.
>
> If you mean with metadata what I understand:
> I've started playing with this idea a while back. It would be good to attach
> more information to the package, mentioned in the past was "support the developers"
> links (not everyone publishes this on their website).
> Personally I'm going to make use of the "maintainer" function for packages,
> so people know where (hopefully relatively) exactly the package came from.
Well this is not the kind of meta-data I had in mind, and for that I
think a field in <package> is good enough.
> Anyways, I have some other package related experiments.. Did you have anything
> else in mind, other than search-paths and CVE information?
Not really, but that would be extensible.
The bigger picture is that of packages that would remain live data
structures, as Ricardo proposed a while back. I don’t think we can go
this far (in the sense of being able to reconstruct a <package> from its
output), but having some metadata kept around can help.
Thanks,
Ludo’.
next prev parent reply other threads:[~2018-05-15 7:26 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-13 22:15 [bug#31444] 'guix health': a tool to report vulnerable packages Ludovic Courtès
2018-05-14 8:06 ` Martin Castillo
2018-05-14 9:07 ` Ludovic Courtès
2018-05-14 16:49 ` Nils Gillmann
2018-05-15 7:24 ` Ludovic Courtès [this message]
2020-09-18 22:43 ` zimoun
2020-09-25 16:34 ` Ludovic Courtès
2023-07-21 16:44 ` Maxim Cournoyer
2023-09-08 16:25 ` Ludovic Courtès
2023-09-09 22:14 ` Maxim Cournoyer
2023-09-11 11:23 ` Closing submission incomplete since years? Simon Tournier
2023-09-11 17:54 ` Maxim Cournoyer
2023-09-11 18:17 ` Simon Tournier
2023-09-11 20:43 ` Maxim Cournoyer
2023-09-13 19:58 ` [bug#31444] 'guix health': a tool to report vulnerable packages Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y3gljs8k.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=31444@debbugs.gnu.org \
--cc=ng0@n0.is \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.