From: zimoun
Date: Mon, 15 Nov 2021 18:20:51 +0100
Subject: Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway?
To: Ludovic Courtès
Cc: Guix Devel

Hi,

On Tue, 9 Nov 2021 at 18:10, Ludovic Courtès wrote:
> Giovanni Biscuolo skribis:

> > Is there a way for "guix lint" to check for the listed (other?)
> > "dangerous" codepoints and warn code reviewers?
>
> That would be an expensive operation since that means unpacking the
> source and reading each and every file.  ‘guix lint’ usually does
> inexpensive checks.

I agree.  I miss what practical action could be done on the Guix side.
Somehow, we can clean and fix Guix code (and related source as Guile
or other strong direct dependencies) but the Guix project cannot fix
all the broken world of all source code of packages.

> > Is it possible for the Guix community to start a coordinated effort to
> > analyze all the source code (ever?!?) published in our git repo to check
> > for the presence of this attack?
>
> That sounds unreasonable to me.

It appears already unaffordable for only one Guix revision of 17k+
packages, so for all the source code (ever) published. ;-)

Cheers,
simon
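
The kind of check asked about in this thread, as an added example that is not part of the message and not Guix or 'guix lint' code: a standalone scanner that walks an unpacked source tree and reports Unicode bidirectional control characters, the mechanism behind CVE-2021-42574. The function names and the two-file sample tree are constructed for illustration, and the homoglyph identifiers of CVE-2021-42694 are not covered.

```python
import os
import tempfile
import unicodedata

# Bidirectional control characters used by CVE-2021-42574.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}

def scan_file(path):
    """Return (line, column, 'U+XXXX NAME') for each bidi control in path."""
    with open(path, "rb") as handle:
        raw = handle.read()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return []  # not UTF-8 text (binary or legacy encoding): skipped here
    hits = []
    # Split on "\n" only, so line numbers match what an editor shows.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, char in enumerate(line, start=1):
            if char in BIDI_CONTROLS:
                label = "U+%04X %s" % (ord(char), unicodedata.name(char))
                hits.append((lineno, col, label))
    return hits

def scan_tree(root):
    """Walk an unpacked source tree; map relative path -> list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow symlinks out of the tree
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Scan a constructed two-file tree: one clean file, one with RLO/PDI."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.c"), "w", encoding="utf-8") as f:
            f.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "odd.c"), "w", encoding="utf-8") as f:
            f.write("int x;\n/* note \u202e hidden \u2069 */\n")
        return scan_tree(root)
```

Every file under the root is read in full, which is the per-package cost raised in the replies above.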