From debbugs-submit-bounces@debbugs.gnu.org Mon May 14 12:49:16 2018 Received: (at 31444) by debbugs.gnu.org; 14 May 2018 16:49:16 +0000 Received: from localhost ([127.0.0.1]:34615 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fIGex-0000FW-UG for submit@debbugs.gnu.org; Mon, 14 May 2018 12:49:16 -0400 Received: from static.195.114.201.195.clients.your-server.de ([195.201.114.195]:60230 helo=conspiracy.of.n0.is) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fIGeu-0000FM-V2 for 31444@debbugs.gnu.org; Mon, 14 May 2018 12:49:13 -0400 Received: by conspiracy.of.n0.is (OpenSMTPD) with ESMTPSA id 19600453 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Mon, 14 May 2018 16:49:10 +0000 (UTC) Date: Mon, 14 May 2018 16:49:41 +0000 From: Nils Gillmann To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages Message-ID: <20180514164941.kjokoakkooajpunx@abyayala> References: <87fu2vjj76.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87fu2vjj76.fsf@gnu.org> X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 31444 Cc: 31444@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Ludovic Courtès transcribed 3.4K bytes: > Hello Guix! > > On IRC davidl shared a shell script that checks the output of ‘guix lint > -c cve’ and uses that to determine vulnerable packages in a profile. > That reminds me of the plan for ‘guix health’ (a tool to do just that), > so I went ahead and tried to make it a reality at last. > > This ‘guix health’ reports information about “leaf” packages in a > profile, but not about their dependencies: Did you intend to attach a patch to one of the 3 or 4 messages that made it to the bugtracker? I've checked when you've sent the message and today and saw no patches. I'm interested in the code, the general idea sounds good. > --8<---------------cut here---------------start------------->8--- > $ ./pre-inst-env guix health -p /run/current-system/profile/ > guix health: warning: util-linux@2.31.1 may be vulnerable to CVE-2018-7738 > guix health: warning: util-linux@2.31.1 is available but does not fix any of these > hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If > none are available, please consider submitting a patch for the package definition of > 'util-linux'. > > > guix health: warning: shadow@4.5 may be vulnerable to CVE-2018-7169 > guix health: warning: shadow@4.6 is available and fixes CVE-2018-7169, consider ugprading > guix health: warning: tar@1.29 may be vulnerable to CVE-2016-6321 > guix health: warning: tar@1.29 is available but does not fix any of these > hint: Run `guix pull' and then re-run `guix health' to see if fixes are available. If > none are available, please consider submitting a patch for the package definition of > 'tar'. > --8<---------------cut here---------------end--------------->8--- > > The difficulty here is that we need to know a package’s CPE name before > we can check the CVE database, and we also need to know whether the > package already includes fixes for known CVEs. This patch set attaches > this information to manifest entries, so that ‘guix health’ can then > rely on it. > > Fundamentally, that means we cannot reliably tell much about > dependencies: in cases where the CPE name differs from the Guix name, we > won’t have any match, and more generally, we cannot know what CVE are > patched in the package; we could infer part of this by looking at the > same-named package in the current Guix, but that’s hacky. > > I think that longer-term we probably need to attach this kind of > meta-data to packages themselves, by adding a bunch of files in each > package, say under PREFIX/guix. We could do that for search paths as > well. If you mean with metadata what I understand: I've started playing with this idea a while back. It would be good to attach more information to the package, mentioned in the past was "support the developers" links (not everyone publishes this on their website). Personally I'm going to make use of the "maintainer" function for packages, so people know where (hopefully relatively) exactly the package came from. Anyways, I have some other package related experiments.. Did you have anything else in mind, other than search-paths and CVE information? > Should we satisfy ourselves with the current approach in the meantime? > Thoughts? > > Besides, support for properties in manifest entries seems useful to me, > so we may want to keep it regardless of whether we take ‘guix health’ > as-is. > > Ludo’. > > Ludovic Courtès (5): > profiles: Add '%current-profile', 'user-friendly-profile', & co. > packages: Add 'package-patched-vulnerabilities'. > profiles: Add 'properties' field to manifest entries. > profiles: Record fixed vulnerabilities as properties of entries. > DRAFT Add 'guix health'. > > Makefile.am | 1 + > guix/packages.scm | 28 +++++++ > guix/profiles.scm | 91 ++++++++++++++++++++-- > guix/scripts/health.scm | 158 +++++++++++++++++++++++++++++++++++++++ > guix/scripts/lint.scm | 23 +----- > guix/scripts/package.scm | 40 ---------- > po/guix/POTFILES.in | 1 + > tests/packages.scm | 15 ++++ > tests/profiles.scm | 22 ++++++ > 9 files changed, 312 insertions(+), 67 deletions(-) > create mode 100644 guix/scripts/health.scm > > -- > 2.17.0 > > >