merge 59053 49898 thanks Hi Hilton, thanks for the renewed interest in spectre-meltdown-checker. See the other thread for a general discussion, but I'll repeat the most important points. Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain: > * gnu/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch: New file. > * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. > * gnu/local.mk (dist_patch_DATA): Add it. Note that "Add it" lost its context because the new variable is between it and the file added. > --- >  gnu/local.mk                                  |  1 + >  gnu/packages/linux.scm                        | 41 > +++++++++++++++++++ >  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++ >  3 files changed, 68 insertions(+) >  create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index eb6ac3df58..88c1fa6278 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1848,6 +1848,7 @@ dist_patch_DATA > =                                         \ >    %D%/packages/patches/syslinux-strip-gnu-property.patch       \ >    %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch      \ >    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \ > +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ >    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \ >    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \ >    %D%/packages/patches/sssd-optional-systemd.patch             \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index cf11a7fc1b..db199869a7 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm 
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module >  @acronym{SMAPI, System Management Application Program Interface} and > direct >  access to the embedded controller.") >      (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > +  (package > +    (name "spectre-meltdown-checker") > +    (version "0.45") > +    (source (origin > +              (method git-fetch) > +              (uri (git-reference > +                    (url > "https://github.com/speed47/spectre-meltdown-checker") > +                    (commit (string-append "v" version)))) > +              (file-name (git-file-name name version)) > +              (patches > +               (search-patches > +                ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > +                "spectre-meltdown-checker-support-guix-system- > kernel.patch")) > +              (sha256 > +               (base32 > +                > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > +    (build-system copy-build-system) > +    (arguments > +     (list #:install-plan > +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > +           #:phases > +           #~(modify-phases %standard-phases > +               (add-after 'unpack 'fixpath > +                 (lambda* (#:key inputs #:allow-other-keys) > +                   (substitute* "spectre-meltdown-checker.sh" > +                     (("\\$\\{opt_arch_prefix\\}readelf") > +                      (search-input-file inputs "/bin/readelf")) > +                     (("perl") > +                      (search-input-file inputs "/bin/perl")))))))) I'm pretty sure readelf and perl are not the only commands invoked. 
> +    (inputs (list binutils perl)) > +    (home-page > "https://github.com/speed47/spectre-meltdown-checker") > +    (synopsis > +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad > vulnerability / > +mitigation checker for Linux & BSD") "for Linux & BSD" is gratuitous information imho. As for the vulnerabilities listed in the synopsis surely there must be a way of shortening that. > +    (description > +     "A shell script to assess your system's resilience against the > several > +transient execution CVEs that were published since early 2018, and > give you > +guidance as to how to mitigate them.") Not a full sentence. > +    (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-support- > guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown- > checker-support-guix-system-kernel.patch > new file mode 100644 > index 0000000000..afec52b418 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix- > system-kernel.patch 
> @@ -0,0 +1,26 @@ > +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain > +Date: Sat, 5 Nov 2022 23:22:31 +0800 > +Subject: [PATCH] Add support for Guix System kernel. > + > +--- > + spectre-meltdown-checker.sh | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 248a444..855a090 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then > +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > +               # NixOS: > +               [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > ++              # Guix System: > ++              [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > +               # systemd kernel-install: > +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > +               # Clear Linux: > + > +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 > +-- > +2.38.0 > > base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21 This patch LGTM. Note that as discussed in the other thread, we'd also want the checker to not download proprietary firmware. Could you adjust the package accordingly? Cheers
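Review bot: in the `fixpath` phase of the `spectre-meltdown-checker` hunk in gnu/packages/linux.scm, the second `substitute*` pattern `("perl")` is unanchored, so it rewrites every occurrence of the substring `perl` in spectre-meltdown-checker.sh (in comments, messages and longer words as well as at the actual invocation) to the full store path; restricting the pattern to the invocation site, for instance by matching `perl` only at the start of a command, would keep the phase to what its name promises. The `\$\{opt_arch_prefix\}readelf` substitution also silently drops the architecture prefix, which is fine for a native build but deserves a comment. And since `(inputs (list binutils perl))` provides only those two, any other external command the script runs still resolves through PATH at run time.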
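Review bot: in the embedded spectre-meltdown-checker.sh hunk, the new Guix System check depends on its position after the NixOS check: on Guix System `/run/booted-system/kernel` exists too (it is the directory holding the `bzImage` the new line tests for), so `[ -e "/run/booted-system/kernel" ]` also succeeds there and sets `opt_kernel` to the directory, and only because the Guix line comes later does it get overwritten with the correct `bzImage` path. A one-line comment recording that ordering requirement, or testing with `-f` instead of `-e`, would keep a future reorder of this block from quietly breaking Guix System detection.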