GNU bug report logs

#31444 'guix health': a tool to report vulnerable packages


Message #28 received at 31444@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: zimoun <zimon.toutoune@gmail.com>
Subject: Re: bug#31444: 'guix health': a tool to report vulnerable packages
References: <87fu2vjj76.fsf@gnu.org> <864knuk8nk.fsf@gmail.com>
Date: Fri, 21 Jul 2023 12:44:11 -0400
In-Reply-To: <864knuk8nk.fsf@gmail.com> (zimoun's message of "Sat, 19 Sep 2020
 00:43:59 +0200")
Message-ID: <87o7k5i59g.fsf_-_@gmail.com>
Cc: Ricardo Wurmus <rekado@elephly.net>, Mathieu Othacehe <othacehe@gnu.org>,
 Ludovic Courtès <ludo@gnu.org>, 31444@debbugs.gnu.org,
 31442@debbugs.gnu.org

Hi Simon,

zimoun <zimon.toutoune@gmail.com> writes:

> Hi,
>
> Digging in old bugs with patches, hit this one. :-)
>
>
> On Mon, 14 May 2018 at 00:15, ludo@gnu.org (Ludovic Courtès) wrote:
>
>> On IRC davidl shared a shell script that checks the output of ‘guix lint
>> -c cve’ and uses that to determine vulnerable packages in a profile.
>> That reminds me of the plan for ‘guix health’ (a tool to do just that),
>> so I went ahead and tried to make it a reality at last.
>>
>> This ‘guix health’ reports information about “leaf” packages in a
>> profile, but not about their dependencies:
>
> Well, I do not know what the idea was at the time. :-)
> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
> does not list logs before 2019 for the nickname.  Am I missing something?)
>
> And I do not know if the idea is to report only “leaf” packages.
>
> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”.  Said otherwise, “guix graph” should help to manipulate the graph of
> packages.

I like this idea to allow composing our already existing commands, the
UNIX way.  It'd be useful not just for this use case, but to better
exploit the Guix command line API in general.

> I am not sure it fits the idea behind “guix health” but the patch #43477
> allows to only output the nodes, for example.
>
>   <http://issues.guix.gnu.org/issue/43477>
>
>
> Here is an example, to verify the SWH health of one profile.  (Note I
> chose the archival checker because it displays stuff. :-))
>
> $ guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1
> youtube-dl
> mb2md
> isync
> xournal
> ghostscript
> imagemagick
> mupdf
>
> $for pkg in \
>> $(guix package -p ~/.config/guix/profiles/apps/apps -I | cut -f1 | xargs ./pre-inst-env guix graph -b plain); \
>> do guix lint -c archival $pkg ; done
> gnu/packages/video.scm:2169:12: youtube-dl@2020.09.14: source not archived on Software Heritage
> gnu/packages/video.scm:1412:12: ffmpeg@4.3.1: source not archived on Software Heritage
> gnu/packages/autotools.scm:286:12: automake@1.16.2: source not archived on Software Heritage
> guix lint: error: autoconf-wrapper: package not found for version 2.69
> gnu/packages/perl.scm:89:12: perl@5.30.2: source not archived on Software Heritage
> gnu/packages/guile.scm:141:11: guile@2.0.14: source not archived on Software Heritage
> gnu/packages/ed.scm:32:12: ed@1.16: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/xorg.scm:5280:6: libxcb@1.14: source not archived on Software Heritage
> guix lint: error: tzdata: package not found for version 2019c
> gnu/packages/python.scm:514:2: python-minimal@3.8.2: source not archived on Software Heritage
> gnu/packages/xorg.scm:2140:6: xcb-proto@1.14: source not archived on Software Heritage
>
> [...]
>
> gnu/packages/shells.scm:376:12: tcsh@6.22.02: source not archived on Software Heritage
> gnu/packages/icu4c.scm:43:11: icu4c@66.1: Software Heritage rate limit reached; try again later
> C-c
>
> Obviously, the for-loop should be avoided.  But raising an error by
> “guix lint” breaks the stream.  Well, that’s another story. :-)
>
>
> To summarize, instead of “guix health”, I suggest adding “features” to
> ‘guix graph’ (support manifest files, more facilities to manipulate/show
> the DAG).

I like this idea too.

>
>> The difficulty here is that we need to know a package’s CPE name before
>> we can check the CVE database, and we also need to know whether the
>> package already includes fixes for known CVEs.  This patch set attaches
>> this information to manifest entries, so that ‘guix health’ can then
>> rely on it.
>
> Well, I am not sure I understand.  Is it not somehow an issue of ‘guix
> lint -c cve’?

This is my understanding as well.

Ludo, if your proposition has gone stale and you don't plan to work on
it anytime soon, feel free to close it.

-- 
Thanks,
Maxim
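The composition Simon sketches (profile leaves, then ‘guix graph’, then ‘guix lint’) turned into a small ‘guix health’-style report, as an added example that is not part of this thread or of Guix itself. It assumes the `plain` backend from patch #43477 prints one package name per line, and that `guix lint -c cve` prints findings as `file:line:col: name@version: probably vulnerable to CVE-…, CVE-…` and failures as `guix lint: error: …`; both output formats are assumptions, and the CVE ids in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Guix itself.
# Assumes: 'guix graph -b plain' (patch #43477) prints one package name per
# line, and 'guix lint -c cve' prints findings as
#   gnu/packages/foo.scm:LINE:COL: foo@1.2: probably vulnerable to CVE-X, CVE-Y
# and failures as 'guix lint: error: ...'.  Both formats are assumptions.

# Leaf packages of a profile -> full dependency closure -> one 'guix lint'
# run per package, so a lint error on one package does not end the stream.
health_scan() {  # $1 = profile path
  guix package -p "$1" -I | cut -f1 \
    | xargs guix graph -b plain \
    | sort -u \
    | xargs -n1 guix lint -c cve 2>&1
}

# Reduce raw lint output (stdin) to one line per vulnerable package, kept in
# first-seen order without duplicates; lint errors are listed afterwards
# instead of being dropped, and lines from other checkers are ignored.
summarize() {
  awk '
    /^guix lint: error:/ { errs[++ne] = $0; next }
    /probably vulnerable to/ {
      n = split($0, f, ": ")   # f[1]=location  f[2]=name@version  f[3]=message
      if (n < 3) next
      pkg = f[2]; cves = f[3]
      sub(/^probably vulnerable to /, "", cves)
      if (!(pkg in seen)) { seen[pkg] = 1; order[++np] = pkg }
      vuln[pkg] = cves
    }
    END {
      for (i = 1; i <= np; i++) print order[i] ": " vuln[order[i]]
      for (i = 1; i <= ne; i++) print "skipped: " errs[i]
    }'
}

# Real use: guix_health /path/to/profile
guix_health() { health_scan "$1" | summarize; }

# Constructed sample of lint output (placeholder CVE ids) for an offline run;
# ffmpeg appears twice on purpose to show the deduplication.
SAMPLE_LINT_OUTPUT='gnu/packages/video.scm:1412:12: ffmpeg@4.3.1: probably vulnerable to CVE-0000-0001, CVE-0000-0002
guix lint: error: tzdata: package not found for version 2019c
gnu/packages/video.scm:1412:12: ffmpeg@4.3.1: probably vulnerable to CVE-0000-0001, CVE-0000-0002
gnu/packages/perl.scm:89:12: perl@5.30.2: probably vulnerable to CVE-0000-0003
gnu/packages/ed.scm:32:12: ed@1.16: source not archived on Software Heritage'

demo() { printf '%s\n' "$SAMPLE_LINT_OUTPUT" | summarize; }
```

Running `demo` prints two vulnerable packages followed by the skipped tzdata error, which is the part of the stream the plain for-loop would have lost.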



