GNU bug report logs

#31444 'guix health': a tool to report vulnerable packages


Message #34 received at 31444@debbugs.gnu.org (full text, mbox, reply):

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#31444: 'guix health': a tool to report vulnerable packages
References: <87fu2vjj76.fsf@gnu.org> <864knuk8nk.fsf@gmail.com>
 <87o7k5i59g.fsf_-_@gmail.com> <87jzt04ooe.fsf@gnu.org>
Date: Sat, 09 Sep 2023 18:14:13 -0400
In-Reply-To: <87jzt04ooe.fsf@gnu.org> ("Ludovic Courtès"'s message of "Fri, 08 Sep 2023 18:25:53 +0200")
Message-ID: <871qf7xadm.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

> Reporting only leaf packages was a limitation, not a goal.  The
> limitation stemmed from the fact that, to determine whether a package is
> vulnerable, we need to (1) map its store file name to its package name,
> and (2) map its package name to its CPE name.
>
> We can do #1 via manifests, but only for leaf packages (because there’s
> no metadata available for other store items).

[...]

> There’s been progress since I posted this patch: manifests now include
> provenance info, which means we can map profiles back to package
> definitions!  So we could make a proper ‘guix health’ at this stage.
>
> I’d like to say I’ll work on it soon but reality is that I’m a bit
> swamped.  Anyhow, I think it remains a useful tool, and whether it’s me
> or someone else working on it, we should probably aim for it at some
> point.

Thanks for the update.  It's OK to keep it here if all that is missing
is some extra work to push it to the finish line, so let's keep this one
open.

On a related note, sometimes we have WIP kind of work that stays on our
tracker with deeper questions / problems to solve, and I don't think
it's fair for our reviewers to have these linger on for years on the
tracker (they take a lot of time to get familiar with, and would then
require quite more investment to be completed, sometimes with the
original submitter no longer active in the discussion) -- I think for
these situations it's fair to close it.  An interested person can
hopefully find these in the archives and resume work on it if they are
so inclined.

-- 
Thanks,
Maxim
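The two-step mapping Ludovic quotes above (store file name to package name, package name to CPE name) is the core of what a 'guix health' has to do before it can consult a CVE feed. The following is an added illustration written for this page; it is not code from the bug thread, from the patch under discussion, or from Guix itself. It models the store-name split on the convention that the first hyphen followed by a digit starts the version (an assumption, after the behaviour documented for Guix's package-name->name+version), keeps a package-name to CPE-name table (an assumption standing in for the per-package cpe-name property), and matches against a constructed, placeholder CVE table. The store paths, CPE table and CVE records are all sample data; the CVE identifiers are placeholders, not real advisories.

```python
"""Added example: the name -> version -> CPE -> CVE pipeline behind a
'guix health'-style report.  Not Guix's own code; all data is constructed."""
import re
from dataclasses import dataclass

# A Guix store item is /gnu/store/<32-char hash>-<name>-<version>[/subpath].
# Character class is deliberately loose; the real hash alphabet is a subset.
STORE_ITEM_RE = re.compile(r"^/gnu/store/[0-9a-z]{32}-(?P<base>[^/]+)")


def split_name_version(base):
    """Split 'foo-1.2' into ('foo', '1.2').

    Assumption modelled on Guix's package-name->name+version: the first
    hyphen that is followed by a digit introduces the version.  Items with no
    version part (e.g. a profile directory) yield (base, None).
    """
    for i in range(1, len(base) - 1):
        if base[i] == "-" and base[i + 1].isdigit():
            return base[:i], base[i + 1:]
    return base, None


def store_path_to_name_version(path):
    """Step 1: map a store file name to (package name, version)."""
    m = STORE_ITEM_RE.match(path)
    if not m:
        raise ValueError(f"not a store path: {path}")
    return split_name_version(m.group("base"))


# Step 2: package name -> CPE product name.  Constructed table; the default
# (CPE name == package name) is an assumption for this example.
CPE_NAMES = {"python-minimal": "python"}


def package_to_cpe(name):
    return CPE_NAMES.get(name, name)


@dataclass(frozen=True)
class CveRecord:
    cve_id: str            # placeholder identifier, not a real CVE
    cpe_name: str
    affected_versions: frozenset


# Constructed CVE table with placeholder identifiers.
CVE_DB = [
    CveRecord("CVE-0000-0001", "python", frozenset({"3.10.7"})),
    CveRecord("CVE-0000-0002", "libxml2", frozenset({"2.9.13", "2.9.14"})),
    CveRecord("CVE-0000-0003", "bash", frozenset({"5.0.0"})),
]


def vulnerable_packages(store_paths, cve_db=CVE_DB):
    """Step 3: return sorted (name, version, [cve ids]) for store items whose
    CPE name and exact version appear in a record.  Items without a version
    are skipped: without provenance metadata they cannot be mapped."""
    findings = {}
    for path in store_paths:
        name, version = store_path_to_name_version(path)
        if version is None:
            continue
        cpe = package_to_cpe(name)
        hits = sorted(r.cve_id for r in cve_db
                      if r.cpe_name == cpe and version in r.affected_versions)
        if hits:
            findings[(name, version)] = hits
    return sorted((n, v, c) for (n, v), c in findings.items())


# Constructed sample profile contents (hashes are dummies).
SAMPLE_PROFILE = [
    "/gnu/store/" + "a" * 32 + "-python-minimal-3.10.7/bin/python3",
    "/gnu/store/" + "b" * 32 + "-libxml2-2.9.14",
    "/gnu/store/" + "c" * 32 + "-bash-5.1.16",
    "/gnu/store/" + "d" * 32 + "-gcc-toolchain-11.3.0",
    "/gnu/store/" + "e" * 32 + "-profile",        # no version: skipped
]

if __name__ == "__main__":
    for name, version, cves in vulnerable_packages(SAMPLE_PROFILE):
        print(f"{name}@{version}: {', '.join(cves)}")
```

The version match here is exact-string only; a real tool compares against the version ranges carried by the CVE feed, and the CPE table is exactly the piece of metadata that the quoted message says is missing for non-leaf store items.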

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Sep 9 03:22:19 2025; Machine Name: wallace-server