From debbugs-submit-bounces@debbugs.gnu.org Fri Aug 04 03:22:37 2017
From: Danny Milosavljevic
Subject: tar complains about too-long names (guix release)
Date: Fri, 4 Aug 2017 09:22:12 +0200
Message-ID: <20170804092212.77f65fef@scratchpost.org>

guix $ make release
...
|| chmod -R a+r "guix-0.13.0.1849-cf189-dirty"
tardir=guix-0.13.0.1849-cf189-dirty && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >guix-0.13.0.1849-cf189-dirty.tar.gz
gzip: warning: GZIP environment variable is deprecated; use an alias or script
tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch: file name is too long (max 99); not dumped
tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch: file name is too long (max 99); not dumped
tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch: file name is too long (max 99); not dumped
tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch: file name is too long (max 99); not dumped
tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
make[1]: Leaving directory '/home/dannym/src/guix-master/guix'

From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 05 09:03:17 2017
From: ludo@gnu.org (Ludovic Courtès)
To: control@debbugs.gnu.org
Subject: control message for bug #27943
Date: Tue, 05 Sep 2017 15:03:00 +0200
Message-Id: <87pob5s3gb.fsf@gnu.org>

severity 27943 important

From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 28 09:26:12 2017
From: ludo@gnu.org (Ludovic Courtès)
To: Danny Milosavljevic
Cc: 27943@debbugs.gnu.org, Efraim Flashner
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Date: Tue, 28 Nov 2017 15:26:03 +0100
In-Reply-To: <20170804092212.77f65fef@scratchpost.org> (Danny Milosavljevic's message of "Fri, 4 Aug 2017 09:22:12 +0200")
Message-ID: <87shcyzdhg.fsf@gnu.org>

Hi Danny,

Danny Milosavljevic skribis:

> guix $ make release
> ...
> || chmod -R a+r "guix-0.13.0.1849-cf189-dirty"
> tardir=guix-0.13.0.1849-cf189-dirty && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >guix-0.13.0.1849-cf189-dirty.tar.gz
> gzip: warning: GZIP environment variable is deprecated; use an alias or script
> tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch: file name is too long (max 99); not dumped
> tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch: file name is too long (max 99); not dumped
> tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch: file name is too long (max 99); not dumped
> tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch: file name is too long (max 99); not dumped
> tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: file name is too long (max 99); not dumped
> tar: Exiting with failure status due to previous errors
> make[1]: Leaving directory '/home/dannym/src/guix-master/guix'

“make dist” works fine for me with tar 1.29:

--8<---------------cut here---------------start------------->8---
|| chmod -R a+r "guix-0.13.0.3626-da9b8"
tardir=guix-0.13.0.3626-da9b8 && ${TAR-tar} chof - "$tardir" | eval GZIP= gzip --best -c >guix-0.13.0.3626-da9b8.tar.gz
make[1]: Leaving directory '/home/ludo/src/guix'
--8<---------------cut here---------------end--------------->8---

Actually,
“guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch”
is 101 characters long, so without the “-dirty” prefix as above, we’re
doing OK.  :-)

Anyway, commit eef01cfe8eac8dee8ecf727e4ca459ae065e15ea augments the
‘patch-file-names’ linter to catch this issue.

There’s one problematic case left, which is t1lib, but I volunteered
Efraim to split the big CVE patch in several ones.  :-)

Thanks,
Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 30 08:05:19 2017
From: Efraim Flashner
To: Ludovic Courtès
Cc: Danny Milosavljevic, 27943@debbugs.gnu.org
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 15:05:10 +0200
Message-ID: <20171130130510.GT991@macbook41>
In-Reply-To: <87shcyzdhg.fsf@gnu.org>

On Tue, Nov 28, 2017 at 03:26:03PM +0100, Ludovic Courtès wrote:
> Hi Danny,
> 
> Danny Milosavljevic skribis:
> 
> > guix $ make release
> > ...
> > || chmod -R a+r "guix-0.13.0.1849-cf189-dirty"
> > tardir=guix-0.13.0.1849-cf189-dirty && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >guix-0.13.0.1849-cf189-dirty.tar.gz
> > gzip: warning: GZIP environment variable is deprecated; use an alias or script
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: file name is too long (max 99); not dumped
> > tar: Exiting with failure status due to previous errors
> > make[1]: Leaving directory '/home/dannym/src/guix-master/guix'
> 
> “make dist” works fine for me with tar 1.29:
> 
> --8<---------------cut here---------------start------------->8---
> || chmod -R a+r "guix-0.13.0.3626-da9b8"
> tardir=guix-0.13.0.3626-da9b8 && ${TAR-tar} chof - "$tardir" | eval GZIP= gzip --best -c >guix-0.13.0.3626-da9b8.tar.gz
> make[1]: Leaving directory '/home/ludo/src/guix'
> --8<---------------cut here---------------end--------------->8---
> 
> Actually,
> “guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch”
> is 101 characters long, so without the “-dirty” prefix as above, we’re
> doing OK.  :-)
> 
> Anyway, commit eef01cfe8eac8dee8ecf727e4ca459ae065e15ea augments the
> ‘patch-file-names’ linter to catch this issue.
> 
> There’s one problematic case left, which is t1lib, but I volunteered
> Efraim to split the big CVE patch in several ones.  :-)
> 
> Thanks,
> Ludo’.

It gets worse than that, our t1lib-CVE-2010-2462 is also CVE-2011-0433
and CVE-2011-5244.¹

I tried creating a blank patch (touch t1lib-CVE...) and adding that to
satisfy the linter (and bookkeeping) but unsurprisingly patch didn't like
trying to apply a blank file as a patch.

Debian removed it after squeeze², which was Debian 6, so about 6 years
ago. Gentoo apparently still has it³. We don't have anything that
depends on it so I'm in favor of removing it; even the upstream homepage
is gone.

This doesn't deal with the possibility that patches that address
multiple CVEs that can't be split easily and have a very long name will
continue to occur, so the best option I can think of right now is to
change the linter to logic like this:

CVE-          -> The following are all CVEs
YYYY-ZZZZ???? -> Full CVE reference
ZZZZ????      -> Follows the year of the previous CVE

which would change t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554 ->
t1lib-CVE-2011-1552+1553+1554,
and our under-referenced t1lib-CVE-2010-2642 ->
t1lib-CVE-2010-2642+2011-0433+5244

¹ https://github.com/gentoo/gentoo/pull/2906/files
² https://sources.debian.net/src/t1lib/
³ https://security.gentoo.org/glsa/201701-57

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 30 08:55:57 2017
From: ludo@gnu.org (Ludovic Courtès)
To: Efraim Flashner
Cc: Danny Milosavljevic, 27943@debbugs.gnu.org
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 14:55:52 +0100
In-Reply-To: <20171130130510.GT991@macbook41> (Efraim Flashner's message of "Thu, 30 Nov 2017 15:05:10 +0200")
Message-ID: <877eu750rb.fsf@gnu.org>

Hi Efraim,

Efraim Flashner skribis:

> It gets worse than that, our t1lib-CVE-2010-2462 is also CVE-2011-0433
> and CVE-2011-5244.¹
>
> I tried creating a blank patch (touch t1lib-CVE...) and adding that to
> satisfy the linter (and bookkeeping) but unsurprisingly patch didn't like
> trying to apply a blank file as a patch.

Yeah that’s no good.

> Debian removed it after squeeze², which was Debian 6, so about 6 years
> ago. Gentoo apparently still has it³. We don't have anything that
> depends on it so I'm in favor of removing it; even the upstream homepage
> is gone.

I don’t have an opinion.  Could you poll guix-devel?

> This doesn't deal with the possibility that patches that address
> multiple CVEs that can't be split easily and have a very long name will
> continue to occur, so the best option I can think of right now is to
> change the linter to logic like this:
>
> CVE-          -> The following are all CVEs
> YYYY-ZZZZ???? -> Full CVE reference
> ZZZZ????      -> Follows the year of the previous CVE
>
> which would change t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554 ->
> t1lib-CVE-2011-1552+1553+1554,
> and our under-referenced t1lib-CVE-2010-2642 ->
> t1lib-CVE-2010-2642+2011-0433+5244

I thought about it, but since it’s an unusual case, what about adding a
special property to packages instead?  You’d write:

  (package
    ;; …
    (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))

‘guix lint’ would honor this property, and that would address both cases
like this and situations where a CVE is known to no longer apply, as is
the case with unversioned CVEs¹.

Thoughts?

Ludo’.

¹ http://www.openwall.com/lists/oss-security/2017/03/15/3

From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 30 16:49:18 2017
From: Efraim Flashner
To: Ludovic Courtès
Cc: Danny Milosavljevic, 27943@debbugs.gnu.org
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 23:49:01 +0200
Message-ID: <20171130214901.GA19582@macbook41>
In-Reply-To: <877eu750rb.fsf@gnu.org>

On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
> Hi Efraim,
> 
> Efraim Flashner skribis:
> 
> > It gets worse than that, our t1lib-CVE-2010-2462 is also CVE-2011-0433
> > and CVE-2011-5244.¹
> >
> > I tried creating a blank patch (touch t1lib-CVE...) and adding that to
> > satisfy the linter (and bookkeeping) but unsurprisingly patch didn't like
> > trying to apply a blank file as a patch.
> 
> Yeah that’s no good.
> 
> > Debian removed it after squeeze², which was Debian 6, so about 6 years
> > ago. Gentoo apparently still has it³. We don't have anything that
> > depends on it so I'm in favor of removing it; even the upstream homepage
> > is gone.
> 
> I don’t have an opinion.  Could you poll guix-devel?
> 
> > This doesn't deal with the possibility that patches that address
> > multiple CVEs that can't be split easily and have a very long name will
> > continue to occur, so the best option I can think of right now is to
> > change the linter to logic like this:
> >
> > CVE-          -> The following are all CVEs
> > YYYY-ZZZZ???? -> Full CVE reference
> > ZZZZ????      -> Follows the year of the previous CVE
> >
> > which would change t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554 ->
> > t1lib-CVE-2011-1552+1553+1554,
> > and our under-referenced t1lib-CVE-2010-2642 ->
> > t1lib-CVE-2010-2642+2011-0433+5244
> 
> I thought about it, but since it’s an unusual case, what about adding a
> special property to packages instead?  You’d write:
> 
>   (package
>     ;; …
>     (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
> 
> ‘guix lint’ would honor this property, and that would address both cases
> like this and situations where a CVE is known to no longer apply, as is
> the case with unversioned CVEs¹.
> 
> Thoughts?
> 
> Ludo’.
> 
> ¹ http://www.openwall.com/lists/oss-security/2017/03/15/3

I like that idea. It also allows us to mitigate a CVE without needing to
specifically add a patch. I've attached my first attempt at implementing
it.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Content-Disposition: attachment; filename="0001-lint-check-vulnerabilities-also-checks-package-prope.patch"

From ad48d84c8659985d706cfe2f8e07314d6017611a Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Thu, 30 Nov 2017 23:41:29 +0200
Subject: [PATCH 1/2] lint: 'check-vulnerabilities' also checks package properties.
* guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
listed as mitigated in the package properties.
---
 guix/scripts/lint.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 1b43b0a63..8112595c8 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Hartmut Goebel
 ;;; Copyright © 2017 Alex Kost
 ;;; Copyright © 2017 Tobias Geerinckx-Rice
+;;; Copyright © 2017 Efraim Flashner
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -881,10 +882,11 @@ the NIST server non-fatal."
                                    (or (and=> (package-source package)
                                               origin-patches)
                                        '())))
+             (known-safe (assq-ref (package-properties package) 'fixed-vulnerabilities))
              (unpatched (remove (lambda (vuln)
                                   (find (cute string-contains
                                               <> (vulnerability-id vuln))
-                                        patches))
+                                        (append patches known-safe)))
                                 vulnerabilities)))
         (unless (null? unpatched)
           (emit-warning package
-- 
2.15.0

Content-Disposition: attachment; filename="0002-gnu-t1lib-Change-how-patched-CVEs-are-listed.patch"

From 3ae1af75fe7304a05ca8ac0edd8582d581108d05 Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Thu, 30 Nov 2017 23:46:55 +0200
Subject: [PATCH 2/2] gnu: t1lib: Change how patched CVEs are listed.

* gnu/packages/fontutils.scm (t1lib)[source]: Change patch name.
[properties]: New field, register patched CVEs.
* gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch:
Rename to CVE-2011-1552+.patch.
* gnu/local.mk (dist_patch_DATA): Change patch name.
---
 gnu/local.mk                                                      | 2 +-
 gnu/packages/fontutils.scm                                        | 8 ++++++--
 ...E-2011-1553+CVE-2011-1554.patch => t1lib-CVE-2011-1552+.patch} | 0
 3 files changed, 7 insertions(+), 3 deletions(-)
 rename gnu/packages/patches/{t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch => t1lib-CVE-2011-1552+.patch} (100%)
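Review bot: In the `check-vulnerabilities` hunk of patch 1/2, `known-safe` is bound to `(assq-ref (package-properties package) 'fixed-vulnerabilities)`, which returns `#f` for every package that does not set the property; `(append patches #f)` then yields an improper list ending in `#f` (or bare `#f` when the package has no patches at all), and `find` will raise a wrong-type error when it walks past the last real element. Bind it as `(or (assq-ref (package-properties package) 'fixed-vulnerabilities) '())` so the no-property case stays an empty list. Two smaller points on the same lines: the comparison is still `string-contains`, so a property entry is treated like a file name and any ID that is a prefix of another (CVE-2014-1234 inside CVE-2014-12345) counts as covered, whereas the property holds exact IDs and could simply be checked with `member` before falling back to the substring rule for patch names; and since the diffstat touches only guix/scripts/lint.scm, the new `fixed-vulnerabilities` property is not documented anywhere that a packager would find it.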
diff --git a/gnu/local.mk b/gnu/local.mk
index 05a86ac17..398839682 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1079,7 +1079,7 @@ dist_patch_DATA = \
   %D%/packages/patches/synfigstudio-fix-ui-with-gtk3.patch \
   %D%/packages/patches/t1lib-CVE-2010-2642.patch \
   %D%/packages/patches/t1lib-CVE-2011-0764.patch \
-  %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch \
+  %D%/packages/patches/t1lib-CVE-2011-1552+.patch \
   %D%/packages/patches/tar-CVE-2016-6321.patch \
   %D%/packages/patches/tar-skip-unreliable-tests.patch \
   %D%/packages/patches/tcl-mkindex-deterministic.patch \
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index d2306a942..2edbe31d1 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -302,9 +302,9 @@ high quality, anti-aliased and subpixel rendered text on a display.")
              (sha256 (base32
                       "0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2"))
              (patches (search-patches
-                        "t1lib-CVE-2010-2642.patch"
+                        "t1lib-CVE-2010-2642.patch" ; 2011-0443, 2011-5244
                         "t1lib-CVE-2011-0764.patch"
-                        "t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch"))))
+                        "t1lib-CVE-2011-1552+.patch")))) ; 2011-1553, 2011-1554
     (build-system gnu-build-system)
     (arguments
      ;; Making the documentation requires latex, but t1lib is also an input
@@ -323,6 +323,10 @@ describe character bitmaps. It contains the bitmap data as well as some
 metric information. But t1lib is in itself entirely independent of the
 X11-system or any other graphical user interface.")
     (license license:gpl2)
+    (properties `((fixed-vulnerabilities . ("CVE-2011-0433"
+                                            "CVE-2011-1553"
+                                            "CVE-2011-1554"
+                                            "CVE-2011-5244"))))
     (home-page "http://www.t1lib.org/")))
 
 (define-public teckit
diff --git a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch
similarity index 100%
rename from gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
rename to gnu/packages/patches/t1lib-CVE-2011-1552+.patch
-- 
2.15.0

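Review bot: in patch 1/2, the `check-vulnerabilities` hunk of guix/scripts/lint.scm binds `known-safe` to `(assq-ref (package-properties package) 'fixed-vulnerabilities)`, which is `#f` for every package that does not set the property, so `(append patches known-safe)` produces an improper list ending in `#f` in the common case; bind it as `(known-safe (or (assq-ref (package-properties package) 'fixed-vulnerabilities) '()))` (that line also runs well past 80 columns and wants wrapping). Separately, `cute string-contains <> (vulnerability-id vuln)` is a substring test that suits patch file names but is looser than needed for the property entries, where an exact `(member id known-safe)` joined with `or` is the accurate check; and the ChangeLog entry introduces a new code path without an accompanying test in tests/lint.scm.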
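Review bot: in patch 2/2, the `search-patches` hunk of gnu/packages/fontutils.scm annotates `t1lib-CVE-2010-2642.patch` with `; 2011-0443, 2011-5244`, while the `properties` hunk below lists `"CVE-2011-0433"`; one of the two identifiers has its digits transposed, and because the linter reads the property rather than the comment, a wrong identifier there either keeps the CVE flagged or silences a different CVE. Make the comment and the property agree, and prefer full `CVE-YYYY-NNNN` spellings in the comments so they can be grepped.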
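Review bot: the `properties` hunk in patch 2/2 gives no indication of why the four CVEs are hidden; with the patch file renamed to `t1lib-CVE-2011-1552+.patch`, the linter's file-name match now covers only CVE-2011-1552, so CVE-2011-1553 and CVE-2011-1554 are excused solely by this property. A comment above `(properties ...)` naming the patch file that addresses each listed CVE would record that, and would keep readers from taking the list for a complete statement of what is fixed in t1lib.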
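Review bot: the rename region of patch 2/2 moves `gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch` to `gnu/packages/patches/t1lib-CVE-2011-1552+.patch`, but the ChangeLog entry in the commit message names both files without the `t1lib-` prefix (`gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch` and `CVE-2011-1552+.patch`); it should name the files as they exist on disk.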

Date: Thu, 30 Nov 2017 18:12:20 -0500
From: Leo Famulari
To: Efraim Flashner
Cc: Ludovic Courtès, 27943@debbugs.gnu.org
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Message-ID: <20171130231220.GA908@jasmine.lan>
In-Reply-To: <20171130214901.GA19582@macbook41>

> On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
> > I thought about it, but since it’s an unusual case, what about adding a
> > special property to packages instead? You’d write:
> >
> >   (package
> >     ;; …
> >     (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
> >
> > ‘guix lint’ would honor this property, and that would address both cases
> > like this and situations where a CVE is known to no longer apply, as is
> > the case with unversioned CVEs¹.
> >
> > Thoughts?

I'd rather the property's name more clearly reflect that it doesn't
actually fix the vulnerability, but just prevents the linter from
complaining about it.
Someone who sees this property used in a package could reasonably assume
that it's required to list all fixed CVEs in a 'fixed-vulnerabilities'
list, and that it is the "single source of truth" for which bugs apply
to a package. But, it would not actually have anything to do with that,
just being a way to silence the linter.

However, I can't think of a good idea for another name...

On Thu, Nov 30, 2017 at 11:49:01PM +0200, Efraim Flashner wrote:
> I like that idea. It also allows us to mitigate a CVE without needing to
> specifically add a patch. I've attached my first attempt at implementing
> it.

I think of `guix lint -c cve` as one of many tools for discovering
important problems in our packages, but I don't think that we must
absolutely silence the linter. It's always going to be imprecise, with
both false negative and positive results.

From: Ludovic Courtès
To: Leo Famulari
Date: Fri, 01 Dec 2017 17:50:01 +0100
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Message-ID: <87k1y6e6km.fsf@gnu.org>
In-Reply-To: <20171130231220.GA908@jasmine.lan>

Leo Famulari wrote:

>> On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
>> > I thought about it, but since it’s an unusual case, what about adding a
>> > special property to packages instead? You’d write:
>> >
>> >   (package
>> >     ;; …
>> >     (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
>> >
>> > ‘guix lint’ would honor this property, and that would address both cases
>> > like this and situations where a CVE is known to no longer apply, as is
>> > the case with unversioned CVEs¹.
>> >
>> > Thoughts?
>
> I'd rather the property's name more clearly reflect that it doesn't
> actually fix the vulnerability, but just prevents the linter from
> complaining about it.
>
> Someone who sees this property used in a package could reasonably assume
> that it's required to list all fixed CVEs in a 'fixed-vulnerabilities'
> list, and that it is the "single source of truth" for which bugs apply
> to a package. But, it would not actually have anything to do with that,
> just being a way to silence the linter.

Yes, I see it as a last resort, and thus rarely used. When used, it
should be accompanied by a comment clearly explaining what we’re doing.

I think people are unlikely to see it as a “single source of truth”
because it’ll be used in a handful of packages only, and because
comments there should make it clear that it’s really just to placate the
linter.

> However, I can't think of a good idea for another name...

Maybe ‘lint-hidden-vulnerabilities’ or ‘hidden-vulnerabilities’, or
‘ignored-vulnerabilities’, or…? What’s your preference? :-)

> On Thu, Nov 30, 2017 at 11:49:01PM +0200, Efraim Flashner wrote:
>> I like that idea. It also allows us to mitigate a CVE without needing to
>> specifically add a patch. I've attached my first attempt at implementing
>> it.
>
> I think of `guix lint -c cve` as one of many tools for discovering
> important problems in our packages, but I don't think that we must
> absolutely silence the linter. It's always going to be imprecise, with
> both false negative and positive results.

I agree. Like patch file names, I view this new property as a way to
silence the reader when we have reliable info to do that.

Would you be OK with a more appropriate name and the understanding that
it’s there to address rare cases like this one?

Thanks for your feedback!

Ludo’.

Date: Fri, 1 Dec 2017 13:20:59 -0500
From: Leo Famulari
To: Ludovic Courtès
Cc: 27943@debbugs.gnu.org, Efraim Flashner
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Message-ID: <20171201182059.GA2324@jasmine.lan>
In-Reply-To: <87k1y6e6km.fsf@gnu.org>

On Fri, Dec 01, 2017 at 05:50:01PM +0100, Ludovic Courtès wrote:
> Maybe ‘lint-hidden-vulnerabilities’ or ‘hidden-vulnerabilities’, or
> ‘ignored-vulnerabilities’, or…? What’s your preference? :-)

I like 'lint-hidden-vulnerabilities' because it communicates that we are
"hiding" a vulnerability somehow and that it's related to the linter.
Maybe even 'lint-hidden-cve', since it's really about the CVE system and
not so much about vulnerabilities as vulnerabilities.

> Would you be OK with a more appropriate name and the understanding that
> it’s there to address rare cases like this one?

Yes, definitely!

From: Ludovic Courtès
To: Efraim Flashner
Date: Sat, 02 Dec 2017 10:55:05 +0100
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Message-ID: <87po7x3152.fsf@gnu.org>
In-Reply-To: <20171130214901.GA19582@macbook41>

Efraim Flashner wrote:

> From ad48d84c8659985d706cfe2f8e07314d6017611a Mon Sep 17 00:00:00 2001
> From: Efraim Flashner
> Date: Thu, 30 Nov 2017 23:41:29 +0200
> Subject: [PATCH 1/2] lint: 'check-vulnerabilities' also checks package
>  properties.
>
> * guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
> listed as mitigated in the package properties.
> ---
>  guix/scripts/lint.scm | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
> index 1b43b0a63..8112595c8 100644
> --- a/guix/scripts/lint.scm
> +++ b/guix/scripts/lint.scm
> @@ -7,6 +7,7 @@
>  ;;; Copyright © 2016 Hartmut Goebel
>  ;;; Copyright © 2017 Alex Kost
>  ;;; Copyright © 2017 Tobias Geerinckx-Rice
> +;;; Copyright © 2017 Efraim Flashner
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -881,10 +882,11 @@ the NIST server non-fatal."
>                       (or (and=> (package-source package)
>                                  origin-patches)
>                           '())))
> +                (known-safe (assq-ref (package-properties package) 'fixed-vulnerabilities))

Can you change that to ‘lint-hidden-cve’ as Leo suggested?

>                  (unpatched (remove (lambda (vuln)
>                                       (find (cute string-contains
>                                               <> (vulnerability-id vuln))
> -                                            patches))
> +                                            (append patches known-safe)))
>                                     vulnerabilities)))

To be accurate, we’d rather do:

  (remove (lambda (vuln)
            (let ((id (vulnerability-id vuln)))
              (or (find … patches)
                  (member id known-safe))))
          …)

Also could you add a simple test in tests/lint.scm? You can start from
one of the existing CVE tests in there and just add a ‘properties’
field to the test package.

Thank you!

Ludo’.

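Added example, not code from the thread or from Guix itself: a stand-alone Guile script that models the filter sketched in the message above, with the property named `lint-hidden-cve` as Leo proposed, an exact `member` test on the property beside the existing `string-contains` test on patch file names, and a `'()` default because `assq-ref` returns `#f` when a package has no such property. The `<vulnerability>` and `<package>` record types are minimal stand-ins for the Guix ones, the sample data is constructed from the t1lib case in this thread, and `CVE-2099-0001` is a made-up identifier.

```scheme
;; Stand-alone Guile model of the 'check-vulnerabilities' filter discussed
;; in this thread (added example; not Guix's own code).  Run with:
;;   guile lint-hidden-cve-example.scm
(use-modules (srfi srfi-1)    ; find, remove
             (srfi srfi-9)    ; define-record-type
             (srfi srfi-26))  ; cut

;; Minimal stand-in for the vulnerability record of (guix cve).
(define-record-type <vulnerability>
  (vulnerability id packages)
  vulnerability?
  (id vulnerability-id)
  (packages vulnerability-packages))

;; Minimal stand-in for a Guix package: only the fields the linter reads.
(define-record-type <package>
  (package name patches properties)
  package?
  (name package-name)
  (patches package-patches)          ; patch file names, as strings
  (properties package-properties))   ; alist, like Guix's 'properties'

(define (hidden-cves package)
  "Return the CVE identifiers PACKAGE declares under 'lint-hidden-cve', or
the empty list when the property is absent.  The 'or' matters: 'assq-ref'
yields #f for a missing key, and #f is not a list."
  (or (assq-ref (package-properties package) 'lint-hidden-cve)
      '()))

(define (unpatched-vulnerabilities package vulnerabilities)
  "Return those of VULNERABILITIES that are neither named in one of
PACKAGE's patch file names (substring match, as the linter does today) nor
listed exactly in its 'lint-hidden-cve' property."
  (let ((patches (package-patches package))
        (hidden  (hidden-cves package)))
    (remove (lambda (vuln)
              (let ((id (vulnerability-id vuln)))
                (or (find (cut string-contains <> id) patches)
                    (member id hidden))))
            vulnerabilities)))

;; Constructed sample data modelled on t1lib; CVE-2099-0001 is made up and
;; stands for an identifier nothing in the package accounts for.
(define t1lib-vulns
  (map (cut vulnerability <> '("t1lib"))
       '("CVE-2010-2642" "CVE-2011-0433" "CVE-2011-0764"
         "CVE-2011-1552" "CVE-2011-1553" "CVE-2011-1554"
         "CVE-2011-5244" "CVE-2099-0001")))

(define t1lib-patches
  '("t1lib-CVE-2010-2642.patch"
    "t1lib-CVE-2011-0764.patch"
    "t1lib-CVE-2011-1552+.patch"))   ; the '+' hides nothing from the linter

;; Same package with and without the property.  Without it, the CVEs that
;; the combined patch covers but whose ids are no longer in the file name
;; (1553, 1554) are reported again, together with 0433 and 5244.
(define t1lib/with-property
  (package "t1lib" t1lib-patches
           '((lint-hidden-cve . ("CVE-2011-0433" "CVE-2011-1553"
                                 "CVE-2011-1554" "CVE-2011-5244")))))

(define t1lib/no-property
  (package "t1lib" t1lib-patches '()))

(define (report label package)
  (format #t "~a: ~a~%" label
          (map vulnerability-id
               (unpatched-vulnerabilities package t1lib-vulns))))

(report "with property   " t1lib/with-property)
(report "without property" t1lib/no-property)
```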
From: Ludovic Courtès
To: Efraim Flashner
Date: Sat, 02 Dec 2017 10:57:19 +0100
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Message-ID: <87lgil311c.fsf@gnu.org>
In-Reply-To: <20171130214901.GA19582@macbook41>

> From: Efraim Flashner > Date: Thu, 30 Nov 2017 23:46:55 +0200 > Subject: [PATCH 2/2] gnu: t1lib: Change how patched CVEs are listed. > > * gnu/packages/fontutils.scm (t1lib)[source]: Change patch name. > [properties]: New field, register patched CVEs. > * gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: > Rename to CVE-2011-1552+.patch. > * gnu/local.mk (dist_patch_DATA): Change patch name. [...] Content analysis details: (2.2 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=helo; id=hera.aquilenet.fr; ip=141.255.128.1; r=debbugs.gnu.org] 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Debbugs-Envelope-To: 27943 Cc: Danny Milosavljevic , 27943@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit"

Efraim Flashner skribis: > From 3ae1af75fe7304a05ca8ac0edd8582d581108d05 Mon Sep 17 00:00:00 2001 > From: Efraim Flashner > Date: Thu, 30 Nov 2017 23:46:55 +0200 > Subject: [PATCH 2/2] gnu: t1lib: Change how patched CVEs are listed. > > * gnu/packages/fontutils.scm (t1lib)[source]: Change patch name. > [properties]: New field, register patched CVEs. > * gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: > Rename to CVE-2011-1552+.patch. > * gnu/local.mk (dist_patch_DATA): Change patch name. [...] > (patches (search-patches > - "t1lib-CVE-2010-2642.patch" > + "t1lib-CVE-2010-2642.patch" ; 2011-0443, 2011-5244 > "t1lib-CVE-2011-0764.patch" > - "t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.= patch")))) > + "t1lib-CVE-2011-1552+.patch")))) ; 2011-1553, 201= 1-1554 > (build-system gnu-build-system) > (arguments > ;; Making the documentation requires latex, but t1lib is also an inp= ut
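Review bot: the inline comment `; 2011-0443, 2011-5244` added on the `t1lib-CVE-2010-2642.patch` line does not agree with the properties hunk that follows, which lists "CVE-2011-0433"; the two differ by a digit transposition, so please check which identifier the patch actually addresses and use it in both places, otherwise the comment and the machine-readable list will point at different advisories. Also, the commit message says the file is renamed to CVE-2011-1552+.patch while the code refers to t1lib-CVE-2011-1552+.patch; the commit message should name the exact file, since gnu/local.mk must list that path for `make dist` to pick it up.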
> @@ -323,6 +323,10 @@ describe character bitmaps. It contains the bitmap = data as well as some > metric information. But t1lib is in itself entirely independent of the > X11-system or any other graphical user interface.") > (license license:gpl2) > + (properties `((fixed-vulnerabilities . ("CVE-2011-0433" > + "CVE-2011-1553" > + "CVE-2011-1554" > + "CVE-2011-5244"))))

Perhaps move ‘properties’ right below ‘patches’ for clarity. And s/fixed-vulnerabilities/lint-hidden-cve/. :-)

OK with these changes, thank you!

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 08 09:27:59 2018 Received: (at control) by debbugs.gnu.org; 8 Jan 2018 14:27:59 +0000 Received: from localhost ([127.0.0.1]:40375 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eYYP8-0007WP-Qc for submit@debbugs.gnu.org; Mon, 08 Jan 2018 09:27:58 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:35916) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eYYP6-0007WH-RQ for control@debbugs.gnu.org; Mon, 08 Jan 2018 09:27:57 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 6259F10812 for ; Mon, 8 Jan 2018 15:27:56 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UTP2GovHjSp0 for ; Mon, 8 Jan 2018 15:27:56 +0100 (CET) Received: from ribbon (unknown [193.50.110.243]) by hera.aquilenet.fr (Postfix) with ESMTPSA id D17D4107F6 for ; Mon, 8 Jan 2018 15:27:55 +0100 (CET) Date: Mon, 08 Jan 2018 15:27:55 +0100 Message-Id: <87efn0fms4.fsf@gnu.org> To: control@debbugs.gnu.org
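Review bot: the property added in this hunk is a suppression list for the CVE checker, yet nothing records why each of the four IDs is considered fixed (which patch or which upstream change addresses it), so a later reviewer cannot verify the claim and the entries will silently go stale when the version or the patch set changes; a short comment next to each ID, together with moving the property beside `patches` as suggested above, keeps the evidence next to the claim. The key name must also match whatever `assq-ref` looks up in the lint.scm hunk, so the rename to lint-hidden-cve requested above has to be applied in both files in the same series.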
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: control message for bug #27943 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+)

tags 27943 fixed
close 27943

From unknown Sun Jun 22 03:57:35 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Tue, 06 Feb 2018 12:24:07 +0000 User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
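The two ways of combining patch file names with a hidden-CVE property that this thread discusses (the submitted `(append patches known-safe)` with `string-contains`, and the exact `member` lookup proposed in the review), shown side by side as an added stand-alone Guile example. This is not code from the patch or from Guix itself: the `<vulnerability>` record type and the `hidden-cves` helper are constructed stand-ins for the (guix cve) and package objects the real checker uses, the sample input is constructed, and `CVE-2011-15530` and `CVE-0000-0000` are fictitious placeholders chosen only to show the substring pitfall and an unfixed entry.

```scheme
;; Added example, not part of the patch under review or of Guix itself.
;; It contrasts the substring matching of the submitted lint.scm hunk with
;; the exact matching suggested in the review.  The record type, the
;; hidden-cves helper and the sample data are constructed stand-ins for the
;; (guix cve) and package objects the real checker works with.
(use-modules (srfi srfi-1)    ; find, remove
             (srfi srfi-9)    ; define-record-type
             (srfi srfi-26))  ; cute

;; Constructed stand-in for the vulnerability records of (guix cve).
(define-record-type <vulnerability>
  (vulnerability id)
  vulnerability?
  (id vulnerability-id))

;; Patch file names as in the t1lib definition quoted in the thread.
(define t1lib-patches
  '("t1lib-CVE-2010-2642.patch"
    "t1lib-CVE-2011-0764.patch"
    "t1lib-CVE-2011-1552+.patch"))

;; Property alist in the shape the patch introduces, with the key renamed
;; to lint-hidden-cve as requested in the review.
(define t1lib-properties
  '((lint-hidden-cve . ("CVE-2011-0433" "CVE-2011-1553"
                        "CVE-2011-1554" "CVE-2011-5244"))))

;; assq-ref yields #f when the property is absent; default to '() so that
;; both 'append' and 'member' always receive a proper list.
(define (hidden-cves properties)
  (or (assq-ref properties 'lint-hidden-cve) '()))

;; Variant from the submitted hunk: hidden IDs are appended to the patch
;; names and every entry is matched with STRING-CONTAINS, i.e. as a
;; substring pattern.
(define (unpatched/substring patches hidden vulnerabilities)
  (remove (lambda (vuln)
            (find (cute string-contains <> (vulnerability-id vuln))
                  (append patches hidden)))
          vulnerabilities))

;; Variant suggested in the review: patch names are still searched as
;; substrings, because the ID is embedded in the file name, but the hidden
;; list is consulted with MEMBER, an exact string comparison.
(define (unpatched/exact patches hidden vulnerabilities)
  (remove (lambda (vuln)
            (let ((id (vulnerability-id vuln)))
              (or (find (cute string-contains <> id) patches)
                  (member id hidden))))
          vulnerabilities))

(define (report label unpatched)
  (format #t "~a: ~s~%" label (map vulnerability-id unpatched)))

;; Constructed NVD-style input for the package above.  Both variants agree
;; here: only the placeholder CVE-0000-0000 is reported as unpatched.
(define sample
  (map vulnerability
       '("CVE-2010-2642" "CVE-2011-0433" "CVE-2011-0764" "CVE-2011-1552"
         "CVE-2011-1553" "CVE-2011-1554" "CVE-2011-5244" "CVE-0000-0000")))

(report "substring, t1lib"
        (unpatched/substring t1lib-patches (hidden-cves t1lib-properties) sample))
(report "exact, t1lib"
        (unpatched/exact t1lib-patches (hidden-cves t1lib-properties) sample))

;; The pitfall: a hidden entry whose digits extend a shorter ID.
;; CVE-2011-15530 is fictitious, constructed for this example only.
;; Substring matching silences CVE-2011-1553 although nothing claims to fix
;; it; exact matching still reports it.
(define pitfall-hidden '("CVE-2011-15530"))
(define pitfall-sample (list (vulnerability "CVE-2011-1553")))

(report "substring, pitfall"
        (unpatched/substring t1lib-patches pitfall-hidden pitfall-sample))
(report "exact, pitfall"
        (unpatched/exact t1lib-patches pitfall-hidden pitfall-sample))

;; A package without the property must not break the checker: the default
;; from hidden-cves turns the missing key into an empty list.
(report "no property"
        (unpatched/exact t1lib-patches (hidden-cves '()) pitfall-sample))
```

Run it with `guile example.scm`: the t1lib runs both report only the placeholder, the pitfall run reports `()` under substring matching but `("CVE-2011-1553")` under exact matching, and the last line shows that defaulting the missing property to `'()` is what keeps the checker usable on ordinary packages.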