GNU bug report logs - #27943
tar complains about too-long names (guix release)

Package: guix

Reported by: Danny Milosavljevic <dannym <at> scratchpost.org>

Date: Fri, 4 Aug 2017 07:23:01 UTC

Severity: important

Tags: fixed

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


Message #31 received at 27943 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Danny Milosavljevic <dannym <at> scratchpost.org>, 27943 <at> debbugs.gnu.org
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Date: Sat, 02 Dec 2017 10:55:05 +0100

Efraim Flashner <efraim <at> flashner.co.il> writes:

> From ad48d84c8659985d706cfe2f8e07314d6017611a Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <efraim <at> flashner.co.il>
> Date: Thu, 30 Nov 2017 23:41:29 +0200
> Subject: [PATCH 1/2] lint: 'check-vulnerabilities' also checks package
>  properties.
>
> * guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
> listed as mitigated in the package properties.
> ---
>  guix/scripts/lint.scm | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
> index 1b43b0a63..8112595c8 100644
> --- a/guix/scripts/lint.scm
> +++ b/guix/scripts/lint.scm
> @@ -7,6 +7,7 @@
>  ;;; Copyright © 2016 Hartmut Goebel <h.goebel <at> crazy-compilers.com>
>  ;;; Copyright © 2017 Alex Kost <alezost <at> gmail.com>
>  ;;; Copyright © 2017 Tobias Geerinckx-Rice <me <at> tobias.gr>
> +;;; Copyright © 2017 Efraim Flashner <efraim <at> flashner.co.il>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -881,10 +882,11 @@ the NIST server non-fatal."
>                                       (or (and=> (package-source package)
>                                                  origin-patches)
>                                           '())))
> +              (known-safe (assq-ref (package-properties package) 'fixed-vulnerabilities))

Can you change that to ‘lint-hidden-cve’ as Leo suggested?

>                (unpatched (remove (lambda (vuln)
>                                     (find (cute string-contains
>                                             <> (vulnerability-id vuln))
> -                                         patches))
> +                                         (append patches known-safe)))
>                                   vulnerabilities)))
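
Review bot: the new ‘known-safe’ binding has no default, so it is #f for every package that lacks a ‘fixed-vulnerabilities’ property (‘assq-ref’ returns #f on a missing key), and ‘(append patches known-safe)’ then produces a non-list: #f when ‘patches’ is empty, an improper list otherwise. ‘find’ fails with a wrong-type error once it reaches that tail, so the checker would abort on ordinary packages instead of reporting their CVEs. Default the binding to the empty list, for example ‘(or (assq-ref (package-properties package) 'fixed-vulnerabilities) '())’. Also, entries of ‘known-safe’ go through the same ‘string-contains’ test as patch file names, so a property entry hides any CVE whose id is a substring of it; comparing ids exactly avoids silencing an unrelated vulnerability.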

To be accurate, we’d rather do:

  (remove (lambda (vuln)
            (let ((id (vulnerability-id vuln)))
              (or (find … patches)
                  (member id known-safe))))
          …)

Also could you add a simple test in tests/lint.scm?  You can start from
one of the existing CVE tests in there and just add a ‘properties’ field
to the test package.

Thank you!

Ludo’.




This bug report was last modified 7 years and 137 days ago.
