GNU bug report logs - #31444
'guix health': a tool to report vulnerable packages


Package: guix-patches;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Sun, 13 May 2018 22:43:02 UTC

Severity: normal

Tags: patch

Merged with 31442, 31443


From: ludo <at> gnu.org (Ludovic Courtès)
To: Martin Castillo <castilma <at> uni-bremen.de>
Cc: 31444 <at> debbugs.gnu.org
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 11:07:10 +0200
Hello,

Martin Castillo <castilma <at> uni-bremen.de> writes:

> On 14.05.2018 00:15, Ludovic Courtès wrote:
>> [...] shadow <at> 4.6 is available and fixes CVE-2018-7169, consider ugprading
>                                                                   ^typo
>
>> Should we satisfy ourselves with the current approach in the meantime?
>
> Release early and often would say yes. But I'm not an experienced developer.

OK.

> I have the feeling that guix lint does not cache the CVEs it fetches. I
> think it should.

It does: it caches them in ~/.cache/guix/http and then uses
‘If-Modified-Since’ to avoid re-fetching the database if the cached copy
is up-to-date.

Now the 2018 database obviously keeps changing, so caching helps when
you’re running ‘guix lint’ several times in a row (say while reviewing
packages), but it doesn’t help much if you run it once a day or less.

Also, it fetches the whole database for a year.  I think they publish
diffs as well, but using them seems tricky.

Ludo’.
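The caching behaviour described in the message above (body kept on disk, revalidated with ‘If-Modified-Since’, and a full re-download whenever the year's feed has been republished), as an added illustration in Python; this is not Guix code. The feed URL is a placeholder and the HTTP server is simulated in memory so the example runs offline.

```python
"""Conditional-GET cache for a yearly CVE feed, mirroring the behaviour the
message describes: keep the body on disk, revalidate with If-Modified-Since.
Added example, not Guix code; the remote server is simulated in memory."""
import hashlib, json, tempfile
from email.utils import parsedate_to_datetime
from pathlib import Path

# Constructed stand-in for the feed URL (placeholder, not the real NVD address).
FEED_URL = "https://example.invalid/nvdcve-2018.json"

def make_fake_server(feed):
    """feed maps URL -> (Last-Modified HTTP date, body). Returns a GET function
    that honours If-Modified-Since like a real server: 304 when not newer."""
    def get(url, if_modified_since=None):
        last_mod, body = feed[url]
        if if_modified_since and (parsedate_to_datetime(if_modified_since)
                                  >= parsedate_to_datetime(last_mod)):
            return 304, last_mod, b""
        return 200, last_mod, body
    return get

class HttpCache:
    """Disk cache keyed by URL hash, storing the body and its Last-Modified date."""
    def __init__(self, root, get):
        self.root, self.get, self.downloads = Path(root), get, 0
        self.root.mkdir(parents=True, exist_ok=True)

    def fetch(self, url):
        key = self.root / hashlib.sha256(url.encode()).hexdigest()
        meta = key.with_suffix(".meta")
        ims = json.loads(meta.read_text())["last_modified"] if meta.exists() else None
        status, last_mod, body = self.get(url, ims)
        if status == 304:                 # cached copy is still current
            return key.read_bytes()
        self.downloads += 1               # a full transfer of the whole year's feed
        key.write_bytes(body)
        meta.write_text(json.dumps({"last_modified": last_mod}))
        return body

def demo():
    """Back-to-back runs share one download; once the feed is republished the
    304 path no longer applies and the whole database is fetched again."""
    feed = {FEED_URL: ("Sun, 13 May 2018 22:00:00 GMT", b'["CVE-2018-7169"]')}
    cache = HttpCache(tempfile.mkdtemp(), make_fake_server(feed))
    first, second = cache.fetch(FEED_URL), cache.fetch(FEED_URL)
    after_two_runs = cache.downloads                           # 1
    feed[FEED_URL] = ("Mon, 14 May 2018 09:00:00 GMT",
                      b'["CVE-2018-7169", "CVE-2018-NNNNN"]')  # NNNNN: placeholder id
    third = cache.fetch(FEED_URL)
    return after_two_runs, cache.downloads, first == second, b"NNNNN" in third

if __name__ == "__main__":
    print(demo())  # (1, 2, True, True)
```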



