GNU bug report logs - #31444
'guix health': a tool to report vulnerable packages
Hi!
zimoun <zimon.toutoune <at> gmail.com> wrote:
> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. In other words, “guix graph” should help to manipulate the graph of
> packages.
I don’t think so.
One reason is that ‘guix lint’ is really a generic tool for package
developers that happens to include a ‘cve’ checker; apart from that,
it’s not designed for CVE handling.
More importantly, ‘guix health’ needs info not available in the output
of ‘guix lint’: it needs the CPE name of each package in the graph,
along with the list of known-fixed CVEs.
>> Fundamentally, that means we cannot reliably tell much about
>> dependencies: in cases where the CPE name differs from the Guix name, we
>> won’t have any match, and more generally, we cannot know what CVEs are
>> patched in the package; we could infer part of this by looking at the
>> same-named package in the current Guix, but that’s hacky.
>>
>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix. We could do that for search paths as
>> well.
>
> What is the status of this idea?
The idea is still up in the air. :-)
In the meantime, package metadata is added to manifest entries.
Ludo’.
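As an added illustration of the matching step discussed above (example code written for this page, not code from Guix or from this thread): each package carries an optional CPE product name and the set of CVEs already fixed by its patches, and a package whose CPE name differs from its Guix name only matches the feed when that override is present. The packages, feed and CVE ids below are constructed placeholders, and the version comparison is a simplified numeric one.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.9.8' -> (2, 9, 8); non-numeric parts compare as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

@dataclass(frozen=True)
class Package:
    name: str                              # Guix package name
    version: str
    cpe_name: Optional[str] = None         # CPE product name when it differs from the Guix name
    patched_cves: frozenset = frozenset()  # CVEs already fixed by Guix patches

@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cpe_product: str
    affected_below: str                    # versions strictly below this are affected

# Constructed sample data; the CVE ids are placeholders, not real advisories.
SAMPLE_FEED = (
    CveRecord("CVE-0000-0001", "python", "2.7.16"),
    CveRecord("CVE-0000-0002", "libxml2", "2.9.9"),
    CveRecord("CVE-0000-0003", "libxml2", "2.9.9"),
)
SAMPLE_PACKAGES = (
    Package("python2", "2.7.15", cpe_name="python"),   # Guix name != CPE name
    Package("python", "3.6.5"),                        # same name, unaffected version
    Package("libxml2", "2.9.8", patched_cves=frozenset({"CVE-0000-0002"})),
    Package("guile", "2.2.3"),                         # no feed entries at all
)

def vulnerable_packages(packages: Iterable[Package],
                        feed: Iterable[CveRecord]) -> Dict[str, List[str]]:
    """Map each affected Guix package name to its sorted list of unpatched CVE ids."""
    report: Dict[str, List[str]] = {}
    for pkg in packages:
        product = pkg.cpe_name or pkg.name  # without the override, only the Guix name is tried
        hits = sorted(
            rec.cve_id for rec in feed
            if rec.cpe_product == product
            and version_tuple(pkg.version) < version_tuple(rec.affected_below)
            and rec.cve_id not in pkg.patched_cves)
        if hits:
            report[pkg.name] = hits
    return report

if __name__ == "__main__":
    for name, cves in vulnerable_packages(SAMPLE_PACKAGES, SAMPLE_FEED).items():
        print(f"{name}: {', '.join(cves)}")
```

Dropping the `cpe_name` override from `python2` makes it silently disappear from the report, which is the missed-match case the message describes.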