GNU bug report logs - #31444
'guix health': a tool to report vulnerable packages

Previous Next

Package: guix-patches;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Sun, 13 May 2018 22:43:02 UTC

Severity: normal

Tags: patch

Merged with 31442, 31443

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, Mathieu Othacehe <othacehe <at> gnu.org>, 31444 <at> debbugs.gnu.org, 31442 <at> debbugs.gnu.org, zimoun <zimon.toutoune <at> gmail.com>
Subject: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Fri, 08 Sep 2023 18:25:53 +0200

Hello!

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:

> zimoun <zimon.toutoune <at> gmail.com> writes:

[...]

>>> This ‘guix health’ reports information about “leaf” packages in a
>>> profile, but not about their dependencies:
>>
>> Well, I do not know what was the idea at the time. :-)
>> (The search http://logs.guix.gnu.org/guix/search?query=nick%3Adavidl
>> does not list logs before 2019 for the nickname.  Do I miss something?)
>>
>> And I do not know if the idea is to report only “leaf” packages.

Reporting only leaf packages was a limitation, not a goal.  The
limitation stemmed from the fact that, to determine whether a package is
vulnerable, we need to (1) map its store file name to its package name,
and (2) map its package name to its CPE name.

We can do #1 via manifests, but only for leaf packages (because there’s
no metadata available for other store items).

>> Well, instead to create another new command, I think it would be better
>> to include the “leaf” packages to “guix graph” and then pipe to “guix
>> lint”.  Other said, “guix graph” should help to manipulate the graph of
>> packages.
>
> I like this idea to allow composing our already existing commands, the
> UNIX way.  It'd be useful not just for this use case, but to better
> exploit the Guix command line API in general.

I’m all for composition, who wouldn’t?  :-)

I think composition works best within a rich language; sending text over
pipes is often too limited.

[...]

> Ludo, if your proposition has gone stale and you don't plan to work on
> it anytime soon, feel free to close it.

There’s been progress since I posted this patch: manifests now include
provenance info, which means we can map profiles back to package
definitions!  So we could make a proper ‘guix health’ at this stage.

I’d like to say I’ll work on it soon but reality is that I’m a bit
swamped.  Anyhow, I think it remains a useful tool, and whether it’s me
or someone else working on it, we should probably aim for it at some
point.

Thanks,
Ludo’.
This bug report was last modified 1 year and 273 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.