From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 03:00:04 2019
Received: (at submit) by debbugs.gnu.org; 29 Nov 2019 08:00:04 +0000
Received: from localhost ([127.0.0.1]:59331 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iabC7-0000y8-U0
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 03:00:04 -0500
Received: from lists.gnu.org ([209.51.188.17]:43732)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@oz.net>) id 1iabC5-0000xF-Tx
 for submit@debbugs.gnu.org; Fri, 29 Nov 2019 03:00:03 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:43745)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <bokr@oz.net>) id 1iabC2-0002SA-IC
 for bug-guix@gnu.org; Fri, 29 Nov 2019 03:00:00 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_LOW
 autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <bokr@oz.net>) id 1iabBw-000272-4l
 for bug-guix@gnu.org; Fri, 29 Nov 2019 02:59:55 -0500
Received: from imta-38.everyone.net ([216.200.145.38]:58118)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <bokr@oz.net>) id 1iabBv-0001qt-Ry
 for bug-guix@gnu.org; Fri, 29 Nov 2019 02:59:52 -0500
Received: from pps.filterd (omta003.sj2.proofpoint.com [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id xAT7xHaf019699;
 Thu, 28 Nov 2019 23:59:47 -0800
X-Eon-Originating-Account: YAOVHFHREiSPe400ra6mogcACNu_LYSS-9rDrkL0a50
X-Eon-Dm: m0116293.ppops.net
Received: by m0116293.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116293.5dc217be.4c030e; Thu, 28 Nov 2019 23:59:46 -0800
X-Eon-Sig: AQMHrIJd4M/yF88RbgIAAAAC,ded51b802eb16bcfd03c18ae8269d7c5
X-Eip: SDCQkL3IZJ1eHnDaWiHLGNIyyrnKOYJzbGqUZTNa_JQ
Date: Thu, 28 Nov 2019 23:59:38 -0800
From: Bengt Richter <bokr@bokr.com>
To: New-Bug <bug-guix@gnu.org>
Subject: .png files in /gnu/store with executable permissions (555)
Message-ID: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2019-11-29_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-1911290069
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy]
X-Received-From: 216.200.145.38
X-Spam-Score: -1.1 (-)
X-Debbugs-Envelope-To: submit
Cc: Mark H Weaver <mhw@netris.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@bokr.com>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.1 (--)

Hi Guix,

I was wanting to check on some executable files in the store,
and happened to see some executable .png files ;-/

I suspect they came in when I was playing with icecat
and let it load  a "theme", but I am not sure some didn't
also happen trying to get firefox radio buttons to work ;-/

Anyway, does anyone else get 555 permissions on files like these?
These are all *.png files with 555 permissons, but I trimmed back to see common prefixes.
Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.

Is this zero-day stuff with a nasty somewhere, waiting for referencing by another nasty, or am I being paranoid?
What is the safe way to detoxify this mess? I know I shouldn't directly chmod anything in store, right?

The icecat discussion got moved to mozilla, but in case someone else did whatever I did,
I thought I'd post a heads-up here.
I'll try to cc Mark :)

$ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
--8<---------------cut here---------------start------------->8---
      1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
      1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
     97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
      1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
  34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
      1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
     62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
      1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
      1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'

--8<---------------cut here---------------end--------------->8---

-- 
Regards,
Bengt Richter




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 04:49:15 2019
Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 09:49:15 +0000
Received: from localhost ([127.0.0.1]:59366 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iactm-0003SB-V4
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 04:49:15 -0500
Received: from sender4-of-o54.zoho.com ([136.143.188.54]:21416)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@elephly.net>) id 1iactl-0003S3-3Y
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 04:49:14 -0500
ARC-Seal: i=1; a=rsa-sha256; t=1575020950; cv=none; 
 d=zohomail.com; s=zohoarc; 
 b=JpsYR/Au0lMjGLOfRTD1pU9uocZSYh37iof5XAYdxrDTtEsRJNyCORKGkGkbPnYLkR7MUxrz+v6OQd9ViXJyE94ImuBXCWsaF+obgwpOi5gNHK6HHgVe1ZXzh/nGamYKIaXSxmMafA3rKk7rFsVg4DcA02YMi8ezFx+OKXuaeGg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc; t=1575020950;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To;
 bh=W1sWKFTtBKAxVKtnIAd7P0xC7dpeO/dFGVW7uBkHlY4=; 
 b=WU4ajehkes8x4KpKJCnVth+DqZ9BnilBKQRAbOpMTx2R3jvRdzQ/HSxUmbi2+RK889WqTY4QBRmD49M90mPE5+IFZKXLeuD5E7XpZdq9aMKdJUk1esugSNbrYUfKxzHqYuFJFy30sH0SnN/SJ912HShsox7qpimLoMhICDHRvCw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
 dkim=pass  header.i=elephly.net;
 spf=pass  smtp.mailfrom=rekado@elephly.net;
 dmarc=pass header.from=<rekado@elephly.net> header.from=<rekado@elephly.net>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1575020950; 
 s=zoho; d=elephly.net; i=rekado@elephly.net;
 h=References:From:To:Cc:Subject:In-reply-to:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding;
 bh=W1sWKFTtBKAxVKtnIAd7P0xC7dpeO/dFGVW7uBkHlY4=;
 b=cb7176EvKGeDxR9pNLltQHa+DOwlXOXcb1o4IdbWA2l/V2yBDU6zN9RJF0Wpvgu8
 9m/zOTQt5BFqXeXJzDoPw7xlBCn9tYk4BcngwgRpnMB55HTW26sB52sliH0VW9qhxPR
 /6bOtxFWJybbxWJTqb4xhQarq7iUGlHO0ZEQSlO4=
Received: from localhost (p54AD4E2A.dip0.t-ipconnect.de [84.173.78.42]) by
 mx.zohomail.com with SMTPS id 1575020950042370.6568247833118;
 Fri, 29 Nov 2019 01:49:10 -0800 (PST)
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
User-agent: mu4e 1.2.0; emacs 26.3
From: Ricardo Wurmus <rekado@elephly.net>
To: Bengt Richter <bokr@bokr.com>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
In-reply-to: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
X-URL: https://elephly.net
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
Date: Fri, 29 Nov 2019 10:49:06 +0100
Message-ID: <87r21r9fn1.fsf@elephly.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


Bengt Richter <bokr@bokr.com> writes:

> $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut=
 -d '-' -f5,6,7,8|less|uniq -c|less
> --8<---------------cut here---------------start------------->8---
>       1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6=
fl7srpng'
>       1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n=
89aplpng'
>      97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdpar=
ttopng'
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtop=
ng'
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpn=
g'
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2to=
png'
>       1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-201804=
14/bin/dvipng'
>   34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
>       1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/b=
in/dvipng'
>      62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1=
/xml/xsl/docbook
>       1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-201804=
14/bin/dvipng'
>       1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-4943=
5/bin/dvipng'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdpar=
ttopng'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtop=
ng'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpn=
g'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2to=
png'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdpar=
ttopng'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtop=
ng'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpn=
g'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2to=
png'
>
> --8<---------------cut here---------------end--------------->8---

Maybe I=E2=80=99m missing something, but none of the above are PNGs.
Most of them are executables, others are directories, so having them
executable is expected.

Did I misunderstand?

--=20
Ricardo





From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 06:00:06 2019
Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 11:00:06 +0000
Received: from localhost ([127.0.0.1]:59403 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iae0M-000573-E5
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 06:00:06 -0500
Received: from mail-qt1-f174.google.com ([209.85.160.174]:45809)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1iae0J-000560-JO
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 06:00:05 -0500
Received: by mail-qt1-f174.google.com with SMTP id p5so1282871qtq.12
 for <38422@debbugs.gnu.org>; Fri, 29 Nov 2019 03:00:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=a0SRLHYEcmn0i9x4xx7bEV67I9fvfMKaoGKyW0+IUFs=;
 b=kMoUYVM8cXcDQWuDt4tpzHJ227S0Z/vtSBZ0C2x1eMy0veVst2qlj2bS72fe/RIwdW
 7RFg4ua7v7c6ZccvBLWpcnGYEsJ2JFs0rdGU3/8usw4FloYaiOOKZNbIld2YBVa/G1Tu
 FV+TnQKDKBMQ4BzgFqfQpqTPpUS2mMpL0XBERc0czJ6NMsw19GQ+agIrF9umjSfHlIsS
 7G77eMuXwdkGB0txLLsRn20+1wp0DrJG6dxV8FV6wtwuJQvrVvar6yXTPhFYl99OXCq3
 Jep+8HIPXsbyrXK/0y5zUulfkcLU9PfKdA3BMeEKj6kP7yoSzhledWlvTdbljjZ90Q2D
 tQMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=a0SRLHYEcmn0i9x4xx7bEV67I9fvfMKaoGKyW0+IUFs=;
 b=jKG3GRp+1EHIkDhf+COdC6CH+8UnK6EE3gcOQWRjJPraLFQCplyVbfsGUjxoHNdjWN
 LC1tmkSXz/J7y4HQ5jfu7F1D6OIgNwvOLwn1v+eqdVt6Ezv5Z+9joOWcs1CXbiHf/Ui/
 eleJj2EmK557wY2lDZQZ5++RDd8bklVzKz43a0QEs2i+lt6EbvCZ4Hv5EbuRGNMRYCZw
 AWL5QNRrUAe9zKWbibMfNpZM1LMxgLcbuvmg/HMscEP/rUZVNs0oyx2/+eNT118GD9h7
 6HvFXhZ34zggvlB2vzFIMo6TYRKK+ZDXvH42E2bgWQAA0SlW8JBsNhHL/e3HiR5wuFdt
 Pokg==
X-Gm-Message-State: APjAAAWqgb+CycPSZ1kJQHyLimA079PUUV7Gq9CtRdl54n+9hlhI7wKS
 eTyPqpmIJ8jKsnTWY4+7t0gBFwCkqxILqTtqbbeN1HTI
X-Google-Smtp-Source: APXvYqyEQYCdA7+VnnboaF1NcfqzjdJXM9KxK4abHnLKNJ458kBWxykh+vOvMAktsEfA9bEpzKcolt9NtkyfXdsKwRU=
X-Received: by 2002:ac8:7957:: with SMTP id r23mr49126150qtt.211.1575025198009; 
 Fri, 29 Nov 2019 02:59:58 -0800 (PST)
MIME-Version: 1.0
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <87r21r9fn1.fsf@elephly.net>
In-Reply-To: <87r21r9fn1.fsf@elephly.net>
From: zimoun <zimon.toutoune@gmail.com>
Date: Fri, 29 Nov 2019 11:59:46 +0100
Message-ID: <CAJ3okZ21-vxmBFrHp=26Cz7VMa+Z-e=i5o1wB8oGsE+96-M3pg@mail.gmail.com>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
To: Ricardo Wurmus <rekado@elephly.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org, Bengt Richter <bokr@bokr.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

On Fri, 29 Nov 2019 at 11:43, Ricardo Wurmus <rekado@elephly.net> wrote:

> Maybe I=E2=80=99m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having them
> executable is expected.

I am not sure to understand the issue but for example:

   find /gnu/store/ -type f -perm /111 -iname '*.png' -print

returns this file:

/gnu/store/xj7kn8vw1nkcg7qpl3491b831p88i9wn-python-coverage-4.5.3/lib/pytho=
n3.7/site-packages/coverage/htmlfiles/keybd_open.png


Hope that helps,
simon




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 06:28:34 2019
Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 11:28:35 +0000
Received: from localhost ([127.0.0.1]:59432 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iaeRu-0005pN-Ic
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 06:28:34 -0500
Received: from tobias.gr ([80.241.217.52]:53814)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1iaeRq-0005pC-UF
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 06:28:33 -0500
Received: by tobias.gr (OpenSMTPD) with ESMTP id 3addb680;
 Fri, 29 Nov 2019 11:28:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=tobias.gr; h=from:to
 :subject:references:in-reply-to:date:message-id:mime-version
 :content-type; s=2018; i=me@tobias.gr; bh=eiIe0HUeFM6ugvSSvTmEMC
 eXW31/SwigZIR/6XLIHRo=; b=Z88yWK/oN42kLHeoU+ZtoJLhT4PJoVOi4lh5J9
 fINkt7G+eM/aI4PbOgacXyorR+bCO8Oss7ioErU78DVK8Fj+so9QCQpv6wXwfsj6
 1iW0O801QHP0eBQZVVitDHBcB2TIkwijeswKdqg7deoN7Oar83A1PxVk9YcrH5AF
 4edzn+4stsAG6LR8uD+bXXWzy6Kwpd7NgW8MnpzU8IpzI/fyx1rA4/uK2OplYcCs
 Fr0t3QMEFlMeMwMJtrihKah2CVIu4CvoZB10zqd1eQv+XaCWA43M7EC3cJJJyrAY
 o7JWdALQQcgPryLRTrvuFipRT+6YGTVXEloExpBWQAB9qJ7w==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id fd0a6cc7
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Fri, 29 Nov 2019 11:28:27 +0000 (UTC)
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Bengt Richter <bokr@bokr.com>, 38422@debbugs.gnu.org
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <87r21r9fn1.fsf@elephly.net>
In-reply-to: <87r21r9fn1.fsf@elephly.net>
Date: Fri, 29 Nov 2019 12:28:26 +0100
Message-ID: <87r21q9b1h.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 38422
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Bengt, Ricardo,

I see similar results here with =E2=80=98guix install moka-icon-theme=E2=80=
=99,=20
and I'm sure the rest of my (and everyone's) store is full of=20
misperm'd files too.  It's kind of generally known.

This seems to be particularly common in Meson packages: for some=20
reason, Meson installs everything as executable by default.

Bengt Richter =E5=86=99=E9=81=93=EF=BC=9A
> Is this zero-day stuff with a nasty somewhere, waiting for=20
> referencing
> by another nasty, or am I being paranoid?

What's the threat model there?  Respectfully, I think you might=20
be, but maybe I'm naive=E2=80=A6

Otherwise I consider this a merely cosmetic issue, but we still=20
welcome fixes for those!

Checking whether Meson behaves differently on other distributions=20
would be a good start.

Ricardo Wurmus =E5=86=99=E9=81=93=EF=BC=9A
> Bengt Richter <bokr@bokr.com> writes:
>
>> $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a=20
>> %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
>> --8<---------------cut=20
>> here---------------start------------->8---
>>       1 x=20
>>       '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7=
srpng'
>>       1 x=20
>>       '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89a=
plpng'
>>      97 x=20
>>      '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdpartto=
png'
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
>>       1 x=20
>>       '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/=
bin/dvipng'
>>   34143 x=20
>>   '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
>>       1 x=20
>>       '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/=
dvipng'
>>      62 x=20
>>      '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml=
/xsl/docbook
>>       1 x=20
>>       '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/=
bin/dvipng'
>>       1 x=20
>>       '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/b=
in/dvipng'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdpartto=
png'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdpartto=
png'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'
>>
>> --8<---------------cut=20
>> here---------------end--------------->8---
>
> Maybe I=E2=80=99m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having=20
> them
> executable is expected.

Bengt's clever pipeline tallies the number of executable *png=20
files in each top-level store directory.  It does not include=20
directories.

It's true that the '*png' above should be replaced with '*.png',=20
but these /bin files are just the very noisy outliers.

The meat is in:

> 34143 x=20
> '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme

i.e. 34143 executable '*png' files in that directory alone.

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl3hANoACgkQ2Imw8BjF
STyoQw/8DY28FMGC7nexg4kH6CfHc7IQS3YoWG6EosQfagSQdKF0dZlWtQhuDLLH
l3e3yhXI03Aumu+mI/TkZcpNmUAWmkeuWUqlqb3ZRjQvbLUJaztRj23bb/ahVzQi
WGfHM9GejPLMDg70947V/SQPYcRo4MYf9lL5n2rEL2DvagSaTU6JfeOXbw3Xkchz
+AhyLvAPqt+8G8YIGSs7cyqYx/id+Gwal6rqs6zae0jD7dw/rIAOjqiDiCUPvGGD
U0saWXxkNi3YRpLsUExBj+RkCs8ZqATHq4/nB0a2aWbx4P3VjDlnZB+gAwLw4EB9
CidFl9QfiF6JzYtrYDuW7vN2mks/2hJjMNwrHXubeA8P4oMybOL20R43sGnBBy6J
WKi/S7toUAy2B4FV91d2GD2aqk62rScyMYN6tVFHmZaGA1s2hWAtrMns1xGz2ERq
XWsZd6DookQ9ezZlpw2M+WWLzKA4D8whZWE2WNIfVCEQw752liWScawQMJyJ3ahk
ZzOeNZs001esxdyoorYrZLRVHvAJ9SQrLXEnKNf7vQOR/WztKRM3UQlyyuQr4pFQ
agSRmHGwBKfKJ7+UzvOdRPXdkCzwI9TpS7sG6mtWgO2wF6AfUMfJhMnHmLw532U7
tQG9DltBQNx/CDt9zgp4JI9skaSTVlJs+S+hBiWVAebE6AqMvyw=
=aFZ0
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 07:21:43 2019
Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 12:21:43 +0000
Received: from localhost ([127.0.0.1]:59665 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iafHL-0007Qw-0n
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 07:21:43 -0500
Received: from world.peace.net ([64.112.178.59]:53160)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1iafHI-0007Qp-L1
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 07:21:41 -0500
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89)
 (envelope-from <mhw@netris.org>)
 id 1iafHH-0004CZ-NW; Fri, 29 Nov 2019 07:21:39 -0500
From: Mark H Weaver <mhw@netris.org>
To: Bengt Richter <bokr@bokr.com>
Subject: Re: .png files in /gnu/store with executable permissions (555)
In-Reply-To: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
Date: Fri, 29 Nov 2019 07:20:41 -0500
Message-ID: <878sny6fgr.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Bengt,

Bengt Richter <bokr@bokr.com> wrote:
> I was wanting to check on some executable files in the store,
> and happened to see some executable .png files ;-/
> 
> I suspect they came in when I was playing with icecat
> and let it load  a "theme", but I am not sure some didn't
> also happen trying to get firefox radio buttons to work ;-/

Certainly not.  Unless you ran icecat as root, it would not have
sufficient permissions to modify /gnu/store.  Installing a theme or
addon in IceCat, or changing its configuration, modifies files in your
~/.mozilla, not /gnu/store.

> Anyway, does anyone else get 555 permissions on files like these?
> These are all *.png files with 555 permissons, but I trimmed back to see common prefixes.
> Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.

I looked at docbook-xsl-1.79.1, since I happen to have it installed on
my system.  Some of the *.png files are incorrectly given executable
permissions within the upstream source tarball itself.  I guess it's
probably the same issue with moka-icon-theme and faba-icon-theme, since
I don't see anything in our package code that would have done it.

Most of the entries in your list that end with "png" but not ".png" are
actually programs whose name ends with "png", so they *should* be
executable.  The files in /gnu/store/.links that end with "png" are just
random chance, because the file names themselves are hashes.

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

I think you're being paranoid in this case.  I don't see anything here
to be concerned about, just some minor sloppiness by 3 upstreams.

> What is the safe way to detoxify this mess?

The proper solution is to send bug reports to the upstream developers of
docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix
the permissions of the *.png files in their source tarballs.

> I know I shouldn't directly chmod anything in store, right?

Right, *never* modify files in /gnu/store directly.

> The icecat discussion got moved to mozilla,

Which discussion are you referring to?

     Thanks,
       Mark




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 07:22:51 2019
Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 12:22:52 +0000
Received: from localhost ([127.0.0.1]:59669 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iafIR-0007Sl-CV
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 07:22:51 -0500
Received: from imta-37.everyone.net ([216.200.145.37]:51410
 helo=imta-38.everyone.net)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@oz.net>) id 1iafIP-0007Sb-Bp
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 07:22:50 -0500
Received: from pps.filterd (m0004962.ppops.net [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id xATCB3vh023623;
 Fri, 29 Nov 2019 04:22:47 -0800
X-Eon-Originating-Account: 2FqbA40Ms6ZfKL-so9lBOWqkkLvyuXpURdt_i14vcyw
X-Eon-Dm: m0116787.ppops.net
Received: by m0116787.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116787.5dc217be.5c4a4e; Fri, 29 Nov 2019 04:22:46 -0800
X-Eon-Sig: AQMHrIJd4Q2W8c/n7gIAAAAC,6c1063df24dad3d9a0ffc771ecc55af6
X-Eip: f5BFQQHdr76i77yBP2OAMBoJR8WPf_ALW2ZBo-3DFBc
Date: Fri, 29 Nov 2019 04:22:36 -0800
From: Bengt Richter <bokr@bokr.com>
To: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
Message-ID: <20191129122236.GA67682@PhantoNv4ArchGx.localdomain>
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <87r21r9fn1.fsf@elephly.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87r21r9fn1.fsf@elephly.net>
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2019-11-29_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-1911290108
X-Spam-Score: -0.4 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@bokr.com>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

Hi Ricardo,

On +2019-11-29 10:49:06 +0100, Ricardo Wurmus wrote:
> 
> Bengt Richter <bokr@bokr.com> writes:
> 
> > $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
> > --8<---------------cut here---------------start------------->8---
> >       1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
> >       1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
> >      97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
> >       1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
> >   34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
> >       1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
> >      62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
> >       1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
> >       1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'
> >
> > --8<---------------cut here---------------end--------------->8---
> 
> Maybe I’m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having them
> executable is expected.
> 
> Did I misunderstand?
>

No, you just didn't see it ;-)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ Sorry I didn't highlight well enough that I had trimmed off the full paths that ended in .png │
│ in what you snipped out above the above (see box below):                                      │
└───────────────────────────────────────────────────────────────────────────────────────────────┘

--8<----(the part you snipped out)-----------cut here---------------start------------->8---
Hi Guix,

I was wanting to check on some executable files in the store,
and happened to see some executable .png files ;-/

I suspect they came in when I was playing with icecat
and let it load  a "theme", but I am not sure some didn't
also happen trying to get firefox radio buttons to work ;-/

Anyway, does anyone else get 555 permissions on files like these?
┌───────────────────────────────────────────────────────────────────────────────────────────┐
│ These are all *.png files with 555 permissons, but I trimmed back to see common prefixes. │
│ Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.         │
└───────────────────────────────────────────────────────────────────────────────────────────┘

Is this zero-day stuff with a nasty somewhere, waiting for referencing by another nasty, or am I being paranoid?
What is the safe way to detoxify this mess? I know I shouldn't directly chmod anything in store, right?

The icecat discussion got moved to mozilla, but in case someone else did whatever I did,
I thought I'd post a heads-up here.
I'll try to cc Mark :)
--8<----(the part you snipped out)-----------cut here---------------end--------------->8---


Note the cut -d '-' etc from above
--8<---------------cut here---------------start------------->8---
> > $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
--8<---------------cut here---------------end--------------->8---

I thought the 34143 moka-icon-theme items looked especially iffy, being so many:
--8<---------------cut here---------------start------------->8---
> >   34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
--8<---------------cut here---------------end--------------->8---

So let's not cut that tail and just grab some of those moka-icon-theme items full length:
$ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|grep moka-icon-theme|head
--8<---------------cut here---------------start------------->8---
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-synced.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-synchronizing.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-synced-callbacks-active.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-syncing.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-dropbox-uptodate.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-readonly.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-important.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-danger.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-web.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-symbolic-link.png'
--8<---------------cut here---------------end--------------->8---

Some executables ending in png are legit, like conversion programs from something to .png format.

> -- 
> Ricardo
> 

PS. Thinking about it, I'm pretty sure I used normal guix install ... yes:

--8<----(555s were in source tarball)-----------cut here---------------start------------->8---
$ guix package -I|grep -i moka
moka-icon-theme 5.4.0   out     /gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0
$ mkdir ~/my-roots
$ guix build -r ~/my-roots/moka -S moka-icon-theme
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
67.4 MB will be downloaded:
   /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz
substituting /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz...
downloading from https://ci.guix.gnu.org/nar/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz...
 moka-icon-theme-5.4.0.tar.gz  64.3MiB                                                                                1.5MiB/s 00:44 [##################] 100.0%

/gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz
$ lsc ~/my-roots/*
                 72 2019-11-29 03:53:27 [@] /home/bokr/my-roots/moka -> /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz
$ tar -tzvf ~/my-roots/moka|egrep -m5 'png$'
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/exit.png -> system-log-out.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-lockscreen.png -> system-lock-screen.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-logout.png -> system-log-out.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-run.png -> system-run.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-session-reboot.png -> system-restart.png

Oops, those were links, let's try again:

$ tar -tzvf ~/my-roots/moka|egrep -m5 '^[^l].*png$'
-rwxrwxr-x root/root       633 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-lock-screen.png
-rwxrwxr-x root/root       537 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-log-out.png
-rwxrwxr-x root/root       554 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-restart.png
-rwxrwxr-x root/root       549 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-run.png
-rwxrwxr-x root/root       544 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-shutdown.png
--8<----(555s were in source tarball)-----------cut here---------------end--------------->8---

-- 
Regards,
Bengt Richter




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 10:03:45 2019
Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 15:03:45 +0000
Received: from localhost ([127.0.0.1]:33407 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iaho9-0002oK-Cu
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 10:03:45 -0500
Received: from imta-37.everyone.net ([216.200.145.37]:52570
 helo=imta-38.everyone.net)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@oz.net>) id 1iaho7-0002oB-QA
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 10:03:44 -0500
Received: from pps.filterd (omta004.sj2.proofpoint.com [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id xATExU5S002991;
 Fri, 29 Nov 2019 07:03:41 -0800
X-Eon-Originating-Account: Fr_s_-5UazBAAWG97OLCOhjVe9nazTg_zVg2eVHK30g
X-Eon-Dm: m0116293.ppops.net
Received: by m0116293.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116293.5dc217be.4da796; Fri, 29 Nov 2019 07:03:38 -0800
X-Eon-Sig: AQMHrIJd4TNKJMyU7wIAAAAC,8dde41d02c9cf2e4b6d25834d1ef7602
X-Eip: 4gBe20iFfyI5qwv9GXWkNZg37m-vyPOann1GwaAJeCE
Date: Fri, 29 Nov 2019 07:03:29 -0800
From: Bengt Richter <bokr@bokr.com>
To: Mark H Weaver <mhw@netris.org>
Subject: Re: .png files in /gnu/store with executable permissions (555)
Message-ID: <20191129150329.GA80736@PhantoNv4ArchGx.localdomain>
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <878sny6fgr.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <878sny6fgr.fsf@netris.org>
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2019-11-29_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-1911290130
X-Spam-Score: -0.4 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@bokr.com>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

Hi Mark.

On +2019-11-29 07:20:41 -0500, Mark H Weaver wrote:
> Hi Bengt,
> 
> Bengt Richter <bokr@bokr.com> wrote:
> > I was wanting to check on some executable files in the store,
> > and happened to see some executable .png files ;-/
> > 
> > I suspect they came in when I was playing with icecat
> > and let it load  a "theme", but I am not sure some didn't
> > also happen trying to get firefox radio buttons to work ;-/
> 
> Certainly not.  Unless you ran icecat as root, it would not have
> sufficient permissions to modify /gnu/store.  Installing a theme or
> addon in IceCat, or changing its configuration, modifies files in your
> ~/.mozilla, not /gnu/store.
>
Yes, d'oh ;-) I was writing the "PS." in my reply to Ricardo probably
while you were writing this :) There I extracted some
guix build -S tarball content and showed that that was the perm source.

> > Anyway, does anyone else get 555 permissions on files like these?
> > These are all *.png files with 555 permissons, but I trimmed back to see common prefixes.
> > Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.
> 
> I looked at docbook-xsl-1.79.1, since I happen to have it installed on
> my system.  Some of the *.png files are incorrectly given executable
> permissions within the upstream source tarball itself.  I guess it's
> probably the same issue with moka-icon-theme and faba-icon-theme, since
> I don't see anything in our package code that would have done it.
Yes, I found the bad perms in the tarball likewise.

> 
> Most of the entries in your list that end with "png" but not ".png" are
> actually programs whose name ends with "png", so they *should* be
> executable.  The files in /gnu/store/.links that end with "png" are just
> random chance, because the file names themselves are hashes.
Yeah, I realized. Could have done a cleaner job, but I was also curious
how many legit executables ended in png.

> 
> > Is this zero-day stuff with a nasty somewhere, waiting for referencing
> > by another nasty, or am I being paranoid?
> 
> I think you're being paranoid in this case.  I don't see anything here
> to be concerned about, just some minor sloppiness by 3 upstreams.
>
IIRC I did read of jpeg images being used to obfuscate call-home info
in some tricky malware, so anomalies in the same kind of file triggered
the question of whether it could be accidentally on purpose ;-/

> > What is the safe way to detoxify this mess?
> 
> The proper solution is to send bug reports to the upstream developers of
> docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix
> the permissions of the *.png files in their source tarballs.
>
That I haven't done. Is there a standard way to do it?
"guix show moka-icon-theme" tells me homepage, but it would be nice
to have a guix show --verbose that would show bug reporting info :)

> > I know I shouldn't directly chmod anything in store, right?
> 
> Right, *never* modify files in /gnu/store directly.
> 
> > The icecat discussion got moved to mozilla,
> 
> Which discussion are you referring to?
> 

Sorry, wrong zilla ;-p

https://lists.gnu.org/archive/html/guix-devel/2019-10/msg00686.html

>      Thanks,
>        Mark

-- 
Regards,
Bengt Richter




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 23:10:11 2019
Received: (at 38422) by debbugs.gnu.org; 30 Nov 2019 04:10:11 +0000
Received: from localhost ([127.0.0.1]:33714 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iau5C-0007ZS-Rd
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 23:10:11 -0500
Received: from world.peace.net ([64.112.178.59]:35298)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1iau5A-0007ZG-Bl
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 23:10:09 -0500
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89)
 (envelope-from <mhw@netris.org>)
 id 1iau57-0004G2-HE; Fri, 29 Nov 2019 23:10:05 -0500
From: Mark H Weaver <mhw@netris.org>
To: Bengt Richter <bokr@bokr.com>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
In-Reply-To: <20191129150329.GA80736@PhantoNv4ArchGx.localdomain> (Bengt
 Richter's message of "Fri, 29 Nov 2019 07:03:29 -0800")
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <878sny6fgr.fsf@netris.org>
 <20191129150329.GA80736@PhantoNv4ArchGx.localdomain>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
Date: Fri, 29 Nov 2019 23:08:55 -0500
Message-ID: <871rtq57kd.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Bengt,

Bengt Richter <bokr@bokr.com> writes:

> On +2019-11-29 07:20:41 -0500, Mark H Weaver wrote:
>> The proper solution is to send bug reports to the upstream developers of
>> docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix
>> the permissions of the *.png files in their source tarballs.
>>
> That I haven't done. Is there a standard way to do it?

No.

> "guix show moka-icon-theme" tells me homepage, but it would be nice
> to have a guix show --verbose that would show bug reporting info :)

It would be nice, but it would also be an enormous amount of work.
First we'd need to devise a way to represent that information, and then
we'd need to add it to each of our 10K+ packages.  It would also be an
additional job to do when adding new packages.  I'm not sure it's worth
all that work.  We already record the home page, and from there it's
usually not much work to find how to report bugs.  In cases where it
_is_ difficult to find out how to report bugs, that's arguably a problem
that should be fixed upstream.

What do you think?

      Regards,
        Mark




From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 23:24:50 2019
Received: (at 38422) by debbugs.gnu.org; 30 Nov 2019 04:24:50 +0000
Received: from localhost ([127.0.0.1]:33720 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iauJO-0008BA-5r
	for submit@debbugs.gnu.org; Fri, 29 Nov 2019 23:24:50 -0500
Received: from mout02.posteo.de ([185.67.36.66]:38881)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <brettg@posteo.net>) id 1iauJL-0008Ac-Km
 for 38422@debbugs.gnu.org; Fri, 29 Nov 2019 23:24:49 -0500
Received: from submission (posteo.de [89.146.220.130]) 
 by mout02.posteo.de (Postfix) with ESMTPS id 2EF2D2400FC
 for <38422@debbugs.gnu.org>; Sat, 30 Nov 2019 05:24:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1575087881; bh=3YSka2d3s505+5JSyPArb5FdL2NZoqnnkhiH0WsxcoY=;
 h=From:To:Cc:Subject:Date:From;
 b=qfr93mkC5X4bwfyKzntnk8MS1z1ZocDozTcGpHUhxQEFs1oO0Gqu+4wxT60AC53ex
 1BRkEUzAkxStVzYvQ6cX0MTzBvGZH7JGZNbvEcjL24eA2XHPE1vRronsewYhhnqh/A
 StrFf4rGoGPkTorEZdOun4omcrXeJnVXEgSc6aXWcF8CyvO6y3PLwMjmEA7ENoGWak
 Ff5Xq+Swflq8vg7sM606XjtiXfWzpybcJytEnN/vzbbF1Ie9ZqKLAKoIEDK8KYgAGI
 0JHvLKqWuxxAhoyk2BAaiQKmqY4HONEw4/MTc2W58G86C+2PAGlFXPOOU292qZMUfv
 sHElyNF6xjZ6w==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 47PyvW4Pdlz9rxK;
 Sat, 30 Nov 2019 05:24:39 +0100 (CET)
From: Brett Gilio <brettg@posteo.net>
To: Mark H Weaver <mhw@netris.org>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <878sny6fgr.fsf@netris.org>
 <20191129150329.GA80736@PhantoNv4ArchGx.localdomain>
 <871rtq57kd.fsf@netris.org>
Date: Fri, 29 Nov 2019 22:24:49 -0600
In-Reply-To: <871rtq57kd.fsf@netris.org> (Mark H. Weaver's message of "Fri, 29
 Nov 2019 23:08:55 -0500")
Message-ID: <87sgm6t2i6.fsf@posteo.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org, Bengt Richter <bokr@bokr.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Mark H Weaver <mhw@netris.org> writes:

> [...] In cases where it
> _is_ difficult to find out how to report bugs, that's arguably a problem
> that should be fixed upstream.
>
> What do you think?
>
>       Regards,
>         Mark
>
>
>

Agreed 100% with Mark.

-- 
Brett M. Gilio
https://git.sr.ht/~brettgilio/




From debbugs-submit-bounces@debbugs.gnu.org Sat Nov 30 02:45:20 2019
Received: (at submit) by debbugs.gnu.org; 30 Nov 2019 07:45:20 +0000
Received: from localhost ([127.0.0.1]:33757 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iaxRQ-0005gg-A5
	for submit@debbugs.gnu.org; Sat, 30 Nov 2019 02:45:20 -0500
Received: from lists.gnu.org ([209.51.188.17]:50773)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <julien@lepiller.eu>) id 1iaxRN-0005gY-Ka
 for submit@debbugs.gnu.org; Sat, 30 Nov 2019 02:45:17 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:49021)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <julien@lepiller.eu>) id 1iaxRM-0006bH-Et
 for bug-guix@gnu.org; Sat, 30 Nov 2019 02:45:17 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,URIBL_BLOCKED
 autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <julien@lepiller.eu>) id 1iaxRL-0003Rs-E0
 for bug-guix@gnu.org; Sat, 30 Nov 2019 02:45:16 -0500
Received: from lepiller.eu ([2a00:5884:8208::1]:38204)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <julien@lepiller.eu>) id 1iaxRL-0003Q3-5V
 for bug-guix@gnu.org; Sat, 30 Nov 2019 02:45:15 -0500
Received: from lepiller.eu (localhost [127.0.0.1])
 by lepiller.eu (OpenSMTPD) with ESMTP id 303c8bc7;
 Sat, 30 Nov 2019 07:45:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=lepiller.eu; h=date
 :in-reply-to:references:mime-version:content-type
 :content-transfer-encoding:subject:to:cc:from:message-id; s=
 dkim; bh=Vfjq8y+cSLBlIRi9YLMT2wE0JgQ=; b=e0xrSQThYArSiWEaX0EWD5X
 kuXJjIaqHpLZTRnzb9nA1jtFv4W6F3P37vqemQzQayPYTJWYXj+AnXkTc/hAaQQR
 CNWt5J5D4SFCCvhm6ZySpCbri34FW4fz+2jUZnQf5N4ZiwlnUYVTqTTH8bqHLLS9
 +g7Lnc6SUhfEgtd7wPCXMW3ErpPoORRYuFiMT1v24z8cOa8sdw2BsqwaXrN0YOAu
 seLwFJsV6Xmad1PM1kNRaCptV7w7ICU+LKJzLIDgMMS51Y/u/rd3Bo9mBUOzcUsQ
 qK8otTvu1mbnQsY7n7nXD4dec1QV6YwmXw9za/O9UXJRv67IMZn0XO/BKBlHHmw=
 =
Received: by lepiller.eu (OpenSMTPD) with ESMTPSA id 1be59d91
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); 
 Sat, 30 Nov 2019 07:45:13 +0000 (UTC)
Date: Sat, 30 Nov 2019 08:45:09 +0100
User-Agent: K-9 Mail for Android
In-Reply-To: <871rtq57kd.fsf@netris.org>
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <878sny6fgr.fsf@netris.org>
 <20191129150329.GA80736@PhantoNv4ArchGx.localdomain>
 <871rtq57kd.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
To: bug-guix@gnu.org, Mark H Weaver <mhw@netris.org>,
 Bengt Richter <bokr@bokr.com>
From: Julien Lepiller <julien@lepiller.eu>
Message-ID: <FCCE8805-6725-425D-99DE-4CCD2E00DCF4@lepiller.eu>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-Received-From: 2a00:5884:8208::1
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Le 30 novembre 2019 05:08:55 GMT+01:00, Mark H Weaver <mhw@netris=2Eorg> a =
=C3=A9crit :
>Hi Bengt,
>
>Bengt Richter <bokr@bokr=2Ecom> writes:
>
>> On +2019-11-29 07:20:41 -0500, Mark H Weaver wrote:
>>> The proper solution is to send bug reports to the upstream
>developers of
>>> docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to
>fix
>>> the permissions of the *=2Epng files in their source tarballs=2E
>>>
>> That I haven't done=2E Is there a standard way to do it?
>
>No=2E
>
>> "guix show moka-icon-theme" tells me homepage, but it would be nice
>> to have a guix show --verbose that would show bug reporting info :)
>
>It would be nice, but it would also be an enormous amount of work=2E
>First we'd need to devise a way to represent that information, and then
>we'd need to add it to each of our 10K+ packages=2E  It would also be an
>additional job to do when adding new packages=2E  I'm not sure it's worth
>all that work=2E  We already record the home page, and from there it's
>usually not much work to find how to report bugs=2E  In cases where it
>_is_ difficult to find out how to report bugs, that's arguably a
>problem
>that should be fixed upstream=2E
>
>What do you think?
>
>      Regards,
>        Mark

Also, we should not encourage people to report bugs upstream directly=2E W=
e have to evaluate whether the bug is on our side or theirs first to not dr=
own them in useless bug reports :)




From debbugs-submit-bounces@debbugs.gnu.org Sat Nov 30 15:08:08 2019
Received: (at submit) by debbugs.gnu.org; 30 Nov 2019 20:08:08 +0000
Received: from localhost ([127.0.0.1]:35177 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ib92F-0002ie-ML
	for submit@debbugs.gnu.org; Sat, 30 Nov 2019 15:08:08 -0500
Received: from lists.gnu.org ([209.51.188.17]:40958)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@oz.net>) id 1ib92D-0002iW-Ae
 for submit@debbugs.gnu.org; Sat, 30 Nov 2019 15:08:06 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:57407)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <bokr@oz.net>) id 1ib92B-0006k1-Um
 for bug-guix@gnu.org; Sat, 30 Nov 2019 15:08:05 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_LOW,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <bokr@oz.net>) id 1ib92A-00087H-Fx
 for bug-guix@gnu.org; Sat, 30 Nov 2019 15:08:03 -0500
Received: from imta-37.everyone.net ([216.200.145.37]:58034
 helo=imta-38.everyone.net)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <bokr@oz.net>) id 1ib92A-00082i-7J
 for bug-guix@gnu.org; Sat, 30 Nov 2019 15:08:02 -0500
Received: from pps.filterd (omta004.sj2.proofpoint.com [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id xAUK3Gxu011719;
 Sat, 30 Nov 2019 12:07:57 -0800
X-Eon-Originating-Account: 6adfD-JhGlqUsuQM0ehh_5Ld_kO_5ZpW3iv_kdAn_Gs
X-Eon-Dm: m0116293.ppops.net
Received: by m0116293.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116293.5dc217be.50fc3b; Sat, 30 Nov 2019 12:07:56 -0800
X-Eon-Sig: AQMHrIJd4swcpDBGbgIAAAAE,97ea3e28c59e22e92b16eec0930707a0
X-Eip: fo4egNcZQ4_xDExLTFA5x6RuI8fXeR562ZMD9mm97KI
Date: Sat, 30 Nov 2019 12:07:48 -0800
From: Bengt Richter <bokr@bokr.com>
To: Julien Lepiller <julien@lepiller.eu>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
Message-ID: <20191130200748.GA2661@PhantoNv4ArchGx.localdomain>
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <878sny6fgr.fsf@netris.org>
 <20191129150329.GA80736@PhantoNv4ArchGx.localdomain>
 <871rtq57kd.fsf@netris.org>
 <FCCE8805-6725-425D-99DE-4CCD2E00DCF4@lepiller.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <FCCE8805-6725-425D-99DE-4CCD2E00DCF4@lepiller.eu>
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2019-11-30_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-1911300178
Content-Transfer-Encoding: base64
X-MIME-Autoconverted: from 8bit to base64 by imta-38.everyone.net id
 xAUK3Gxu011719
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy]
X-Received-From: 216.200.145.37
X-Spam-Score: -1.1 (-)
X-Debbugs-Envelope-To: submit
Cc: 38422@debbugs.gnu.org, Mark H Weaver <mhw@netris.org>, bug-guix@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@bokr.com>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.1 (--)

T24gKzIwMTktMTEtMzAgMDg6NDU6MDkgKzAxMDAsIEp1bGllbiBMZXBpbGxlciB3cm90ZToN
Cj4gTGUgMzAgbm92ZW1icmUgMjAxOSAwNTowODo1NSBHTVQrMDE6MDAsIE1hcmsgSCBXZWF2
ZXIgPG1od0BuZXRyaXMub3JnPiBhIMOpY3JpdCA6DQo+ID5IaSBCZW5ndCwNCj4gPg0KPiA+
QmVuZ3QgUmljaHRlciA8Ym9rckBib2tyLmNvbT4gd3JpdGVzOg0KPiA+DQo+ID4+IE9uICsy
MDE5LTExLTI5IDA3OjIwOjQxIC0wNTAwLCBNYXJrIEggV2VhdmVyIHdyb3RlOg0KPiA+Pj4g
VGhlIHByb3BlciBzb2x1dGlvbiBpcyB0byBzZW5kIGJ1ZyByZXBvcnRzIHRvIHRoZSB1cHN0
cmVhbQ0KPiA+ZGV2ZWxvcGVycyBvZg0KPiA+Pj4gZG9jYm9vay14c2wsIGZhYmEtaWNvbi10
aGVtZSwgYW5kIG1va2EtaWNvbi10aGVtZSwgYXNraW5nIHRoZW0gdG8NCj4gPmZpeA0KPiA+
Pj4gdGhlIHBlcm1pc3Npb25zIG9mIHRoZSAqLnBuZyBmaWxlcyBpbiB0aGVpciBzb3VyY2Ug
dGFyYmFsbHMuDQo+ID4+Pg0KPiA+PiBUaGF0IEkgaGF2ZW4ndCBkb25lLiBJcyB0aGVyZSBh
IHN0YW5kYXJkIHdheSB0byBkbyBpdD8NCj4gPg0KPiA+Tm8uDQo+ID4NCj4gPj4gImd1aXgg
c2hvdyBtb2thLWljb24tdGhlbWUiIHRlbGxzIG1lIGhvbWVwYWdlLCBidXQgaXQgd291bGQg
YmUgbmljZQ0KPiA+PiB0byBoYXZlIGEgZ3VpeCBzaG93IC0tdmVyYm9zZSB0aGF0IHdvdWxk
IHNob3cgYnVnIHJlcG9ydGluZyBpbmZvIDopDQo+ID4NCuKUjOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUkA0K4pSCID4gPkl0IHdvdWxk
IGJlIG5pY2UsIGJ1dCBpdCB3b3VsZCBhbHNvIGJlIGFuIGVub3Jtb3VzIGFtb3VudCBvZiB3
b3JrLiDilIINCuKUlOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKU
gOKUgOKUgOKUgOKUmA0KPiA+Rmlyc3Qgd2UnZCBuZWVkIHRvIGRldmlzZSBhIHdheSB0byBy
ZXByZXNlbnQgdGhhdCBpbmZvcm1hdGlvbiwgYW5kIHRoZW4NCj4gPndlJ2QgbmVlZCB0byBh
ZGQgaXQgdG8gZWFjaCBvZiBvdXIgMTBLKyBwYWNrYWdlcy4gIEl0IHdvdWxkIGFsc28gYmUg
YW4NCj4gPmFkZGl0aW9uYWwgam9iIHRvIGRvIHdoZW4gYWRkaW5nIG5ldyBwYWNrYWdlcy4g
IEknbSBub3Qgc3VyZSBpdCdzIHdvcnRoDQo+ID5hbGwgdGhhdCB3b3JrLiAgV2UgYWxyZWFk
eSByZWNvcmQgdGhlIGhvbWUgcGFnZSwgYW5kIGZyb20gdGhlcmUgaXQncw0KPiA+dXN1YWxs
eSBub3QgbXVjaCB3b3JrIHRvIGZpbmQgaG93IHRvIHJlcG9ydCBidWdzLiAgSW4gY2FzZXMg
d2hlcmUgaXQNCj4gPl9pc18gZGlmZmljdWx0IHRvIGZpbmQgb3V0IGhvdyB0byByZXBvcnQg
YnVncywgdGhhdCdzIGFyZ3VhYmx5IGENCj4gPnByb2JsZW0NCj4gPnRoYXQgc2hvdWxkIGJl
IGZpeGVkIHVwc3RyZWFtLg0KPiA+DQrilIzilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilJAN
CuKUgiBJIHRoaW5rIHlvdSBhcmUgcmlnaHQgOikg4pSCDQrilJzilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilKQNCuKUgiA+ID5XaGF0IGRvIHlvdSB0aGluaz8gICAg4pSCDQrilIIgPiA+
ICAgICAgICAgICAgICAgICAgICAgIOKUgg0K4pSCID4gPiAgICAgIFJlZ2FyZHMsICAgICAg
ICDilIINCuKUgiA+ID4gICAgICAgIE1hcmsgICAgICAgICAg4pSCDQrilJTilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilJgNCj4gDQrilIzilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilJAN
CuKUgiAgSSB0aGluayB5b3UgYXJlIGFsc28gcmlnaHQgLS0gSSB3aXRoZHJhdyBteSBzdWdn
ZXN0aW9uIDopICAg4pSCDQrilJzilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilKQNCuKUgiA+
IEFsc28sIHdlIHNob3VsZCBub3QgZW5jb3VyYWdlIHBlb3BsZSB0byByZXBvcnQgYnVncyAg
ICAgICAg4pSCDQrilIIgdXBzdHJlYW0gZGlyZWN0bHkuIFdlIGhhdmUgdG8gZXZhbHVhdGUg
d2hldGhlciB0aGUgYnVnIGlzIG9uIOKUgg0K4pSCIG91ciBzaWRlIG9yIHRoZWlycyBmaXJz
dCB0byBub3QgZHJvd24gdGhlbSBpbiB1c2VsZXNzIGJ1ZyAgICDilIINCuKUgiByZXBvcnRz
IDopICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
4pSCDQrilJTilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDi
lIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilIDilJgNCg0KSG0sIHRoaXMgc2VlbXMg
bGlrZSBpdCBjb3VsZCBiZSBpbXBvcnRhbnQgZm9yIGdvb2QgcmVsYXRpb25zIHdpdGggdXBz
dHJlYW0/DQoNClNob3VsZCB0aGVyZSBiZSBhbiBvZmZpY2lhbCBfZGlzdGlsbGVkIGFuZCBm
aWx0ZXJlZC1mb3ItdXBzdHJlYW1fDQpnaXQgYnVnIHJlcG8gdGhhdCBndWl4IGRldmVsb3Bl
cnMgcG9wdWxhdGUgYW5kIHVwc3RyZWFtIGRldnMNCihhbmQgYW55b25lKSBjYW4gcHVsbCBh
bmQgZ3JlcCB0aGUgbG9nIG9mIGZvciB0aGVpciBwcm9qZWN0cz8NCg0KSSBjb3VsZCBpbWFn
aW5lIChoYWxsdWNpbmF0ZSA/IDopIHNvbWUgYmVuZml0czoNCg0KMS4gRmlyc3Qgb2YgYWxs
LCB3ZSBjYW4gYWxsIGRldGVybWluZSBlYXNpbHkgaWYgdGhlcmUgaGFzIGJlZW4NCiAgIGFu
ICJvZmZpY2lhbCIgcmVwb3J0IGZyb20gZ3VpeCB0byB1cHN0cmVhbSwgdG8gYXZvaWQgZXZl
biBib3RoZXJpbmcNCiAgIGd1aXggZGV2ZWxvcGVycy4NCjIuIElmIHVwc3RyZWFtIGRldnMg
a25vdyByZXBvcnRzIGhhdmUgYmVlbiBjb25zaWRlcmVkIGltcG9ydGFudCBlbm91Z2gNCiAg
IGJ5IGd1aXggZGV2ZWxvcGVycyB0byBiZSBwdXQgaW4gdGhlIHJlcG8sIHRoZXkgbWlnaHQg
cGF5IG1vcmUgYXR0ZW50aW9uIDopDQogICBUaGVyZSBpcyBhIGxvdCBvZiB0bDtkciBkaXNj
dXNzaW9uIGluIG1hbnkgYnVnLXJlcG9ydGluZyBsb2dzLCBzbyB1cHN0cmVhbQ0KICAgd291
bGQgcHJvYmFibHkgYXBwcmVjaWF0ZSBoYXZpbmcgY3VyYXRlZCByZXBvcnRzLg0KMy4gVGhl
IGxvZyB3b3VsZCBiZSBhIHJlY29yZC4gQ29tbWl0IGhhc2hlcyB3b3VsZCBiZWNvbWUgcHJl
Y2lzZSByZWZlcmVuY2VzLg0KNC4gVG8ga2VlcCB0aGUgbWFpbiBidWcgaW5mbyBzdHJlYW0g
Y2xlYXIgb2Ygc3BlY3VsYXRpdmUgY2hhdHR5IHN0dWZmDQogICAodGhvdWdoIHRoaXMgc29t
ZXRpbWVzIGNvbnRhaW5zIGNyaXRpY2FsIGNsdWVzLCBhbmQgYmVsb25ncyBzb21ld2hlcmUp
DQogICB0aGUgcmVwbyBjb3VsZCBjb250YWluIChwZXIgbWFqb3IgdXBzdHJlYW0/KSBmaWxl
cyBmb3IgY29tbWVudGFyeSBvcg0KICAgbWlzY2VsbGFuZW91cyB0aGF0IGd1aXggZGV2cyBt
aWdodCB3YW50IHRvIHBhc3Mgb24sIGJ1dCBub3QgY2x1dHRlcg0KICAgdGhlIG1haW4gcmVw
b3J0IHdpdGguIE9mIGNvdXJzZSB1cmxzIGludG8gYnVnemlsbGEgZXRjIGNhbiBiZSB1c2Vm
dWwNCiAgIGFzIGNvbmNpc2Ugc2VlLWZ1cnRoZXIgcmVmcy4gQWxsIG1pc2Mgc3R1ZmYgb3B0
aW9uYWwuDQo0LiBUaGUgd29yayBmbG93IGZvciBkZXZlbG9wZXJzIGFscmVhZHkgZXhpc3Rz
IGZvciBhY2NlcHRpbmcgdGhpbmdzDQogICBpbnRvIHRoZSBndWl4IHBhY2thZ2UgcmVwbywg
c28gbm8gbWFqb3IgbmV3IHBhdHRlcm5zIGZvciBldmVyeW9uZSB0byBsZWFybi4NCjUuIEFu
eW9uZSBpbnRlcmVzdGVkIGNvdWxkIGNsb25lIHRoZSByZXBvIGFuZCBwdWxsIHRvIGl0IGZv
ciAiZ3VpeC1vZmZpY2lhbCINCiAgIGJ1ZyByZXBvcnRpbmcgc3RhdHVzLiAgIA0KDQpXRFlU
Pw0KLS0gDQpSZWdhcmRzLA0KQmVuZ3QgUmljaHRlcg0K




From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 02 10:20:28 2019
Received: (at 38422) by debbugs.gnu.org; 2 Dec 2019 15:20:28 +0000
Received: from localhost ([127.0.0.1]:38786 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ibnUy-0007QM-EB
	for submit@debbugs.gnu.org; Mon, 02 Dec 2019 10:20:28 -0500
Received: from mail-qk1-f193.google.com ([209.85.222.193]:43275)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1ibnUw-0007Py-6D
 for 38422@debbugs.gnu.org; Mon, 02 Dec 2019 10:20:26 -0500
Received: by mail-qk1-f193.google.com with SMTP id q28so13937008qkn.10
 for <38422@debbugs.gnu.org>; Mon, 02 Dec 2019 07:20:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=grzzuhptHUap9uht++qLqC1PIcVSn7uB0cKzdW+uQBU=;
 b=Y3G/GS02oiaKXr978oSLXCwL+Ou7stZBMmzySOL4GRwmzOLgq4aAxHHRYC252IcriG
 +B4ZQgBILE+7jqnYgji6L1pcR91F4fZcmVTN1ZBBDWbNuDGUPrqaAsvns+xeqx++EGbk
 5kQNS5gG+mZQdpTmaK2dohV/s4G3NHoAdDieLxOBHc10d5dvJeiXThgn6cyn27RkAIU+
 To5QyguCKx5HpVXNj7inD7kBAbaCTLNhIOwgh0q9XukHPw3BgXe+vBhBFzaLaySFDi6Q
 qwi1eOtC/JAFSsdyjCaBuW8sDbGRoBUL6b+NJikMoiDdtODaATlUIh+kbLAC4kpnR+S4
 ISZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=grzzuhptHUap9uht++qLqC1PIcVSn7uB0cKzdW+uQBU=;
 b=W5W5aScXj3ogu3+sXsWu8jL2SxxEgacMTp6PU448VQ8lbCfB6bMzQaxRk1HD3FGnrF
 j3DlwYylGHgPTxgY5mIGsvDhD6bdovqu2keAqUeRTPtR9QOX/ClwO7OEkPvKtht6sY98
 qUXaLyF/Lf9oRfBc1YyTF6x8HYmtgQBGnbv6fyzXv3zarIUkrarKOUTa6GR50v6q6wwh
 onXfNfp8rUyS6zO5fo+7xH2TD+OO8VhAeFtZ6MEC8OE9om69ETLCQ0ti/vEDQeJHOoc4
 OlBGZTsg3rCWc94Ai/LFblcwK8T+HhNBEpsmHuvqNyBACDfQdyk5MlDWfrG/B5LFZk6B
 Bz7A==
X-Gm-Message-State: APjAAAUEdM27WYj0VWzSNzwTgy0bNGhB/Oil602wVoPd99A3i4K29iwh
 HQ6f84CwTFvbytMYwQgH4I5JO1qHbxV/4FE7VRRgBlBi
X-Google-Smtp-Source: APXvYqzaIx1EOua/PSG1yKUyIx0WMks8KrCzezQGgbFp1zDHb/Bqu8cyjY3iy3Ii+OKJeguoc1WicmaL1459YO+WBsM=
X-Received: by 2002:a37:4146:: with SMTP id o67mr32590349qka.232.1575300020528; 
 Mon, 02 Dec 2019 07:20:20 -0800 (PST)
MIME-Version: 1.0
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
 <878sny6fgr.fsf@netris.org>
 <20191129150329.GA80736@PhantoNv4ArchGx.localdomain>
 <871rtq57kd.fsf@netris.org> <FCCE8805-6725-425D-99DE-4CCD2E00DCF4@lepiller.eu>
 <20191130200748.GA2661@PhantoNv4ArchGx.localdomain>
In-Reply-To: <20191130200748.GA2661@PhantoNv4ArchGx.localdomain>
From: zimoun <zimon.toutoune@gmail.com>
Date: Mon, 2 Dec 2019 16:20:08 +0100
Message-ID: <CAJ3okZ0ze6xgLKF8Ss6s4nxSn4Xh39KO7ooF7qO=juq6yakNQw@mail.gmail.com>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
To: Bengt Richter <bokr@bokr.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: -0.1 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org, Julien Lepiller <julien@lepiller.eu>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.1 (-)

On Sat, 30 Nov 2019 at 21:09, Bengt Richter <bokr@bokr.com> wrote:

> Should there be an official _distilled and filtered-for-upstream_
> git bug repo that guix developers populate and upstream devs
> (and anyone) can pull and grep the log of for their projects?

The Guix bug database is public and can be browsed for example here
[1] or [2]. Yes, it is not friendly for upstream developer and one
needs some Guix knowledge to correctly find what one is looking for.
Debian has more friendly entry point: the package Tracker [3]. And the
webpage [4] should be improved to report our bug etc. (as Debian is
doing).

(Note that the Guix-HPC search interface is better but currently down.)

[1] http://issues.guix.gnu.org/
[2] https://debbugs.gnu.org/cgi/pkgreport.cgi?package=guix;max-bugs=100;base-order=1;bug-rev=1
[3] https://tracker.debian.org/pkg/gmsh
[4] http://guix.gnu.org/packages/gmsh-2.16.0/



All the best,
simon




From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 21 19:23:07 2020
Received: (at 38422) by debbugs.gnu.org; 22 Jan 2020 00:23:07 +0000
Received: from localhost ([127.0.0.1]:48692 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iu3nW-00078h-Os
	for submit@debbugs.gnu.org; Tue, 21 Jan 2020 19:23:06 -0500
Received: from mail-qv1-f43.google.com ([209.85.219.43]:39986)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1iu3nS-00077x-VV
 for 38422@debbugs.gnu.org; Tue, 21 Jan 2020 19:23:05 -0500
Received: by mail-qv1-f43.google.com with SMTP id dp13so2419790qvb.7
 for <38422@debbugs.gnu.org>; Tue, 21 Jan 2020 16:23:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to;
 bh=R8JJE29AGAcqzZs/u0cAT1euKcrQ0El8DO3RI/txzAg=;
 b=Q7qcCzNphnoUiahsYLABxUOI6SQ2MZ+XHHYE01cTTR1bxSmszcdoFyXbyY8CqM2kmf
 /sRTKEarcWqtNI6W9S7dGT9K8XBPhkHQc/4RV00FX51Cn30RFmWReC4pWFXBFdxUprr7
 HnORVMOpC3e8FP6swZ5yFmCbPHf5Ork7z/QOkySFbYWsoUKxEwCipaHWD9YJVb3Lexps
 lEsxZA8qPrxmkiDDx4i4wyx43yFBKhJwxQmeE5usNOyQYw4guSQqAkc5Eoi9ERQ+TFBs
 HhrPDzFOxrlkkO5FJA5ETFopUkWNSBm8k16ExVCHXX3HO2S7LHo73vFKYo5RsfDbH/G7
 JIQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=R8JJE29AGAcqzZs/u0cAT1euKcrQ0El8DO3RI/txzAg=;
 b=Ph0vOKuFNgfqOzvJbJjFcTX3yKA7Rq35NMSnh8gjNUSQGVWzHxTVPZgdDOPvt/dBDT
 jqAv4Rar9hrx4HUBvQ0TqmwHssXPjgkINA5iK1WVyFNtn93/w3i5Aw0XCnsIP2siQqmG
 991KSmu2Cs0Cqjt3mq81RxRzEeBSBn2CUn8fB2CllVcFdijkO6+blLe3CzL5Ra1Il5tf
 8f9YZyYvlmlZYdE7ATbkUk++gXFlMRTQhv9i2Wd2pu0H0Y6beuKyb25VXRrAkcfvEwFq
 HxVSHB1vJY0ROWqn9ZxM2Af4vyf8/18VLVUvNytDkGpFNl+4neO677Np4rq8Tm3kVSFy
 5UTw==
X-Gm-Message-State: APjAAAXU9Yg29zzcoYKXETF5M2qu+E9B98wN5E7CFcZUi2bpDlMt/uFO
 iaqshDsZQtI9QUjnIqhLPHGr1OKLvx+dijI6uXztrpn3
X-Google-Smtp-Source: APXvYqy5wQ9M5dPRYchq4FoWxUEMgFATDvGlTMiGJBumNTCdwbFSFCzC6LxRRK2PHAtiqGLkONh+/BpskWWinSuAaJI=
X-Received: by 2002:a05:6214:108a:: with SMTP id
 o10mr7538958qvr.246.1579652577259; 
 Tue, 21 Jan 2020 16:22:57 -0800 (PST)
MIME-Version: 1.0
From: zimoun <zimon.toutoune@gmail.com>
Date: Wed, 22 Jan 2020 01:22:45 +0100
Message-ID: <CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com>
Subject: Bug status? '.png' files with executable permissions
To: 38422@debbugs.gnu.org, Bengt Richter <bokr@bokr.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Dear Bengt,

The bug report [1] points out files with unexpected permission; based
on extension filename.

[1] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38422


It is not an security issue or the Guix packager did not carefully
check the validity of these files.

If you are security paranoid, you *have to* check by yourself all the
files using "guix build -S" because in paranoid mode you cannot trust
Guix packagers (and Guix committers neither).


In normal mode, 2 options:

 a- propose a patch to change the permission for each offending package
 b- report upstream

Well, at least  these 3 packages docbook-xsl, faba-icon-theme, and
moka-icon-theme comes with unexpected .png file permission.


On the long term, I am not convinced that adding automatic check and
permission change based on filename extension would really add Quality
Assurance. Because we are speaking about quality, not security.


I am inclined to close this bug. What do you think?

All the best,
simon




From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 21 19:31:40 2020
Received: (at 38422) by debbugs.gnu.org; 22 Jan 2020 00:31:40 +0000
Received: from localhost ([127.0.0.1]:48707 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iu3vo-0007Mf-3Q
	for submit@debbugs.gnu.org; Tue, 21 Jan 2020 19:31:40 -0500
Received: from mail-qt1-f169.google.com ([209.85.160.169]:44275)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>)
 id 1iu3vm-0007MP-71; Tue, 21 Jan 2020 19:31:38 -0500
Received: by mail-qt1-f169.google.com with SMTP id w8so4265088qts.11;
 Tue, 21 Jan 2020 16:31:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to;
 bh=5cORHpqJDjID5W63txXyK9GYEJmhT57EFRX0K/XjMnw=;
 b=V4RfzMTW+iXTLNpWQctEIDBiVLaqlUKyDY61hm+Fv2Pwq0zJqJLe3rzXJEABOG3Ak2
 Egxhb6Xa/6fP6xiFPb/EQqqoLkKeiNIKfhO8RU0H3JUF1MhFdmg7t4o1H8ChKX66mXMC
 hzbU38XPe4vuiDu9jjEPVhaCtS/s9hl5kGSWwtwUgZTrUHgNzBMKVhnlhMJPrgjuG5ae
 0+D/Szyburrhyqnam6IHeYc/m6vp4u7ZhFl+U0H+Od0Sbifj4ExzLnT9lPlenowcO8Ij
 okZUPuInITm/S7ys15iKkk1Ky/GdU4CcPJjlmWNESKzpBcFZf6QfO+KDu7EctNOiwB45
 5wxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=5cORHpqJDjID5W63txXyK9GYEJmhT57EFRX0K/XjMnw=;
 b=tBzcyfrLahqGQCUAgpeY3EImfXH9MRayJbhVIPDc869z75gSk6qUONooYsjPtnroya
 Zb+czl1PBN3gK/RlEe93z2j52rZKq80mvOsmtNJv+6z+VBi1PUbJs0jkmczIfhKMXLJz
 SDPSMmtpTakDzChRsUZQvXc6pZOBtnALEYBldSBP67upNckFqB+VSMzubd3NVwIlvbI6
 qWymhbDn1dhO7ULBEZIa8GT5M0+Od5Yy2CTJlWtAGk3VOK3HWCa6jSojblfa+vyn48CQ
 Tek3JOOT/OlFaMB+8WDY+R6CHZ2ftdcKh69RJzDw7smZAGdy5B0WrNPmM2NClTnYLqu2
 nq5Q==
X-Gm-Message-State: APjAAAWPMhmqzcJStJ6LlNC7MV78IZ0rxTYXuo3gFfxdjsueNeTGAZvR
 l6P+PfdVW5LaXPqmOHQzein+3Y8rrgDOtMVXqmVYJQ==
X-Google-Smtp-Source: APXvYqx1Py3IX1IICOMv+sGsbuV25lt5R9OAKie2zIn4G9teSihyl3ja14XF5l4OFl03ism2ceqUPNYeaNhII8YssYQ=
X-Received: by 2002:ac8:5353:: with SMTP id d19mr7387267qto.313.1579653092583; 
 Tue, 21 Jan 2020 16:31:32 -0800 (PST)
MIME-Version: 1.0
From: zimoun <zimon.toutoune@gmail.com>
Date: Wed, 22 Jan 2020 01:31:20 +0100
Message-ID: <CAJ3okZ3fOHk-SHHq8xpKrDbNY-EfRLRKG5iPMORu60z5sQK1xw@mail.gmail.com>
Subject: 
To: 38422@debbugs.gnu.org, control@debbugs.gnu.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 2.0 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  tags 38422 notabug quit 
 Content analysis details:   (2.0 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider (zimon.toutoune[at]gmail.com)
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.160.169 listed in list.dnswl.org]
 0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [209.85.160.169 listed in wl.mailspike.net]
 2.0 BLANK_SUBJECT          Subject is present but empty
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-Debbugs-Envelope-To: 38422
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

tags 38422 notabug
quit




From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 21 21:28:43 2020
Received: (at 38422) by debbugs.gnu.org; 22 Jan 2020 02:28:43 +0000
Received: from localhost ([127.0.0.1]:48814 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iu5l5-0005ke-CG
	for submit@debbugs.gnu.org; Tue, 21 Jan 2020 21:28:43 -0500
Received: from imta-37.everyone.net ([216.200.145.37]:58834
 helo=imta-38.everyone.net)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@oz.net>) id 1iu5l3-0005kV-OY
 for 38422@debbugs.gnu.org; Tue, 21 Jan 2020 21:28:42 -0500
Received: from pps.filterd (omta004.sj2.proofpoint.com [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id 00M2LVZs001907;
 Tue, 21 Jan 2020 18:28:40 -0800
X-Eon-Originating-Account: jYi2U8624xkM3XHGKGlg_RnJq25G1T-CJm5Lg-laAvQ
X-Eon-Dm: m0116787.ppops.net
Received: by m0116787.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116787.5e0ea4a1.1ef4b4; Tue, 21 Jan 2020 18:28:39 -0800
X-Eon-Sig: AQMHrIJeJ7NXMGDb8gIAAAAC,18b79a37d622e2c198dc3b29b53a81c2
X-Eip: Rftg89KksSEx4i01bQS9NEarXpt1p4myODKgkTcnYYo
Date: Tue, 21 Jan 2020 18:28:30 -0800
From: Bengt Richter <bokr@bokr.com>
To: zimoun <zimon.toutoune@gmail.com>
Subject: Re: Bug status? '.png' files with executable permissions
Message-ID: <20200122022830.GA22138@LionPure>
References: <CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2020-01-17_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=899 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-2001220016
X-Spam-Score: -0.5 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@bokr.com>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

Hi zimoun,

On +2020-01-22 01:22:45 +0100, zimoun wrote:
> Dear Bengt,
> 
> The bug report [1] points out files with unexpected permission; based
> on extension filename.
> 
> [1] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38422
> 
> 
> It is not an security issue or the Guix packager did not carefully
> check the validity of these files.
> 
> If you are security paranoid, you *have to* check by yourself all the
> files using "guix build -S" because in paranoid mode you cannot trust
> Guix packagers (and Guix committers neither).
> 
> 
> In normal mode, 2 options:
> 
>  a- propose a patch to change the permission for each offending package
>  b- report upstream
> 
> Well, at least  these 3 packages docbook-xsl, faba-icon-theme, and
> moka-icon-theme comes with unexpected .png file permission.
> 
> 
> On the long term, I am not convinced that adding automatic check and
> permission change based on filename extension would really add Quality
> Assurance. Because we are speaking about quality, not security.
> 
> 
> I am inclined to close this bug. What do you think?
> 
> All the best,
> simon

Ok with me to close, thanks.

-- 
Regards,
Bengt Richter




From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 27 14:56:06 2020
Received: (at 38422-done) by debbugs.gnu.org; 27 Jan 2020 19:56:06 +0000
Received: from localhost ([127.0.0.1]:59028 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1iwAUP-0003xN-QV
	for submit@debbugs.gnu.org; Mon, 27 Jan 2020 14:56:06 -0500
Received: from mail-qt1-f181.google.com ([209.85.160.181]:39197)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1iwAUN-0003ws-6p
 for 38422-done@debbugs.gnu.org; Mon, 27 Jan 2020 14:56:05 -0500
Received: by mail-qt1-f181.google.com with SMTP id e5so8384317qtm.6
 for <38422-done@debbugs.gnu.org>; Mon, 27 Jan 2020 11:56:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:cc;
 bh=T5tDEo9tDWRNUmhkyyFARg6Vl6UMeWWpW7pGTLuaEDM=;
 b=DfDmwsK12WUacFtPjkXTeJxscwEff6W2oeMHva1p3lZx3N30M412deUWty+0jLouG6
 S8+pgpGGSgHoqLNewOEscb1b2EQqj6zP5tSzZoYxa6CiEVNIGHaIC+ZVGIDw8Eh45W0l
 nmYe6RKsi2u6udpYMSrnnul5N9z7dFUrDsUsGq0u85m0b/EYxmhc9oPHgySqjozqWo2j
 jWeQhXVHmyFcxKHyin4pFB9uCuoFQ7ZSQuDZMtOKhvJ/zbmdh7sIIsyD3CIayAk/SlNS
 dhh4FfyEg7LtzTvVgVggBkB/d3yKdW+gm4V2Y30LgbDW5cR37KZZycYs1z9Oct+DaF2z
 NYng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:cc;
 bh=T5tDEo9tDWRNUmhkyyFARg6Vl6UMeWWpW7pGTLuaEDM=;
 b=FU3eEJ6L9ATDIRRGsoYshqWap5vI5ihRn5qLETaZmPU2ItXiCYd14hEeXkAYTIF3W6
 O5lQme1V7kwyKqcdebZBAMuJBywK7D4w3LoZYPMe86y2mMPeRcUFMvXDbhyyGJmPPeOt
 JfXr7r1f/bxOLztDF0A/2bPD/XuD71+b7fS2Og/fhYNScdteYVdLh7844zUlwC7uOzTP
 96vmFeHp28QfrS1OZ18GZ69EYE9YFgWRvIiFvkfCzH9G2vFb1xG7a5HiEywBc+N8F5BG
 4IDqJY6RK190WHtwnDysOdlJ0Wvrc/sbrl09PoFVZVFjNCHyWrWVp/Avk2YHzfBUmQB/
 qv6g==
X-Gm-Message-State: APjAAAVvHsZRnGto/4Z4V4QUY2XZ7+unLU7Hs5NeULp60CWFH2L3Tbk0
 AFXGDa5yIYp7eaXHN9L/u6bSkxuRnXHnJdIR4oPPdw==
X-Google-Smtp-Source: APXvYqxe2Lt4cpZ4zZvZaI5qqdUGoFlQe6VoKRpDIiKs3zhfmUdZLCTihWZUkkRaTNHeWxyG+7h0LyCtpAN6ttOMMEI=
X-Received: by 2002:ac8:319c:: with SMTP id h28mr17806173qte.186.1580154957500; 
 Mon, 27 Jan 2020 11:55:57 -0800 (PST)
MIME-Version: 1.0
References: <CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com>
 <20200122022830.GA22138@LionPure>
In-Reply-To: <20200122022830.GA22138@LionPure>
From: zimoun <zimon.toutoune@gmail.com>
Date: Mon, 27 Jan 2020 20:55:46 +0100
Message-ID: <CAJ3okZ2WMr5Ha0wz9S=v2MY3oqCu9h+i3G2r8n77zCh_iyMxsg@mail.gmail.com>
Subject: Re: Bug status? '.png' files with executable permissions
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 2.0 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  close 38422 stop 
 Content analysis details:   (2.0 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 1.2 MISSING_HEADERS        Missing To: header
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider (zimon.toutoune[at]gmail.com)
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.160.181 listed in list.dnswl.org]
 -0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [209.85.160.181 listed in wl.mailspike.net]
 0.9 MALFORMED_FREEMAIL     Bad headers on message from free email
 service -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-Debbugs-Envelope-To: 38422-done
Cc: 38422-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

close 38422
stop




From unknown Sat Jun 14 14:27:52 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 25 Feb 2020 12:24:05 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator