OpenSSL “DROWN” vulnerability & grafts

[Ludovic Courtès]

Hello!

OpenSSL 1.0.2g was released today, fixing several serious security
vulnerabilities, several of which are referred to as “DROWN” (as has
become security-marketing tradition.)

This gave a good incentive to fix the “grafting” mechanism described at:

  https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

The problem was that until now, grafting was not recursive:
<http://bugs.gnu.org/22139>.  This is fixed in c22a132, so we “rushed”
to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd.

So now is the time to find out how well the new implementation scales
and to address any limitations.  :-)

A potentially disturbing thing with the new code is that it starts
building/downloading things early, typically before it has written “The
following derivations will be built”; see
<http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#13>.

A limitation of the current implementation is that the replacement
package must have exactly the same name and version as the package being
replaced.  So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f.

The store file name of the old OpenSSL is given by:

  guix build openssl --no-grafts

… and the new one is given by:

  guix build openssl

For example, to verify which OpenSSL(s) your whole profile refers to,
you can run:

  guix gc -R $(readlink -f ~/.guix-profile) | grep openssl

and check the store file names that you get (make sure to turn off
guix-prettify-mode :-)).  Likewise for a GuixSD generation:

  guix gc -R $(guix system build config.scm) | grep openssl

And for running processes:

  lsof | grep /gnu/store/.*openssl

Seems like this tricks could go in the manual under “Security Updates”
no?

Feedback welcome!

Ludo’.

signature.asc
Description: PGP signature