[bug#31442] [bug#31444] 'guix health': a tool to report vulnerable packages
From: Ludovic Courtès
Subject: [bug#31442] [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Fri, 25 Sep 2020 18:34:00 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Hi!
zimoun <zimon.toutoune@gmail.com> skribis:
> Well, instead of creating another new command, I think it would be better
> to include the “leaf” packages in “guix graph” and then pipe to “guix
> lint”. In other words, “guix graph” should help to manipulate the graph of
> packages.
I don’t think so.
One reason is that ‘guix lint’ is really a generic tool for package
developers that happens to include a ‘cve’ checker; apart from that,
it’s not designed for CVE handling.
More importantly, ‘guix health’ needs info not available in the output
of ‘guix lint’: it needs the CPE name of each package in the graph,
along with the list of known-fixed CVEs.
>> Fundamentally, that means we cannot reliably tell much about
>> dependencies: in cases where the CPE name differs from the Guix name, we
>> won’t have any match, and more generally, we cannot know what CVEs are
>> patched in the package; we could infer part of this by looking at the
>> same-named package in the current Guix, but that’s hacky.
>>
>> I think that longer-term we probably need to attach this kind of
>> meta-data to packages themselves, by adding a bunch of files in each
>> package, say under PREFIX/guix. We could do that for search paths as
>> well.
>
> What is the status of this idea?
The idea is still up in the air. :-)
In the meantime, package metadata is added to manifest entries.
Ludo’.
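The two gaps described in the message (a Guix package name that differs from the CPE name, and CVEs that Guix already patches but that the upstream version number still "matches") can be made concrete with a small matcher. The following is an added illustration, not code from Guix or from this thread: it assumes per-package records carrying a CPE name and a list of known-fixed CVEs, and compares that against a naive lookup by Guix name. All package names, versions and CVE identifiers below are constructed for the example.

```python
"""Illustrative 'guix health'-style matcher (added example, not Guix code).

Each package in a closure is matched against a CVE feed keyed by CPE name.
Two pieces of metadata the message says are required are modelled here:
the package's CPE name and the set of CVEs Guix has already patched.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Package:
    name: str                            # Guix package name
    version: str
    cpe_name: Optional[str] = None       # CPE product name, when recorded
    patched_cves: frozenset = frozenset()  # CVEs fixed by Guix's own patches


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cpe_name: str
    fixed_in: str                        # first upstream version not affected


def version_key(version: str):
    """Compare dotted numeric versions as integer tuples ("1.10" > "1.9")."""
    return tuple(int(part) for part in version.split("."))


def index_by_cpe(cves) -> Dict[str, List[Cve]]:
    index: Dict[str, List[Cve]] = {}
    for cve in cves:
        index.setdefault(cve.cpe_name, []).append(cve)
    return index


def open_cves(pkg: Package, index) -> Optional[List[str]]:
    """CVEs affecting pkg's version that are not known to be patched.

    Returns None when the package has no CPE mapping: without it the
    checker has no key into the feed and cannot claim anything.
    """
    if pkg.cpe_name is None:
        return None
    hits = []
    for cve in index.get(pkg.cpe_name, []):
        affected = version_key(pkg.version) < version_key(cve.fixed_in)
        if affected and cve.cve_id not in pkg.patched_cves:
            hits.append(cve.cve_id)
    return sorted(hits)


def naive_open_cves(pkg: Package, index) -> List[str]:
    """What a lookup keyed on the Guix name alone yields (no patch info)."""
    hits = []
    for cve in index.get(pkg.name, []):
        if version_key(pkg.version) < version_key(cve.fixed_in):
            hits.append(cve.cve_id)
    return sorted(hits)


def health_report(packages, cves) -> Dict[str, Optional[List[str]]]:
    index = index_by_cpe(cves)
    return {pkg.name: open_cves(pkg, index) for pkg in packages}


def naive_report(packages, cves) -> Dict[str, List[str]]:
    index = index_by_cpe(cves)
    return {pkg.name: naive_open_cves(pkg, index) for pkg in packages}


# Constructed sample feed and closure; identifiers are made up.
SAMPLE_CVES = (
    Cve("CVE-0000-0001", "foolib", fixed_in="2.1"),
    Cve("CVE-0000-0002", "foolib", fixed_in="2.0"),
    Cve("CVE-0000-0003", "barlib", fixed_in="1.4"),
)

SAMPLE_CLOSURE = (
    # Guix name equals the CPE name; CVE-0000-0001 is patched in Guix.
    Package("foolib", "2.0", cpe_name="foolib",
            patched_cves=frozenset({"CVE-0000-0001"})),
    # Guix name differs from the CPE name; only the mapping makes a match.
    Package("python-barlib", "1.3", cpe_name="barlib"),
    # No CPE name recorded at all.
    Package("bazlib", "0.9"),
)

if __name__ == "__main__":
    print("with metadata:", health_report(SAMPLE_CLOSURE, SAMPLE_CVES))
    print("naive by name:", naive_report(SAMPLE_CLOSURE, SAMPLE_CVES))
```

Run against the sample closure, the naive lookup reports a false positive for foolib (the CVE is already patched) and a false negative for python-barlib (the Guix name never matches the feed), while the metadata-aware report gets both right and marks bazlib as unknowable rather than silently clean.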