GNU bug report logs - #22831
OpenSSL should not depend on Perl


Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Sat, 27 Feb 2016 17:06:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Sat, 27 Feb 2016 17:06:02 GMT)

Acknowledgement sent to ludo <at> gnu.org (Ludovic Courtès):
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 27 Feb 2016 17:06:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: bug-guix <at> gnu.org
Subject: OpenSSL should not depend on Perl
Date: Sat, 27 Feb 2016 18:05:29 +0100
Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
but one of the subsequent upgrades broke it:

--8<---------------cut here---------------start------------->8---
$ guix build perl
/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1
$ grep -r x2p2biyybcb2wac77qz9468asc5fm48i $(guix build openssl)
/gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f/bin/c_rehash:#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl
--8<---------------cut here---------------end--------------->8---

Somehow ‘openssl-c-rehash.patch’ seems to no longer have the desired
effect.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Sun, 28 Feb 2016 01:11:01 GMT)

Message #8 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Sat, 27 Feb 2016 20:10:27 -0500
On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> but one of the subsequent upgrades broke it:

Bisecting, I narrowed it down to:
86c8f1daf8ed10f13f2b1e973a28845629b8ce47
(gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).

I'll get the openssl sources corresponding to the good and bad commits
and try to figure out what changed that pulled perl back in.

> 
> --8<---------------cut here---------------start------------->8---
> $ guix build perl
> /gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1
> $ grep -r x2p2biyybcb2wac77qz9468asc5fm48i $(guix build openssl)
> /gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f/bin/c_rehash:#!/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1/bin/perl
> --8<---------------cut here---------------end--------------->8---
> 
> Somehow ‘openssl-c-rehash.patch’ seems to no longer have the desired
> effect.
> 
> Ludo’.
> 
> 
> 




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Sun, 28 Feb 2016 13:36:02 GMT)

Message #11 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Sun, 28 Feb 2016 14:35:12 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> but one of the subsequent upgrades broke it:
>
> Bisecting, I narrowed it down to:
> 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>
> I'll get the openssl sources corresponding to the good and bad commits
> and try to figure out what changed that pulled perl back in.

Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
Tuesday.

Thanks,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Sun, 28 Feb 2016 13:39:01 GMT)

Message #14 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Sun, 28 Feb 2016 14:37:54 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> but one of the subsequent upgrades broke it:
>
> Bisecting, I narrowed it down to:
> 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>
> I'll get the openssl sources corresponding to the good and bad commits
> and try to figure out what changed that pulled perl back in.

Also we should add something like:

  #:allowed-references (list (canonical-package glibc)
                             (list (canonical-package gcc) "lib")
                             "out")

to avoid regressions.

(A case where #:disallowed-references would be more convenient, but it’s
not yet implemented.  :-))

Ludo’.
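The grep in the first message and the #:allowed-references suggestion above are two views of the same question: which store items does a built output refer to? The following is an added example written for this thread, not Guix's own code: a small Python re-implementation of the reference check that Guix performs for #:allowed-references and #:disallowed-references, run over a constructed miniature "openssl" output tree. The perl and openssl store paths are the ones quoted in the report; the glibc, gcc:lib and zlib items are constructed placeholders whose hashes only satisfy the store-name alphabet and length.

```python
"""Standalone re-implementation of the reference check that Guix's
#:allowed-references / #:disallowed-references perform on a build output.
Not Guix's code; a teaching example written for this bug thread."""
import os
import re
import tempfile

# A Guix store item looks like /gnu/store/<32-char Nix base32 hash>-<name>.
# The Nix base32 alphabet is 0-9 and a-z without e, o, t, u.
STORE_ITEM_RE = re.compile(rb"/gnu/store/[0-9a-df-np-sv-z]{32}-[^/\s'\"\x00]+")

# Store items used by the sample below.  PERL and OPENSSL are the paths quoted
# in the bug report; the other three are constructed placeholders whose hashes
# merely satisfy the alphabet and length rule.
PERL = "/gnu/store/x2p2biyybcb2wac77qz9468asc5fm48i-perl-5.22.1"
OPENSSL = "/gnu/store/qvx4q6lbwi4s3cwr8wqaa7kcva0a5c4b-openssl-1.0.2f"
GLIBC = "/gnu/store/abcdfghijklmnpqrsvwxyz0123456789-glibc-placeholder"
GCC_LIB = "/gnu/store/0123456789abcdfghijklmnpqrsvwxyz-gcc-placeholder-lib"
ZLIB = "/gnu/store/zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-zlib-placeholder"


def find_references(root):
    """Return the set of store items referenced by any file under ROOT.

    Files are scanned as raw bytes, so shebang lines, RPATH entries and
    strings embedded in binaries are all found; symlink targets count too.
    Same idea as `grep -r <hash> $(guix build openssl)`, but it reports
    every store item instead of the one hash you already suspect.
    """
    refs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                data = os.readlink(path).encode()
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            for match in STORE_ITEM_RE.finditer(data):
                refs.add(match.group(0).decode())
    return refs


def check_references(refs, self_item, allowed=None, disallowed=()):
    """Apply an allow-list and/or a deny-list to REFS; return the offenders.

    allowed:    when not None, every reference must be in it (SELF_ITEM, the
                output itself, is implicitly allowed, like "out" in Guix).
    disallowed: any reference found in it is an offender.
    An empty result means the output passes the check.
    """
    offenders = set()
    if allowed is not None:
        offenders |= refs - set(allowed) - {self_item}
    offenders |= refs & set(disallowed)
    return sorted(offenders)


def build_sample_output(root):
    """Write a miniature 'openssl' output tree with the reported bug present."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "lib"))
    # The regression from the report: c_rehash keeps an absolute Perl shebang.
    with open(os.path.join(root, "bin", "c_rehash"), "w") as fh:
        fh.write("#!" + PERL + "/bin/perl\n# Perl c_rehash script\n")
    # A library that legitimately refers to glibc, gcc:lib and the output
    # itself, plus zlib: a harmless new dependency an allow-list never heard of.
    with open(os.path.join(root, "lib", "libssl.so"), "wb") as fh:
        strings = [GLIBC + "/lib", GCC_LIB + "/lib", OPENSSL + "/lib", ZLIB + "/lib"]
        fh.write(b"\x7fELF" + b"\x00".join(s.encode() for s in strings) + b"\x00")


def demo():
    """Run both policies over the sample tree.

    Returns (allow_list_offenders, deny_list_offenders).
    """
    with tempfile.TemporaryDirectory() as root:
        build_sample_output(root)
        refs = find_references(root)
    # First proposal in the thread: only glibc, gcc:lib and "out" may be referenced.
    allow_hits = check_references(refs, OPENSSL, allowed={GLIBC, GCC_LIB})
    # Final patch in the thread: nothing in the output may refer to Perl.
    deny_hits = check_references(refs, OPENSSL, disallowed={PERL})
    return allow_hits, deny_hits


if __name__ == "__main__":
    allow_hits, deny_hits = demo()
    print("allowed-references would reject:", allow_hits)
    print("disallowed-references would reject:", deny_hits)
```

Running it shows the trade-off the thread circles around: the allow-list rejects both the Perl shebang and the harmless zlib reference, so it has to be edited every time OpenSSL legitimately gains a dependency, while the deny-list rejects only Perl, which is the one regression anyone here cares about.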




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Mon, 29 Feb 2016 08:48:02 GMT)

Message #17 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Mon, 29 Feb 2016 03:47:38 -0500
On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> >> but one of the subsequent upgrades broke it:
> >
> > Bisecting, I narrowed it down to:
> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> >
> > I'll get the openssl sources corresponding to the good and bad commits
> > and try to figure out what changed that pulled perl back in.
> 
> Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
> Tuesday.

'openssl-c-rehash.patch' is being applied, but at some point in the
build process the change is reverted.

I haven't figured out why yet. Ludo is right, it would be really good to
only change our OpenSSL package one day this week.

So, I'm asking for help with this problem!

I will spend some time on it tomorrow, but I really don't have any
promising leads. My plan is to step through the build process and learn
when the shebang is recreated. Hopefully then I will get some
inspiration.

I suppose a nasty short term fix would be to patch the file after
installing it. I will submit that patch if it seems there is no other
option in time for the security update.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Mon, 29 Feb 2016 08:49:01 GMT)

Message #20 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Mon, 29 Feb 2016 03:48:15 -0500
On Sun, Feb 28, 2016 at 02:37:54PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
> >> but one of the subsequent upgrades broke it:
> >
> > Bisecting, I narrowed it down to:
> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
> >
> > I'll get the openssl sources corresponding to the good and bad commits
> > and try to figure out what changed that pulled perl back in.
> 
> Also we should add something like:
> 
>   #:allowed-references (list (canonical-package glibc)
>                              (list (canonical-package gcc) "lib")
>                              "out")
> 
> to avoid regressions.

Okay, good idea.

> 
> (A case where #:disallowed-references would be more convenient, but it’s
> not yet implemented.  :-))
> 
> Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 00:40:03 GMT)

Message #23 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: [PATCH 0/2] OpenSSL / Perl run-time dependency
Date: Mon, 29 Feb 2016 19:39:51 -0500
Patch 1/2 updates the patch we use to keep Perl from becoming a
registered run-time dependency of OpenSSL.

Patch 2/2 is an attempt to use #:allowed-references to prevent
Perl from sneaking back in again. Unfortunately, it fails when gcc is an
allowed reference. It "works" when gcc is not in the list. Here's the
backtrace:

Backtrace:
In ice-9/boot-9.scm:
 157: 19 [catch system-error #<procedure 1fc8930 at ice-9/eval.scm:416:20 ()> ...]
In ice-9/eval.scm:
 481: 18 [lp (#<fluid 1>) (absolute)]
 411: 17 [eval # #]
 481: 16 [lp (#<fluid 32>) (#t)]
In srfi/srfi-1.scm:
 646: 15 [append-map #<procedure 1fca0c0 at ice-9/eval.scm:416:20 (a)> (#)]
 578: 14 [map #<procedure 1fca0c0 at ice-9/eval.scm:416:20 (a)> (#)]
In ice-9/eval.scm:
 387: 13 [eval # #]
 411: 12 [eval # #]
In ice-9/r4rs.scm:
  39: 11 [call-with-values #<procedure 5e8f960 at ice-9/eval.scm:416:20 ()> ...]
In ice-9/eval.scm:
 411: 10 [eval # #]
 481: 9 [lp (#<fluid 24> #<fluid 25>) ("x86_64-linux" #f)]
 481: 8 [lp (#<fluid 25>) (#f)]
 411: 7 [eval # #]
 387: 6 [eval # #]
 387: 5 [eval # #]
 387: 4 [eval # #]
 387: 3 [eval # #]
 387: 2 [eval # #]
 393: 1 [eval # #]
In unknown file:
   ?: 0 [memoize-variable-access! #<memoized gcc> #<directory # 41083f0>]

ERROR: In procedure memoize-variable-access!:
ERROR: Unbound variable: gcc


Leo Famulari (2):
  gnu: openssl: Remove run-time dependency on Perl.
  WIP: gnu: openssl: Restrict allowed references for openssl.

 gnu/packages/patches/openssl-c-rehash.patch | 14 ++++++++++++++
 gnu/packages/tls.scm                        |  7 +++++++
 2 files changed, 21 insertions(+)

-- 
2.7.1





Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 00:40:04 GMT)

Message #26 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: [PATCH 1/2] gnu: openssl: Remove run-time dependency on Perl.
Date: Mon, 29 Feb 2016 19:39:52 -0500
Fixes <http://bugs.gnu.org/22831>.

* gnu/packages/patches/openssl-c-rehash.patch: Update patch to also replace the
shebang of 'c_rehash.in'.
---
 gnu/packages/patches/openssl-c-rehash.patch | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/gnu/packages/patches/openssl-c-rehash.patch b/gnu/packages/patches/openssl-c-rehash.patch
index f873a9a..62cf662 100644
--- a/gnu/packages/patches/openssl-c-rehash.patch
+++ b/gnu/packages/patches/openssl-c-rehash.patch
@@ -15,3 +15,17 @@ package.
  
  # Perl c_rehash script, scan all files in a directory
  # and add symbolic links to their hash values.
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index b086ff9..5908a97 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,6 @@
+-#!/usr/local/bin/perl
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++  & eval 'exec perl -wS "$0" $argv:q'
++    if 0;
+ 
+ # Perl c_rehash script, scan all files in a directory
+ # and add symbolic links to their hash values.
+
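Review bot: the commit message says the patch now "also" replaces the shebang of 'c_rehash.in' but not why; the installed `tools/c_rehash` comes from `c_rehash.in`, which is how the earlier `c_rehash`-only edit got undone, and the patch header should say so, otherwise the next updater may drop the second hunk as redundant. Worth a line there as well: the `eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'` trampoline replaces the absolute interpreter path with a PATH lookup of `perl` at run time. That is the intended trade (no store reference to Perl in the output), but it means c_rehash now silently depends on a perl being in the user's environment, which is the kind of thing a reader of the patch will want stated.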
-- 
2.7.1





Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 00:40:05 GMT)

Message #29 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed references for
 openssl.
Date: Mon, 29 Feb 2016 19:39:53 -0500
* gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
---
 gnu/packages/tls.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 57f0ca1..5990413 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,13 @@ required structures.")
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; Perl is required at build-time, but ideally not at run-time.
+      ;; OpenSSL updates tend to pull it back in. This prevents that.
+
+      #:allowed-references ,(list (canonical-package glibc)
+                                  (list (canonical-package gcc) "lib")
+                                  "out")
       #:phases
       (modify-phases %standard-phases
         (add-before
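Review bot: `gcc` in `(list (canonical-package gcc) "lib")` is not bound in this module, which is exactly the `ERROR: Unbound variable: gcc` in the cover letter's backtrace; the hunk needs a matching `#:use-module (gnu packages gcc)` in the module's `define-module` form (or another way of naming gcc:lib) before it can be applied. Separately, an allow-list of glibc, gcc:lib and "out" must be extended every time OpenSSL legitimately gains a dependency, so this line will also fail builds for reasons that have nothing to do with Perl; the thread's own observation that a deny-list naming perl would be more convenient applies here.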
-- 
2.7.1





Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 07:19:02 GMT)

Message #32 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Tue, 1 Mar 2016 02:18:35 -0500
On Mon, Feb 29, 2016 at 07:39:53PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.

I realized that it would work if I imported (gnu packages gcc) when
defining the tls module. I don't know if that's the right approach or
not, but the output now refers only to glibc, gcc:lib, and itself.

> ---
>  gnu/packages/tls.scm | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 57f0ca1..5990413 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -200,6 +200,13 @@ required structures.")
>      `(#:parallel-build? #f
>        #:parallel-tests? #f
>        #:test-target "test"
> +
> +      ;; Perl is required at build-time, but ideally not at run-time.
> +      ;; OpenSSL updates tend to pull it back in. This prevents that.
> +
> +      #:allowed-references ,(list (canonical-package glibc)
> +                                  (list (canonical-package gcc) "lib")
> +                                  "out")
>        #:phases
>        (modify-phases %standard-phases
>          (add-before
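Review bot: the reply says the build passes once `(gnu packages gcc)` is imported, but the quoted hunk is unchanged and still carries no import, so a v2 should include that `#:use-module` line next to this hunk rather than leaving it to whoever applies the patch. The comment `;; OpenSSL updates tend to pull it back in. This prevents that.` also overstates what the line does: an allow-list does not stop Perl from being pulled in, it makes the build fail when an unlisted reference such as Perl shows up in the output. Say "fails the build" rather than "prevents" so the comment matches the behaviour.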
> -- 
> 2.7.1
> 
> 
> 
> 




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 07:21:01 GMT)

Message #35 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Tue, 1 Mar 2016 02:20:25 -0500
On Mon, Feb 29, 2016 at 07:39:53PM -0500, Leo Famulari wrote:
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.

Working patch attached.
[0001-gnu-openssl-Restrict-allowed-references-for-openssl.patch (text/x-diff, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 13:39:02 GMT)

Message #38 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Tue, 01 Mar 2016 14:38:07 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo <at> famulari.name> skribis:
>> 
>> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>> >> but one of the subsequent upgrades broke it:
>> >
>> > Bisecting, I narrowed it down to:
>> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
>> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>> >
>> > I'll get the openssl sources corresponding to the good and bad commits
>> > and try to figure out what changed that pulled perl back in.
>> 
>> Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
>> Tuesday.
>
> 'openssl-c-rehash.patch' is being applied, but at some point in the
> build process the change is reverted.

In the source, I see:

--8<---------------cut here---------------start------------->8---
$ find -name c_rehash\*
./tools/c_rehash
./tools/c_rehash.in
./doc/apps/c_rehash.pod
--8<---------------cut here---------------end--------------->8---

Could it be that the unpatched one ends up being installed or something?

Ludo’.




Reply sent to ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility. (Tue, 01 Mar 2016 17:25:02 GMT)

Notification sent to ludo <at> gnu.org (Ludovic Courtès):
bug acknowledged by developer. (Tue, 01 Mar 2016 17:25:02 GMT)

Message #43 received at 22831-done <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831-done <at> debbugs.gnu.org
Subject: Re: bug#22831: OpenSSL should not depend on Perl
Date: Tue, 01 Mar 2016 18:24:15 +0100
ludo <at> gnu.org (Ludovic Courtès) skribis:

> Leo Famulari <leo <at> famulari.name> skribis:
>
>> On Sun, Feb 28, 2016 at 02:35:12PM +0100, Ludovic Courtès wrote:
>>> Leo Famulari <leo <at> famulari.name> skribis:
>>> 
>>> > On Sat, Feb 27, 2016 at 06:05:29PM +0100, Ludovic Courtès wrote:
>>> >> Commit 784d6e91 changed OpenSSL such that it does not depend on Perl,
>>> >> but one of the subsequent upgrades broke it:
>>> >
>>> > Bisecting, I narrowed it down to:
>>> > 86c8f1daf8ed10f13f2b1e973a28845629b8ce47
>>> > (gnu: openssl: Update to 1.0.2e [fixes CVE-2015-{3193,3194,3195}].).
>>> >
>>> > I'll get the openssl sources corresponding to the good and bad commits
>>> > and try to figure out what changed that pulled perl back in.
>>> 
>>> Awesome.  Hopefully we can apply the fix when we upgrade OpenSSL this
>>> Tuesday.
>>
>> 'openssl-c-rehash.patch' is being applied, but at some point in the
>> build process the change is reverted.
>
> In the source, I see:
>
> $ find -name c_rehash\*
> ./tools/c_rehash
> ./tools/c_rehash.in
> ./doc/apps/c_rehash.pod
>
> Could it be that the unpatched one ends up being installed or something?

Indeed.  Fixed in caeadfd, though without #:allowed-references—it’ll be
more convenient to use #:disallowed-references when it’s implemented.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 20:47:02 GMT)

Message #46 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Tue, 01 Mar 2016 21:46:26 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Mon, 29 Feb 2016 19:24:20 -0500
> Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>
> * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.

For some reason I hadn’t seen it in M-x debbugs-gnu for this report
today, but the patch looks good to me!

If we apply it now, it won’t trigger a rebuild (yay!), but will still
trigger a bunch of regrafting, which is slightly annoying.  What about
applying it in the next ‘security-updates’ branch?

Thanks!

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Tue, 01 Mar 2016 21:05:02 GMT)

Message #49 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Tue, 1 Mar 2016 16:04:40 -0500
On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo <at> famulari.name>
> > Date: Mon, 29 Feb 2016 19:24:20 -0500
> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
> >
> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
> 
> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
> today, but the patch looks good to me!
> 
> If we apply it now, it won’t trigger a rebuild (yay!), but will still
> trigger a bunch of regrafting, which is slightly annoying.  What about
> applying it in the next ‘security-updates’ branch?

Sure. Is it okay if I create that branch?

> 
> Thanks!
> 
> Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Wed, 02 Mar 2016 08:43:01 GMT)

Message #52 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Wed, 02 Mar 2016 09:42:41 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo <at> famulari.name> skribis:
>> 
>> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
>> > From: Leo Famulari <leo <at> famulari.name>
>> > Date: Mon, 29 Feb 2016 19:24:20 -0500
>> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>> >
>> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>> 
>> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
>> today, but the patch looks good to me!
>> 
>> If we apply it now, it won’t trigger a rebuild (yay!), but will still
>> trigger a bunch of regrafting, which is slightly annoying.  What about
>> applying it in the next ‘security-updates’ branch?
>
> Sure. Is it okay if I create that branch?

Sure, no problem.

Thanks,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Wed, 02 Mar 2016 19:21:02 GMT)

Message #55 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Wed, 2 Mar 2016 14:20:22 -0500
On Wed, Mar 02, 2016 at 09:42:41AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari <leo <at> famulari.name> skribis:
> >> 
> >> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
> >> > From: Leo Famulari <leo <at> famulari.name>
> >> > Date: Mon, 29 Feb 2016 19:24:20 -0500
> >> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
> >> >
> >> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
> >> 
> >> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
> >> today, but the patch looks good to me!
> >> 
> >> If we apply it now, it won’t trigger a rebuild (yay!), but will still
> >> trigger a bunch of regrafting, which is slightly annoying.  What about
> >> applying it in the next ‘security-updates’ branch?
> >
> > Sure. Is it okay if I create that branch?
> 
> Sure, no problem.

Since there was already a security-updates job started, how about
putting it on core-updates?

> 
> Thanks,
> Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Wed, 02 Mar 2016 21:00:02 GMT)

Message #58 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 2/2] WIP: gnu: openssl: Restrict allowed
 references for openssl.
Date: Wed, 02 Mar 2016 21:59:25 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> On Wed, Mar 02, 2016 at 09:42:41AM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo <at> famulari.name> skribis:
>> 
>> > On Tue, Mar 01, 2016 at 09:46:26PM +0100, Ludovic Courtès wrote:
>> >> Leo Famulari <leo <at> famulari.name> skribis:
>> >> 
>> >> > From 00807e4421757f8d9204f1601de9a8286a408f91 Mon Sep 17 00:00:00 2001
>> >> > From: Leo Famulari <leo <at> famulari.name>
>> >> > Date: Mon, 29 Feb 2016 19:24:20 -0500
>> >> > Subject: [PATCH] gnu: openssl: Restrict allowed references for openssl.
>> >> >
>> >> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:allowed-references.
>> >> 
>> >> For some reason I hadn’t seen it in M-x debbugs-gnu for this report
>> >> today, but the patch looks good to me!
>> >> 
>> >> If we apply it now, it won’t trigger a rebuild (yay!), but will still
>> >> trigger a bunch of regrafting, which is slightly annoying.  What about
>> >> applying it in the next ‘security-updates’ branch?
>> >
>> > Sure. Is it okay if I create that branch?
>> 
>> Sure, no problem.
>
> Since there was already a security-updates job started, how about
> putting it on core-updates?

Dunno, what does Mark think?  Let’s check with Mark on IRC.  :-)

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Mon, 21 Mar 2016 02:21:02 GMT)

Message #61 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: [PATCH 0/1] Disallow reference to Perl from OpenSSL
Date: Sun, 20 Mar 2016 22:20:10 -0400
Now that #:disallowed-references has been implemented (thanks Ludo!),
here it is applied to OpenSSL.

To core-updates?

Leo Famulari (1):
  gnu: openssl: Enforce non-reference to perl.

 gnu/packages/tls.scm | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.7.3





Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Mon, 21 Mar 2016 02:21:02 GMT)

Message #64 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 22831 <at> debbugs.gnu.org
Subject: [PATCH 1/1] gnu: openssl: Enforce non-reference to perl.
Date: Sun, 20 Mar 2016 22:20:11 -0400
* gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
---
 gnu/packages/tls.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b6bf257..28d7947 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,6 +201,10 @@ required structures.")
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+      ;; so we explicitly disallow it here.
+      #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
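Review bot: unlike patch 1/2 earlier in this thread, the commit message carries no bug reference; add a `Fixes <http://bugs.gnu.org/22831>` line so the reason for the deny-list is recoverable from `git log`, since the in-tree comment only says Perl "sneaks in". The check matches the exact store item of `(canonical-package perl)` and nothing else, so it is worth confirming once that this is the same perl the package uses at build time; a reference to any other perl store item would pass this line unnoticed.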
-- 
2.7.3





Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Mon, 21 Mar 2016 09:31:01 GMT)

Message #67 received at 22831 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to
 perl.
Date: Mon, 21 Mar 2016 10:29:51 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> * gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.

Sounds good!  (And thanks for following commits closely.  ;-))

This should go to ‘core-updates’, but first, ‘master’ should be merged
in ‘core-updates’ so that #:disallowed-references is available.

Could you do that?

Thanks!

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#22831; Package guix. (Mon, 21 Mar 2016 16:24:02 GMT)

Message #70 received at 22831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 22831 <at> debbugs.gnu.org
Subject: Re: bug#22831: [PATCH 1/1] gnu: openssl: Enforce non-reference to
 perl.
Date: Mon, 21 Mar 2016 12:23:52 -0400
On Mon, Mar 21, 2016 at 10:29:51AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > * gnu/packages/tls.scm (openssl)[arguments]: Add #:disallowed-references.
> 
> Sounds good!  (And thanks for following commits closely.  ;-))
> 
> This should go to ‘core-updates’, but first, ‘master’ should be merged
> in ‘core-updates’ so that #:disallowed-references is available.
> 
> Could you do that?

Done!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 19 Apr 2016 11:24:03 GMT)
