Ludovic Courtès writes: > Hello! > > OpenSSL 1.0.2g was released today, fixing several serious security > vulnerabilities, several of which are referred to as “DROWN” (as has > become security-marketing tradition.) > > This gave a good incentive to fix the “grafting” mechanism described at: > > https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html > > The problem was that until now, grafting was not recursive: > <http://bugs.gnu.org/22139>. This is fixed in c22a132, so we “rushed” > to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd. > > So now is the time to find out how well the new implementation scales > and to address any limitations. :-) > > A potentially disturbing thing with the new code is that it starts > building/downloading things early, typically before it has written “The > following derivations will be built”; see > <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#13>. > > A limitation of the current implementation is that the replacement > package must have exactly the same name and version as the package being > replaced. So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f. > > The store file name of the old OpenSSL is given by: > > guix build openssl --no-grafts > > … and the new one is given by: > > guix build openssl > > For example, to verify which OpenSSL(s) your whole profile refers to, > you can run: > > guix gc -R $(readlink -f ~/.guix-profile) | grep openssl > > and check the store file names that you get (make sure to turn off > guix-prettify-mode :-)). Likewise for a GuixSD generation: > > guix gc -R $(guix system build config.scm) | grep openssl > > And for running processes: > > lsof | grep /gnu/store/.*openssl > > Seems like this tricks could go in the manual under “Security Updates” > no? > > Feedback welcome! > > Ludo’.
Just wanted to repeat a *HUGE* congratulations and thank you on landing this feature! So necessary!
