Re: GNOME 3.34 in GNU Guix and security

[Guillaume Le Vaillant]

Danny Milosavljevic  skribis:

> Hello,
>
> core-updates is still in a pretty bad state.
>
> [...]
>
> A short summary of what is at least broken:
>
> [...]
> (2) Source files have been in-place replaced upstream with a lot of packages 
> (see my bug report about the topic).  fldigi has such a problem but can just 
> be updated.  This is easy to see by just building without substitutes--and it 
> doesn't do anyone any good for me to file individual bug reports for each and 
> every one of those
> [...]

Concerning the disappearing source tarballs of older fldigi versions on
the official website, it has been fixed on master
(65e9f13116edc58836cdbd1da60bfb81a3d58c82), but core-updates hasn't
merged that in yet.


signature.asc
Description: PGP signature

Re: GNOME 3.34 in GNU Guix and security

[Ricardo Wurmus]

Hi Danny,

> (3) libusb-for-axoloti build failure (guix build axoloti-patcher-next)

This has been fixed in 1daedaa8646696783c88553e03035d547fd001ca.

> (5) download failed
> "https://bioconductor.org/packages/release/bioc/src/contrib/DelayedArray_0.16.1.tar.gz;
> 404 "Not Found"

This was fixed in f10f2745eb1ec38eae5c41323f31980d2dd1f38c.

(These are on the “master” branch.)

-- 
Ricardo

Re: GNOME 3.34 in GNU Guix and security

[Danny Milosavljevic]

Hello,

core-updates is still in a pretty bad state.

I'd be glad to merge Raghav's patches (which he already reworked to be current 
for core-updates!) to core-updates--but right now, Guix packages don't build 
BEFORE or after applying these patches to core-updates.

Please, let's do something about that.

A short summary of what is at least broken:

[(1) FTP with IPv6--or with the new patch, some other FTP that don't support 
EPSV (the latter is a server problem, but the former had been bug in Guix).  So 
I guess that one is fixed.]
(2) Source files have been in-place replaced upstream with a lot of packages 
(see my bug report about the topic).  fldigi has such a problem but can just be 
updated.  This is easy to see by just building without substitutes--and it 
doesn't do anyone any good for me to file individual bug reports for each and 
every one of those
(3) libusb-for-axoloti build failure (guix build axoloti-patcher-next)
(4) bug applying patches in sources unpacked from zip files (I just posted 
patch 47203 to guix-patches)
(5) download failed 
"https://bioconductor.org/packages/release/bioc/src/contrib/DelayedArray_0.16.1.tar.gz;
 404 "Not Found"


That doesn't mean that those are the only problems.  It means I got frustrated 
and stopped trying, lest I find more problems (which would be easy).

My current rebuild command for build-testing the first of Raghav's patches is 
(from guix refresh -l with some editing--because it didn't work without 
editing.  Sigh):

./pre-inst-env guix build -K --no-substitutes foo2zjs docker localed jnettop 
raul libinstpatch hdup rdup connman rust-gobject-sys rust-gio rust-glib 
rust-gio-sys rust-gobject-sys rust-gio-sys rust-glib-sys rust-glib 
rust-glib-sys rust-gio rust-glib rust-gio 4store mdbtools ncdc 
american-fuzzy-lop sdcv duperemove libticalcs2 ecl-enchant imposm3 
spatialite-tools poly2tri-c gnome-shell-extension-hide-app-icon 
gnome-shell-extension-topicons-redux tiramisu gnome-shell-extension-paperwm 
gnome-shell-extension-clipboard-indicator gnome-shell-extension-dash-to-dock 
gnome-shell-extension-dash-to-panel linkchecker fortune-mod rust-gdk-pixbuf-sys 
rust-gdk-pixbuf rust-gdk-pixbuf rust-gdk-pixbuf-sys rust-gdk-pixbuf rust-atk 
rust-atk-sys ddcutil irssi rspamd emacs-mu4e-jump-to-list 
emacs-mu4e-conversation emacs-helm-mu emacs-mu4e-patch mc bitlbee-discord fna 
mojoshader-cs glyr remid-lv2 nbd ocaml-lwt-log brlaser igt-gpu-tools pscircle 
ztoolkit rust-cairo-sys-rs rust-cairo-rs rust-cairo-rs rust-cairo-sys-rs 
rust-cairo-rs libratbag kaldi-gstreamer-server playerctl python2-pyatspi 
guile-charting xplanet rust-pango rust-pango-sys rust-pango rust-pango 
rust-pango-sys font-culmus font-fantasque-sans font-meera-inimai 
font-linuxlibertine fntsample plymouth python-pygraphviz python2-pygraphviz 
pynac makefile2graph sigrok-cli ibutils rust-andrew rust-smithay-clipboard 
mesa-opencl-icd picom rakarrack flamp flrig flwrap tigervnc-client dillo 
tuxpaint-config infamous-plugins sorcer non-sequencer non-timeline non-mixer 
alex4 virtualgl celestia tao slim chipmunk aseprite python2-mapnik 
perceptualdiff megacmd feh sxiv screenfetch ranger eureka git-open privoxy 
fluxbox xmenu idesk xnotify hsetroot python-django-sortedm2m 
python-django-simple-math-captcha python-django-override-storage 
python-django-contrib-comments python-easy-thumbnails python-django-assets 
python-django-auth-ldap python-django-url-filter python-django-netfields 
python-django-contact-form python-django-logging-json python-django-rq 
python-django-debug-toolbar-alchemy patchwork python-django-statici18n 
font-cozette freedoom mcomix conda visidata gajim-omemo python2-ledgerblue 
nototools python2-anaconda-client python2-reportlab python2-qrcode 
libfreenect-examples perl-opengl setbfree xfe gmsh extempore sherlock-lv2 
zynaddsubfx dragonfly-reverb ninjas2 helm zam-plugins wolf-shaper patchmatrix 
wolf-spectrum maim xdriinfo glmark2 insight-toolkit insight-toolkit egl-wayland 
beignet intel-vaapi-driver libvdpau-va-gl mediasdk libva-utils vulkan-tools 
swayidle kanshi wlr-randr wl-clipboard wev foot wterm pass-otp pass-git-helper 
python2-xdo clipmenu libstdc++-doc libstdc++-doc python2-pydot darcs pdf2djvu 
osm2pgsql postgis netcdf-fortran python-netcdf4 nmoldyn domainfinder mes 
mes-rb5 python-anytree python2-dulwich python2-graphql-core python-ws4py 
python-locust python-pykka python-gipc python-pykafka uriparser libxmlplusplus 
pangomm emacs-w3m emacs-blimp emacs-gif-screencast emacs-image+ 
tango-icon-theme catimg chafa perl-catalyst-plugin-captcha ecl-ltk 
emacs-theme-magic skribilo solaar wla-dx keepalived python-symengine alacritty 
python-pylibmc python2-pylibmc rmlint libabigail python-cffi-documentation 
emacs-helm-notmuch notmuch-addrlookup-c patches neomutt muchsync afew mpd-mpc 
ncmpc python-cantools bpython python-robotframework-sshlibrary 

Re: GNOME 3.34 in GNU Guix and security

[Raghav Gururajan]

Hi Ricardo!


Thanks for the update!


Also, then reason GNOME work got messed up is that, in wip-desktop, [1] 
I was not just working gnome packages, but also its dependencies [2] 
Work involved not just updates, but also improvements. This kinda 
complicated the "update stuff" norm.



I think that ci.guix.gnu.org should be capable of building your branch.


On a note, I have put more work on myself. When I was working on 
wip-desktop, I made larget commits instead of 'one change per commit'. 
So after a discussion, I was asked to split them into smaller chunks. So 
I need to get #42958 out of the way.



Excellent!  Let me know if there’s anything I can do to assist.


Thanks! I will be sending new patch-set to #42958. I will let you know, 
once I am done. It would be great if you could review and merge them to 
core-updates or master.


Regards,
RG.



OpenPGP_signature
Description: OpenPGP digital signature

Re: GNOME 3.34 in GNU Guix and security

[Ricardo Wurmus]

Raghav Gururajan  writes:

> Hi Ricardo!
>
>> I don’t know if anyone is working on it right now, though.  I was told
>> months ago that Raghav Gururajan was working on GNOME upgrades as part
>> of the wip-desktop branch, but my occasional questions for a status
>> upgrade have gone unanswered.  Raghav, please correct me if I’m
>> mistaken.  It would be good to clarify what is and isn’t the scope of
>> wip-desktop.
>
> wip-desktop consists of some upgrades, plus, lot of improvements to
> gnome packages and it's immediate dependencies. About 50% of them not 
> merged directly in master. When Danny and I, were merging other 50% to
> core-updates, core-updates were broken. So we tried to merge few
> commits in master, which got reverted due to high re-builds. I was
> told by Danny that we can only merge stuff when c-u is back to normal.

Thanks for the update!

> Since huge time has passed, we need to re-work some commits with
> rebasing from master. This gonna require testing via huge re-builds. 
> Danny is working on setting-up a powerful system to do this work.

I think that ci.guix.gnu.org should be capable of building your branch.

> Let me speak to Danny and get back to you here. Due to the security
> nature of this issue, I am willing to spend this month focusing on 
> GNOME/wip-desktop.

Excellent!  Let me know if there’s anything I can do to assist.

-- 
Ricardo

Re: GNOME 3.34 in GNU Guix and security

[Léo Le Bouter]

On Thu, 2021-03-11 at 03:18 -0500, Mark H Weaver wrote:
> Hi Léo,

Hello!

> I appreciate your recent work on Guix security.  Thank you for that.

Very happy to catch up there as well for my own usage of GNU Guix as
well!

> Can you please substantiate this?  What vulnerabilities do you know
> of,
> and what makes you think that we can't address them adequately in the
> usual ways, without "upgrading GNOME to [the] latest"?

I have not yet fully investigated each CVE but there is uncertainty
around gnome-shell, gvfs, librsvg, gdk-pixbuf, pango, cairo, if not
more. You can use 'guix lint -c cve ' to find out, also look up in
NVD individually in case GNU Guix doesnt find it.

I am always uneasy relying on CVE only for security patches since I
know how much lots of security issues are fixed by developers without
issuing any CVE, so to me the best way of keeping up is to always be on
latest.

> I saw your bug report about our Glib being vulnerable to CVE-2021-
> 27218
> and CVE-2021-27219.  Thanks very much for bringing that our
> attention.
> 
> I'll backport the fixes to our version of Glib.  It will actually be
> quite easy, given that Ubuntu has already published backports of
> the
> fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
> (2.62.6).  I just looked at the diffs between those two patch sets,
> and
> the differences are quite slight, apart from line number differences.

I am really happy you are willing to help! I will have to admit that I
am a bit overwhelmed by the amount of work that I have left still.

Léo


signature.asc
Description: This is a digitally signed message part

Re: GNOME 3.34 in GNU Guix and security

[Jonathan Brielmaier]

Am 11.03.21 um 09:08 schrieb Ricardo Wurmus:


Léo Le Bouter  writes:


I must come to the conclusion that using GNOME 3.34 in GNU Guix right
now is just straight out insecure. I would advise we either, get rid of
GNOME, backport all individual security patches (they can be
numerous..), or upgrade GNOME to latest and keep up over time.

I don't think we can afford to spend time backporting security fixes to
the numerous GNOME packages with CVEs, not with current resources, it
is time-consuming.


No, GNOME should be upgraded.  I upgraded it twice in the past, and it’s
a lot of work, but certainly not impossible.

I don’t know if anyone is working on it right now, though.  I was told
months ago that Raghav Gururajan was working on GNOME upgrades as part
of the wip-desktop branch, but my occasional questions for a status
upgrade have gone unanswered.  Raghav, please correct me if I’m
mistaken.  It would be good to clarify what is and isn’t the scope of
wip-desktop.


I tried rebasing wip-gnome3.36 to master. I'm not done yet... But I
thinks its easier then merging the wip-desktop branch, because that one
is huge and a bit dirty...

Re: GNOME 3.34 in GNU Guix and security

[Raghav Gururajan]

Hi Ricardo!


I don’t know if anyone is working on it right now, though.  I was told
months ago that Raghav Gururajan was working on GNOME upgrades as part
of the wip-desktop branch, but my occasional questions for a status
upgrade have gone unanswered.  Raghav, please correct me if I’m
mistaken.  It would be good to clarify what is and isn’t the scope of
wip-desktop.


wip-desktop consists of some upgrades, plus, lot of improvements to 
gnome packages and it's immediate dependencies. About 50% of them not 
merged directly in master. When Danny and I, were merging other 50% to 
core-updates, core-updates were broken. So we tried to merge few commits 
in master, which got reverted due to high re-builds. I was told by Danny 
that we can only merge stuff when c-u is back to normal.


Since huge time has passed, we need to re-work some commits with 
rebasing from master. This gonna require testing via huge re-builds. 
Danny is working on setting-up a powerful system to do this work.


Let me speak to Danny and get back to you here. Due to the security 
nature of this issue, I am willing to spend this month focusing on 
GNOME/wip-desktop.


Regards,
RG.



OpenPGP_signature
Description: OpenPGP digital signature

Re: GNOME 3.34 in GNU Guix and security

[Mark H Weaver]

Hi Léo,

I appreciate your recent work on Guix security.  Thank you for that.

Léo Le Bouter  writes:
> I must come to the conclusion that using GNOME 3.34 in GNU Guix right
> now is just straight out insecure. I would advise we either, get rid of
> GNOME, backport all individual security patches (they can be
> numerous..), or upgrade GNOME to latest and keep up over time.

Can you please substantiate this?  What vulnerabilities do you know of,
and what makes you think that we can't address them adequately in the
usual ways, without "upgrading GNOME to [the] latest"?

I saw your bug report about our Glib being vulnerable to CVE-2021-27218
and CVE-2021-27219.  Thanks very much for bringing that our attention.

> I don't think we can afford to spend time backporting security fixes to
> the numerous GNOME packages with CVEs, not with current resources, it
> is time-consuming.

I'll backport the fixes to our version of Glib.  It will actually be
quite easy, given that Ubuntu has already published backports of the
fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
(2.62.6).  I just looked at the diffs between those two patch sets, and
the differences are quite slight, apart from line number differences.

Besides CVE-2021-{27218,27219}, do you know of other known security
issues that would justify your claim that "using GNOME 3.34 in GNU Guix
right now is just straight out insecure"?

 Thanks,
   Mark

Re: GNOME 3.34 in GNU Guix and security

[Ricardo Wurmus]

Léo Le Bouter  writes:

> I must come to the conclusion that using GNOME 3.34 in GNU Guix right
> now is just straight out insecure. I would advise we either, get rid of
> GNOME, backport all individual security patches (they can be
> numerous..), or upgrade GNOME to latest and keep up over time.
>
> I don't think we can afford to spend time backporting security fixes to
> the numerous GNOME packages with CVEs, not with current resources, it
> is time-consuming.

No, GNOME should be upgraded.  I upgraded it twice in the past, and it’s
a lot of work, but certainly not impossible.

I don’t know if anyone is working on it right now, though.  I was told
months ago that Raghav Gururajan was working on GNOME upgrades as part
of the wip-desktop branch, but my occasional questions for a status
upgrade have gone unanswered.  Raghav, please correct me if I’m
mistaken.  It would be good to clarify what is and isn’t the scope of
wip-desktop.

We™ should upgrade GNOME as soon as possible.  It’s been stuck on 3.34
for much too long.

-- 
Ricardo