[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#47228: Check binary consistency after grafting with e.g. ldd
|
From: |
Ludovic Courtès |
|
Subject: |
bug#47228: Check binary consistency after grafting with e.g. ldd |
|
Date: |
Fri, 19 Mar 2021 11:39:44 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Hi,
Léo Le Bouter <lle-bout@zaclys.net> skribis:
> On Thu, 2021-03-18 at 14:38 +0100, Ludovic Courtès wrote:
>> I don’t think all the testing that needs to be done when grafting can
>> be
>> automated.
>
> Not all but part of it?
Not even sure; at least I don’t have any ideas.
>> In particular, packagers who want to introduce a replacement for a
>> library should use libabigail’s ‘abi-diff’ tool to check that the
>> package and its replacement are ABI-compatible. It’s also a good
>> idea
>> to make some quick manual tests.
>
> That's great! Maybe we can have some quick tooling to in GNU Guix to
> aid that?
Again it’s on a case-by-case basis, it depends on what you’re grafting,
so I wouldn’t know how to do that.
Perhaps a first step would be consolidate this “insider knowledge” about
security updates and grafts into a check list.
>> The .so file symlinks in
>> <
>> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2e0ff59f0cd836b156f1ef2e78791d864ce3cfcd
>> >
>> look very scary to me. To me, it’s likely to hide the ABI
>> incompatibility issue rather than “fix” it.
>
> :-/ Yes it is scary, we were having an user with an Inkscape issue on
> IRC and this commit fixed it for them and they could work without an
> issue though, we were discussing with rekado and rekado suggested we
> cheat like this and I've done it, the only alternative we have is
> porting/applying all patches to our version by digging commit history
> (with always the doubt of adding an incomplete fix which is likely if
> we have to dig commit history manually).
It’s the kind of patch that should be reviewed before it gets in.
In this case, review will have to happen after the fact, but it still
has to happen IMO. I’d prefer not to do it myself; perhaps Leo F. can
take a look?
> If nobody can put time to dig patches for all individuals CVEs until we
> ungraft then I'd rather have this scary commit in.
Security is a spectrum; we’ll never close all CVEs. :-)
Security issues often call for quick reaction, but to me that doesn’t
mean we should dismiss our practices and workflow, in particular peer
review.
Thanks,
Ludo’.