From: Maxim Cournoyer
Subject: [bug#31442] bug#31444: 'guix health': a tool to report vulnerable packages
Date: Sat, 09 Sep 2023 18:14:13 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

> Reporting only leaf packages was a limitation, not a goal.  The
> limitation stemmed from the fact that, to determine whether a package is
> vulnerable, we need to (1) map its store file name to its package name,
> and (2) map its package name to its CPE name.
>
> We can do #1 via manifests, but only for leaf packages (because there’s
> no metadata available for other store items).

[...]

> There’s been progress since I posted this patch: manifests now include
> provenance info, which means we can map profiles back to package
> definitions!  So we could make a proper ‘guix health’ at this stage.
>
> I’d like to say I’ll work on it soon but reality is that I’m a bit
> swamped.  Anyhow, I think it remains a useful tool, and whether it’s me
> or someone else working on it, we should probably aim for it at some
> point.

Thanks for the update.  It's OK to keep it here if all that is missing
is some extra work to push it to the finish line, so let's keep this one
open.

On a related note sometimes we have WIP kind of work that stays on our
tracker with deeper questions / problems to solve, and I don't think
it's fair for our reviewers to have these linger on for years on the
tracker (they take a lot of time to get familiar with, and would then
require quite a bit more investment to be completed, sometimes with the
original submitter no longer active in the discussion) -- I think for
these situations it's fair to close it.  An interested person can
hopefully find these in the archives and resume work on it if they are
so inclined.

-- 
Thanks,
Maxim
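The quoted message describes the two lookups a 'guix health' needs: (1) map a store file name back to a package name and version, and (2) map that package name to a CPE name that can be matched against vulnerability data. The following Python sketch, added here as an illustration and not part of the thread or of Guix itself, walks through both steps on constructed input. It assumes the conventional store layout `/gnu/store/<hash>-<name>-<version>`, a hypothetical package-name-to-CPE table standing in for the `cpe-name` property of package definitions, and placeholder CVE records; the store hash, CVE identifiers and version ranges are all made up.

```python
import re

# Constructed sample input: store file names as a profile manifest would list
# them for leaf packages. The hash is a 32-character placeholder, not a real one.
STORE_ITEMS = [
    "/gnu/store/0123456789abcdefghijklmnopqrstuv-openssl-1.1.1",
    "/gnu/store/0123456789abcdefghijklmnopqrstuv-gcc-toolchain-12.3.0",
    "/gnu/store/0123456789abcdefghijklmnopqrstuv-bash-5.1.8",
]

# Step (2) data: package name -> (CPE vendor, CPE product). Hypothetical table;
# in Guix this information comes from the package's 'cpe-name' property.
CPE_NAMES = {
    "openssl": ("openssl", "openssl"),
    "bash": ("gnu", "bash"),
}

# Constructed vulnerability records: (id, vendor, product, last affected version).
# The identifiers are placeholders, not real CVE numbers.
VULNERABILITIES = [
    ("CVE-XXXX-0001", "openssl", "openssl", "1.1.1"),
    ("CVE-XXXX-0002", "gnu", "bash", "5.0.0"),
]

# /gnu/store/<32-char hash>-<item>, where <item> is "<name>-<version>".
STORE_RE = re.compile(r"^/gnu/store/(?P<hash>[0-9a-z]{32})-(?P<item>[^/]+)")
# Split "<name>-<version>" at the first hyphen followed by a digit, so that
# "gcc-toolchain-12.3.0" yields ("gcc-toolchain", "12.3.0").  Simplification.
NAME_VERSION_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[0-9][^/]*)$")


def store_item_name(path):
    """Return the '<name>-<version>' part of a store path, or None if malformed."""
    m = STORE_RE.match(path)
    return m.group("item") if m else None


def split_name_version(item):
    """Step (1): split a store item name into (package name, version or None)."""
    m = NAME_VERSION_RE.match(item)
    if not m:
        return item, None
    return m.group("name"), m.group("version")


def version_key(version):
    """Comparable key for dotted versions; non-numeric components count as 0."""
    parts = []
    for component in re.split(r"[.\-]", version):
        m = re.match(r"\d+", component)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def vulnerable_items(store_items, cpe_names=CPE_NAMES, vulnerabilities=VULNERABILITIES):
    """Report (store_path, package, version, id) for every affected store item.

    Items whose package has no CPE mapping, or whose name carries no version,
    are silently skipped: without metadata there is nothing to match against,
    which is exactly the gap the message describes for non-leaf store items.
    """
    findings = []
    for path in store_items:
        item = store_item_name(path)
        if item is None:
            continue
        name, version = split_name_version(item)
        cpe = cpe_names.get(name)
        if cpe is None or version is None:
            continue
        vendor, product = cpe
        for vuln_id, v_vendor, v_product, last_affected in vulnerabilities:
            if (vendor, product) != (v_vendor, v_product):
                continue
            # Step (2): the package's CPE matches; compare versions.
            if version_key(version) <= version_key(last_affected):
                findings.append((path, name, version, vuln_id))
    return findings


if __name__ == "__main__":
    for path, name, version, vuln_id in vulnerable_items(STORE_ITEMS):
        print(f"{name}@{version} is affected by {vuln_id} ({path})")
```

On the constructed input only the openssl item is reported: gcc-toolchain has no CPE entry and is skipped, and bash 5.1.8 lies outside the made-up affected range. A real implementation would need the version-range semantics of the vulnerability feed rather than this simple "last affected version" comparison.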
