[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint'
|
From: |
zimoun |
|
Subject: |
Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway? |
|
Date: |
Mon, 15 Nov 2021 18:20:51 +0100 |
Hi,
On Tue, 9 Nov 2021 at 18:10, Ludovic Courtès <ludo@gnu.org> wrote:
> Giovanni Biscuolo <g@xelera.eu> skribis:
> > Is there a way for "guix lint" to check for the listed (other?)
> > "dangerous" codepoints and warn code reviewers?
>
> That would be an expensive operation since that means unpacking the
> source and reading each and every file. ‘guix lint’ usually does
> inexpensive checks.
I agree. I miss what practical action could be done on the Guix side.
Somehow, we can clean and fix Guix code (and related source as Guile
or other strong direct dependencies) but the Guix project cannot fix
all the broken world of all source code of packages.
> > Is it possible for the Guix community to start a coordinated effort to
> > analyze all the source code (ever?!?) published in out git repo to check
> > for the presence of this attack?
>
> That sounds unreasonable to me.
It appears already unaffordable for only one Guix revision of 17k+
packages, so for all the source code (ever) published. ;-)
Cheers,
simon