Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint'
From: Giovanni Biscuolo
Subject: Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway?
Date: Tue, 16 Nov 2021 11:06:55 +0100
Hi!
Ludovic Courtès <ludo@gnu.org> writes:
> Giovanni Biscuolo <g@xelera.eu> writes:
>
>> The details are published here: https://www.trojansource.codes/
>
> [...]
>
>> Is there a way for "guix lint" to check for the listed (other?)
>> "dangerous" codepoints and warn code reviewers?
>
> That would be an expensive operation since that means unpacking the
> source and reading each and every file. ‘guix lint’ usually does
> inexpensive checks.
[...]
>> Is it possible for the Guix community to start a coordinated effort to
>> analyze all the source code (ever?!?) published in our git repo to check
>> for the presence of this attack?
>
> That sounds unreasonable to me.
OK, thanks all for your replies!
[...]
Ciao, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
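The check discussed in this thread, sketched as an added example that is not part of the original message and is not Guix or 'guix lint' code: it walks an already unpacked source tree, reads every file (the cost raised in the quoted reply) and reports the bidirectional control characters behind CVE-2021-42574. The function names, the sample tree and the sample text are constructed for illustration, and the homoglyph case (CVE-2021-42694) is not covered.

```python
import os
import tempfile
import unicodedata

# Bidirectional control characters abused in CVE-2021-42574 (written as escapes).
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

# Constructed sample: a comment hiding an override and an isolate.
SAMPLE = "x = 1\ny = 2  # \u202e note \u2066\n"

def scan_text(text):
    """Return (line, column, character name) for every bidi control found."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, unicodedata.name(ch)))
    return findings

def scan_tree(root):
    """Read every regular file under an unpacked source tree."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree
            with open(path, "rb") as handle:
                # Undecodable bytes become U+FFFD, so binaries cannot raise.
                text = handle.read().decode("utf-8", errors="replace")
            hits = scan_text(text)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Build a small constructed tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        samples = {"src/bad.py": SAMPLE.encode(), "src/good.py": b"x = 1\n",
                   "blob.bin": b"\xff\xfe\x00"}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```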