Leo Famulari <l...@famulari.name> skribis:

> On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
>> I thought about it, but since it’s an unusual case, what about adding a
>> special property to packages instead?  You’d write:
>>
>>   (package
>>     ;; …
>>     (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
>>
>> ‘guix lint’ would honor this property, and that would address both cases
>> like this and situations where a CVE is known to no longer apply, as is
>> the case with unversioned CVEs¹.
>>
>> Thoughts?
>
> I'd rather the property's name more clearly reflect that it doesn't
> actually fix the vulnerability, but just prevents the linter from
> complaining about it.
>
> Someone who sees this property used in a package could reasonably assume
> that it's required to list all fixed CVEs in a 'fixed-vulnerabilities'
> list, and that it is the "single source of truth" for which bugs apply
> to a package.  But, it would not actually have anything to do with that,
> just being a way to silence the linter.

Yes, I see it as a last resort, and thus rarely used.  When used, it
should be accompanied by a comment clearly explaining what we’re doing.

I think people are unlikely to see it as a “single source of truth”
because it’ll be used in a handful of packages only, and because comments
there should make it clear that it’s really just to placate the linter.

> However, I can't think of a good idea for another name...

Maybe ‘lint-hidden-vulnerabilities’ or ‘hidden-vulnerabilities’, or
‘ignored-vulnerabilities’, or…?  What’s your preference?  :-)

> On Thu, Nov 30, 2017 at 11:49:01PM +0200, Efraim Flashner wrote:
>> I like that idea. It also allows us to mitigate a CVE without needing to
>> specifically add a patch. I've attached my first attempt at implementing
>> it.
>
> I think of `guix lint -c cve` as one of many tools for discovering
> important problems in our packages, but I don't think that we must
> absolutely silence the linter. It's always going to be imprecise, with
> both false negative and positive results.

I agree.  Like patch file names, I view this new property as a way to
silence the reader when we have reliable info to do that.

Would you be OK with a more appropriate name and the understanding that
it’s there to address rare cases like this one?

Thanks for your feedback!

Ludo’.
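For readers following the thread, here is a sketch of how a lint-time CVE check could honor a property of the kind being discussed. It is an added illustration, not code from the thread, from Efraim's attached patch, or from Guix itself: the property name ‘lint-hidden-vulnerabilities’ is just one of the names floated above, the package is modelled as a plain alist rather than a Guix <package> record so the script runs under Guile without Guix installed, and every package name and CVE identifier is constructed.

```scheme
(use-modules (srfi srfi-1))

;; Hypothetical property name, one of those proposed in the thread.
(define hidden-property 'lint-hidden-vulnerabilities)

;; Constructed package, modelled as an alist.  The ‘properties’ entry has
;; the same shape as the (properties '(...)) field of a Guix package.
(define foo-package
  '((name . "foo")
    (version . "1.2")
    ;; Each hidden identifier carries a comment saying why it is listed,
    ;; as the thread asks for, so nobody mistakes this for a list of fixes.
    (properties . ((lint-hidden-vulnerabilities
                    ;; Constructed: addressed by a distribution-level change
                    ;; that keeps the upstream version number at 1.2.
                    "CVE-2017-0001"
                    ;; Constructed: unversioned CVE known not to apply here.
                    "CVE-2017-0002")))))

(define (package-properties pkg)
  "Return the property alist of PKG, or the empty list."
  (or (assq-ref pkg 'properties) '()))

(define (hidden-vulnerabilities pkg)
  "Return the CVE identifiers that PKG declares as not applicable."
  (or (assq-ref (package-properties pkg) hidden-property) '()))

(define (unhandled-vulnerabilities pkg reported)
  "Return the identifiers in REPORTED (the CVEs a database associates with
PKG's name and version) that the property does not hide."
  (let ((hidden (hidden-vulnerabilities pkg)))
    (remove (lambda (cve) (member cve hidden)) reported)))

(define (check-vulnerabilities pkg reported)
  "Mimic a linter check: print a warning for each remaining CVE and return
the remaining list so callers can act on it programmatically."
  (let ((remaining (unhandled-vulnerabilities pkg reported)))
    (for-each (lambda (cve)
                (format #t "~a@~a: probably vulnerable to ~a~%"
                        (assq-ref pkg 'name) (assq-ref pkg 'version) cve))
              remaining)
    remaining))

;; Constructed database result: two identifiers are hidden by the
;; property, one is not and therefore still produces a warning.
(check-vulnerabilities foo-package
                       '("CVE-2017-0001" "CVE-2017-0002" "CVE-2017-0003"))
```

The point of returning the remaining list rather than only printing it is that the property only narrows what the linter reports; the database lookup itself is unchanged, which matches the understanding above that the property silences the linter and does not claim anything about the package being fixed.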