Someone noted that you can run a compromised glibc for a long time on Guix without realizing.

How expensive would it be that every time you run Guix it would check for compromised versions and issue a warning like this:

  WARNING: version x.x of package name installed on your system has security concerns, please see URL and update the package to y.y or later.

In the URL we give a fuller description and a list of packages that may need to be updated. Very long in the case of glibc.

Pj.

On Wed, Feb 17, 2016 at 01:27:22PM -0500, Leo Famulari wrote:
> No, it doesn't graft. And it produces the same "version" of glibc, but with a
> patch applied for CVE-2015-7547.
>
> Well, you would make sure you cherry-pick the right hash. I can't confirm
> that from my phone.
>
>
> -------- Original Message --------
> From: Jookia <166...@gmail.com>
> Sent: February 17, 2016 11:28:33 AM EST
> To: Leo Famulari <l...@famulari.name>
> Cc: guix-devel@gnu.org
> Subject: Re: glibc update
>
> On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> > I tried this. The resulting process downloaded the bootstrap binaries
> > and appeared to rebuild *everything*. I haven't had time to figure out
> > what actually got rebuilt and if anything is still using the vulnerable
> > glibc.
>
> This doesn't graft does it? It'd just bump glibc's version.
>
> --
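An added example (not code from this thread, and not Guix's own implementation) of the check the message proposes: compare installed packages against a small advisory list and emit the suggested warning. It also handles the detail Leo raises above, namely that the Guix fix keeps the same glibc version string and adds a patch, so a version-only comparison would keep warning after the fix is installed; the check therefore also looks at the patch names applied at build time. The package records, fixed version, patch name and URL are constructed placeholders; only the CVE id comes from the thread.

```python
"""Advisory check sketch. Added example, not from the guix-devel thread or Guix.

Assumptions (mine, not Guix's): an installed package is known by name, version
and the list of patch names applied when it was built; an advisory carries the
first fixed upstream version, the name of the backport patch, and a URL.
All sample data below is constructed except the CVE id, which the thread cites.
"""

from dataclasses import dataclass, field
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into a comparable integer tuple ('2.22' -> (2, 22))."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    package: str
    cve: str
    fixed_in: str      # first upstream version carrying the fix (placeholder)
    patch_name: str    # name of the backport patch applied at build time (placeholder)
    url: str           # where the fuller description lives (placeholder)


@dataclass
class Installed:
    name: str
    version: str
    patches: List[str] = field(default_factory=list)


def is_affected(pkg: Installed, adv: Advisory) -> bool:
    """True when the package is older than the fixed version AND does not carry
    the backported patch. The second test is what a version-only check misses:
    a same-version build with the CVE patch applied is not affected."""
    if pkg.name != adv.package:
        return False
    if parse_version(pkg.version) >= parse_version(adv.fixed_in):
        return False
    return adv.patch_name not in pkg.patches


def warnings_for(installed: List[Installed], advisories: List[Advisory]) -> List[str]:
    """Return one warning line, in the shape the message sketches, per affected package."""
    out = []
    for pkg in installed:
        for adv in advisories:
            if is_affected(pkg, adv):
                out.append(
                    f"WARNING: version {pkg.version} of {pkg.name} installed on your "
                    f"system has security concerns ({adv.cve}), please see {adv.url} "
                    f"and update the package to {adv.fixed_in} or later."
                )
    return out


# Constructed sample data: fixed version, patch name and URL are placeholders.
ADVISORIES = [
    Advisory("glibc", "CVE-2015-7547", fixed_in="2.23",
             patch_name="glibc-CVE-2015-7547.patch",
             url="https://example.invalid/advisories/glibc-CVE-2015-7547"),
]

# Three constructed systems: unpatched, same version with the backport, upgraded.
SAMPLE_SYSTEMS = {
    "unpatched": [Installed("glibc", "2.22")],
    "backported": [Installed("glibc", "2.22", ["glibc-CVE-2015-7547.patch"])],
    "upgraded": [Installed("glibc", "2.23")],
}

if __name__ == "__main__":
    for label, pkgs in SAMPLE_SYSTEMS.items():
        print(f"== {label} ==")
        for line in warnings_for(pkgs, ADVISORIES) or ["(no warnings)"]:
            print(line)
```

The comparison itself is linear in packages times advisories and negligible next to fetching the advisory list, so the cost of such a check is dominated by how the list is distributed and kept current, not by the check at each run.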