bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 11:45:26PM +0200, Ricardo Wurmus wrote: > > Mark H Weaver writes: > > > FWIW, I always check digital signatures when they're available, and I > > hope that others will as well, but in practice we are putting our faith > > in a large number of

bug#27450: guix pull failed updating guix

2017-06-22 Thread Jonathan Brielmaier
Am 22.06.2017 um 23:05 schrieb Ludovic Courtès: > Leo Famulari skribis: > >> On Thu, Jun 22, 2017 at 06:20:54PM +0200, Jonathan Brielmaier wrote: >>> copying and compiling to >>> '/gnu/store/ld6h1fc696q6iaxi9pax0khnm747hvgi-guix-latest' with Guile >>> 2.0.12... >>> loading...

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread ng0
Leo Famulari transcribed 2.4K bytes: > On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: > > l...@gnu.org (Ludovic Courtès) writes: > > > IOW, since we’re checking the integrity of the tarball anyway, and we > > > assume developers checked its authenticity when writing the recipe,

bug#27042: test-package.sh fails on aarch64

2017-06-22 Thread Ludovic Courtès
Efraim Flashner skribis: > On aarch64 the test 'test-package.sh' fails due to 'offload: command not > found' I think you mentioned on IRC that the problem vanished, right? Ludo’.

bug#27450: guix pull failed updating guix

2017-06-22 Thread Ludovic Courtès
Leo Famulari skribis: > On Thu, Jun 22, 2017 at 06:20:54PM +0200, Jonathan Brielmaier wrote: >> copying and compiling to >> '/gnu/store/ld6h1fc696q6iaxi9pax0khnm747hvgi-guix-latest' with Guile >> 2.0.12... >> loading...12.6% of 605 files ice-9/psyntax.scm:3084:32: In

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Ludovic Courtès
Leo Famulari skribis: > On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: >> l...@gnu.org (Ludovic Courtès) writes: >> > IOW, since we’re checking the integrity of the tarball anyway, and we >> > assume developers checked its authenticity when writing the recipe,

bug#26752: Ansible & others' problems with wrapped '.ansible-real' scripts

2017-06-22 Thread Ludovic Courtès
Hi, Jelle Licht skribis: > The current ansible package is still broken in the same way. > > Is there already an acceptable way of working around this problem? > Otherwise I could send my (extremely hacky) workaround that adds a specific > condition in the ansible source code to

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 12:17:37PM -0400, Leo Famulari wrote: > On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote: > > Leo Famulari writes: > > > Hm, I noticed the bootstrap binaries being downloaded, so I don't think > > > this patch applies the graft without

bug#27450: guix pull failed updating guix

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 06:20:54PM +0200, Jonathan Brielmaier wrote: > copying and compiling to > '/gnu/store/ld6h1fc696q6iaxi9pax0khnm747hvgi-guix-latest' with Guile > 2.0.12... > loading... 12.6% of 605 files ice-9/psyntax.scm:3084:32: In procedure > #: > ice-9/psyntax.scm:3084:32: Syntax

bug#27450: guix pull failed updating guix

2017-06-22 Thread Jonathan Brielmaier
Hello, I tried to update my guix installation with `guix pull` but it failed. As shell I use fish, System is Linux Mint 17.3. $ guix pull [...] The following derivations will be built: /gnu/store/lh7ja8hk54rlx7q3hrch6726cgrsqr8j-guix-latest.drv

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote: > Leo Famulari writes: > > Hm, I noticed the bootstrap binaries being downloaded, so I don't think > > this patch applies the graft without causing a full rebuild. > > It's likely that this is because of the new

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 09:57:23AM +0200, Ludovic Courtès wrote: > > Perhaps a MITM could send a huge file and fill up the disk or something > > like that. > > I’m generally in favor of relying on X.509 certificates as little as > possible, and in this case, while I agree that it could protect us

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: > l...@gnu.org (Ludovic Courtès) writes: > > IOW, since we’re checking the integrity of the tarball anyway, and we > > assume developers checked its authenticity when writing the recipe, then > > who cares whether downloads.xiph.org

bug#26752: Ansible & others' problems with wrapped '.ansible-real' scripts

2017-06-22 Thread Jelle Licht
The current ansible package is still broken in the same way. Is there already an acceptable way of working around this problem? Otherwise I could send my (extremely hacky) workaround that adds a specific condition in the ansible source code to check for .ansible-real. Thanks, Jelle 2017-05-03

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Mark H Weaver
l...@gnu.org (Ludovic Courtès) writes: > The behavior of the source download is on purpose as noted in (guix > download): > >;; No need to validate certificates since we know the >;; hash of the expected result. >

bug#27447: pelican-quickstart produces files with store path shebangs

2017-06-22 Thread ng0
In a pelican directory after running pelican-quickstart: egrep -nr "store" … pelicanconf.py:1:#!/gnu/store/bf54hnwd8mb63zmssc23fwslf5zvxpxs-python-wrapper-3.5.3/bin/python develop_server.sh:1:#!/gnu/store/k7029k5va68lkapbzcycdzj7m5bjb4b8-bash-4.4.12/bin/bash

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Ludovic Courtès
Leo Famulari skribis: > On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote: >> Leo Famulari skribis: >> > While working on some package updates, I found that the source code >> > downloader will accept an X.509 certificate for an incorrect

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-22 Thread Mark H Weaver
Leo Famulari writes: > On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote: >> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote: >> > Had to make a small change to the patch, it turns out it couldn't build >> > the source for glibc@2.21, so I changed