Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?

2018-08-23 Thread Leo Famulari
For the last couple years, people have been finding exploitable bugs in the image processing system based on Ghostscript and ImageMagick / GraphicsMagick: http://seclists.org/oss-sec/2018/q3/142 http://seclists.org/oss-sec/2016/q4/29 Despite these issues, these programs are still the best way to

Re: git-annex: problematic shebangs in .git/hooks/pre-commit?

2018-08-23 Thread Timothy Sample
Hi Kyle, Kyle Meyer writes: > Timothy Sample writes: > > [...] > >>> I'm wondering whether the shebang patching in .git/hooks/pre-commit >>> will >>> cause a problem. Using the patched shellPath_portable, 'git annex >>> init' >>> generates a hook like this: >>> >>> % cat .git/hooks/pre-com

Re: Guix on aarch64

2018-08-23 Thread Benjamin Slade
On 2018-08-22T22:58:10-0600, Mark H Weaver wrote: > Hi Ludovic and Efraim, > I think there may be a serious problem with substitutes on Aarch64. See > below, where Benjamin Slade reports that substitutes aren't working for > him on Aarch64, although he reports having authorized berlin's k

Re: git-annex: problematic shebangs in .git/hooks/pre-commit?

2018-08-23 Thread Kyle Meyer
Timothy Sample writes: [...] >> I'm wondering whether the shebang patching in .git/hooks/pre-commit will >> cause a problem. Using the patched shellPath_portable, 'git annex init' >> generates a hook like this: >> >> % cat .git/hooks/pre-commit >> #!/gnu/store/rbrandv7anzjxqkr40d7fkanzs

Re: git-annex: problematic shebangs in .git/hooks/pre-commit?

2018-08-23 Thread Timothy Sample
Hi Kyle, Kyle Meyer writes: > Hello, > > Thanks for packaging git-annex, Tim! I'm excited to see it in Guix. You’re welcome! > I'm wondering whether the shebang patching in .git/hooks/pre-commit will > cause a problem. Using the patched shellPath_portable, 'git annex init' > generates a hook

[Next browser] Common Lisp: mgl-pax: Package SWANK-BACKEND does not exist.

2018-08-23 Thread Pierre Neidhardt
In the long path of packaging Next browsing, I found myself packaging the mgl-pax dependency. http://quickdocs.org/mgl-pax/ This package depends on SWANK which is packaged in emacs-slime. emacs-slime contains two pieces of code: - SLIME (the Emacs package) - SWANK: the Common Lisp backend

git-annex: problematic shebangs in .git/hooks/pre-commit?

2018-08-23 Thread Kyle Meyer
Hello, Thanks for packaging git-annex, Tim! I'm excited to see it in Guix. I'm wondering whether the shebang patching in .git/hooks/pre-commit will cause a problem. Using the patched shellPath_portable, 'git annex init' generates a hook like this: % cat .git/hooks/pre-commit #!/gnu/sto

Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support

2018-08-23 Thread Christopher Lemmer Webber
First off, I should mention that rain1 reminded me about OpenBSD's Capsicum and the Capsicum for Linux project, which I had mostly forgotten about: http://www.capsicum-linux.org/ Capsicum brings file descriptor based capabilities, and this is a reasonable intermediate approach. Shill is an ocap

Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support

2018-08-23 Thread Ricardo Wurmus
Hey, > - In terms of software, currently we run on ACL-heavy systems, which >are well known to be insecure designs: > http://waterken.sourceforge.net/aclsdont/current.pdf >If a computer program behaves badly, it shouldn't be able to do any >more damage than the smallest amount

Long term plan for GuixSD security: microkernels, ocap, RISC-V support

2018-08-23 Thread Christopher Lemmer Webber
Hello... reading over a few articles this morning: - Researchers Blame ‘Monolithic’ Linux Code Base for Critical Vulnerabilities https://threatpost.com/researchers-blame-monolithic-linux-code-base-for-critical-vulnerabilities/136785/ - Its associated paper: "The Jury Is In: Monolithic

Re: Graft hooks

2018-08-23 Thread Gábor Boskovits
Mark H Weaver wrote (on Thu, Aug 23, 2018, 9:18): > Hi Ludovic, > > l...@gnu.org (Ludovic Courtès) writes: > > > Since this is used when grafting Racket, I would suggest moving this > > graft to the “build side” entirely, similar to what I did in > >

Re: Bootstrap Tarballs for alpha-linux Targets

2018-08-23 Thread Nils Gillmann
I have conflicted opinions about this. Curiosity, which is a big motivation for many projects I work on, wants to support alpha. The reality is though, that any operating system needs to be able to provide support. If it's not intrinsic support from enthusiasts about a certain platform, we need to

Re: Graft hooks

2018-08-23 Thread Mark H Weaver
Hi Ludovic, l...@gnu.org (Ludovic Courtès) writes: > Since this is used when grafting Racket, I would suggest moving this > graft to the “build side” entirely, similar to what I did in > . Probably > you’d just add a single procedure to (gu