[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenSSL “DROWN” vulnerability & grafts
|
From: |
Efraim Flashner |
|
Subject: |
Re: OpenSSL “DROWN” vulnerability & grafts |
|
Date: |
Wed, 2 Mar 2016 20:43:08 +0200 |
|
User-agent: |
Mutt/1.5.24 (2015-08-30) |
On Tue, Mar 01, 2016 at 10:16:47PM +0100, Ludovic Courtès wrote:
> Hello!
>
> OpenSSL 1.0.2g was released today, fixing several serious security
> vulnerabilities, several of which are referred to as “DROWN” (as has
> become security-marketing tradition.)
>
> This gave a good incentive to fix the “grafting” mechanism described at:
>
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
>
> The problem was that until now, grafting was not recursive:
> <http://bugs.gnu.org/22139>. This is fixed in c22a132, so we “rushed”
> to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd.
>
> So now is the time to find out how well the new implementation scales
> and to address any limitations. :-)
>
> A potentially disturbing thing with the new code is that it starts
> building/downloading things early, typically before it has written “The
> following derivations will be built”; see
> <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22139#13>.
>
> A limitation of the current implementation is that the replacement
> package must have exactly the same name and version as the package being
> replaced. So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f.
>
> The store file name of the old OpenSSL is given by:
>
> guix build openssl --no-grafts
>
> … and the new one is given by:
>
> guix build openssl
>
> For example, to verify which OpenSSL(s) your whole profile refers to,
> you can run:
>
> guix gc -R $(readlink -f ~/.guix-profile) | grep openssl
>
> and check the store file names that you get (make sure to turn off
> guix-prettify-mode :-)). Likewise for a GuixSD generation:
>
> guix gc -R $(guix system build config.scm) | grep openssl
>
> And for running processes:
>
> lsof | grep /gnu/store/.*openssl
>
> Seems like this tricks could go in the manual under “Security Updates”
> no?
>
> Feedback welcome!
>
> Ludo’.
BIG thanks for getting this working, its a great way to keep our systems
up and running while taking care of the security issues.
One issue that I noticed on my slow netbook is that `guix package -u`,
with no updates, now takes ~15 minutes, while before it was ~30 seconds.
--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
signature.asc
Description: PGP signature