guix-devel

Re: store reference detection (was Re: JARs and reference scanning)


From: Mark H Weaver
Subject: Re: store reference detection (was Re: JARs and reference scanning)
Date: Fri, 12 May 2017 17:51:36 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hartmut Goebel <address@hidden> writes:

> On 12.05.2017 at 19:39, Mark H Weaver wrote:
>
> It would not interfere, but it could have the effect of *hiding*
> security problems due to a failure to graft properly.
> [...]
> If we create a redundant set of references in another file, then
> problems like this could go undetected for a long time.
>
> Reading your comments (and words like "hidden"), I assume you are
> referring to some compressed or otherwise unreadable data.
>
> Please don't confuse this: We are *not* talking about compressed
> files, but about plain text (or stored uncompressed within e.g. a
> zip-file).

Apologies if I've misunderstood.  Earlier, you wrote:

> So I propose to add a small text file ".guix-dependencies" to all
> language's packages which do not add some kind of references
> themselves: Python, Perl, Java, etc.

What's the motivation for this proposal, if not to allow the scanner to
see references that would otherwise be obfuscated?

      Mark


