Mark! Ludovic!

Mark H Weaver wrote on 06/12/17 at 01:52:
> l...@gnu.org (Ludovic Courtès) writes:
>> Long story short: we were flagging native inputs as potential
>> sources of grafts even though, by definition, native inputs are
>> not referred to at run time.
>
> I agree that this *should* never happen, but I see little reason for
> confidence that it never happens in actual fact.

Hold on. I thought this happened *all the actual time*.

To me, the output of ‘guix graph’ implies that ghc[*] refers directly to perl, and ghc-haddock-library to hspec-discover, and that both of those are native inputs. These are just the first two examples of packages with native inputs that I happened to pull out of my haskell.scm. While Haskell does seem particularly naughty, I've no reason to believe it's unique.

Are these not ‘run-time references’? Is your use of the term narrower than mine?

> One solution would be to explicitly check build outputs for
> references to native-inputs, and to force a build failure in that
> case.

I was surprised to learn this was not already the case (before I started slowly dragging hissing Haskell packages into the present). I suggest we don't make any security assumptions about it until it is.

Kind regards,

T G-R
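The check Mark proposes above (scan a build output for references to native inputs and fail the build when one is found) is sketched below as an added example. It is not Guix's own code and is not part of this thread; it assumes the `/gnu/store/<32-char hash>-<name>` store layout, the helper names (`native_input_references`, `is_clean`, `build_sample`, `demo`) are hypothetical, and the "build output" it inspects is a constructed fake tree in a temporary directory so the example runs offline.

```python
"""
Detect run-time references from a build output to its native inputs.

Added example, not Guix code. A hit means the output embeds a store path
that grafting would never rewrite (native inputs are assumed not to be
referenced at run time), so the build should be treated as failed.
"""
import os
import re
import tempfile
from typing import Dict, Iterable, List, Set

# Assumed store layout: /gnu/store/<32 nix-base32 chars>-<name>.
# The nix-base32 alphabet is 0-9 a b c d f g h i j k l m n p q r s v w x y z.
STORE_PATH_RE = re.compile(rb"/gnu/store/[0-9a-df-np-sv-z]{32}-[A-Za-z0-9._+-]+")

# Constructed sample store paths (the hashes are made up, not real store items).
FAKE_PERL = "/gnu/store/0123456789abcdfghijklmnpqrsvwxyz-perl-5.30.0"
FAKE_GLIBC = "/gnu/store/zyxwvsrqpnmlkjihgfdcba9876543210-glibc-2.29"
FAKE_HSPEC = "/gnu/store/1123456789abcdfghijklmnpqrsvwxyz-hspec-discover-2.7.1"


def scan_file(path: str) -> Set[bytes]:
    """Return the set of store paths embedded anywhere in one file."""
    # Whole-file read keeps the example simple; a chunked scanner would need
    # to carry a tail across chunk boundaries so a path is not split.
    with open(path, "rb") as fh:
        return set(STORE_PATH_RE.findall(fh.read()))


def native_input_references(output_dir: str,
                            native_inputs: Iterable[str]) -> Dict[str, List[str]]:
    """Map each file under output_dir to the native-input paths it references.

    Only exact store-path matches count, so a reference to the regular
    input glibc is not flagged when glibc is not in native_inputs.
    """
    natives = {p.encode() for p in native_inputs}
    hits: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(output_dir):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                # A symlink target can itself point into the store.
                refs = set(STORE_PATH_RE.findall(os.readlink(full).encode()))
            else:
                refs = scan_file(full)
            bad = sorted(r.decode() for r in refs if r in natives)
            if bad:
                hits[os.path.relpath(full, output_dir)] = bad
    return hits


def is_clean(output_dir: str, native_inputs: Iterable[str]) -> bool:
    """True when no file in the output references a native input."""
    return not native_input_references(output_dir, native_inputs)


def build_sample(base: str) -> str:
    """Construct a fake 'ghc' output whose wrapper script has a perl shebang."""
    out = os.path.join(base, "ghc-out")
    os.makedirs(os.path.join(out, "bin"))
    with open(os.path.join(out, "bin", "ghc"), "w") as fh:
        # Perl is a native input, yet the shebang is a run-time reference.
        fh.write(f"#!{FAKE_PERL}/bin/perl\n# links against {FAKE_GLIBC}\n")
    with open(os.path.join(out, "README"), "w") as fh:
        fh.write("No store paths in here.\n")
    return out


def demo() -> Dict[str, List[str]]:
    """Run the check over the constructed sample and return what it reports."""
    with tempfile.TemporaryDirectory() as base:
        out = build_sample(base)
        return native_input_references(out, [FAKE_PERL, FAKE_HSPEC])


if __name__ == "__main__":
    for path, refs in demo().items():
        print(f"FAIL: {path} references native input(s): {', '.join(refs)}")
```

Running the block prints one failure for `bin/ghc`, which references the constructed perl path, while the glibc reference in the same file is ignored because glibc was not listed as a native input. Wiring this into a build would mean running it over the output directory with the package's native-input store paths and aborting on any hit.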