Mark H Weaver <m...@netris.org> writes:

> Earlier, I wrote:
>> One thing to be very careful about is to only use 'gtk-doc/stable',
>> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
>> moreover to make sure that no references to these */stable packages
>> remain in any package outputs.
>>
>> Of course, if any package retains references to its 'native-inputs',
>> that's always a bug, but I wouldn't be surprised if such bugs exist in
>> Guix. Such bugs might be relatively harmless now (except when
>> cross-compiling), but they could become a security bug if a package
>> retains a reference to 'imagemagick/stable'.
>
> It occurs to me that we will need some tooling to ensure that no
> references to these buggy "*/stable" packages end up in package outputs
> that users actually use. Otherwise, it is likely that sooner or later,
> a runtime reference to one of these buggy packages will sneak in to our
> systems.

The gnu-build-system takes a keyword #:disallowed-references that could
be used here.

--
Ricardo
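An added example (not from this thread or from Guix itself) of the check Ricardo points at: a hypothetical package `foo` whose native-inputs are the three */stable packages and whose arguments list the same packages under #:disallowed-references, so the build is rejected if any of their store paths survives in an output. The package name, URL, hash, and the module paths in use-modules are placeholders and assumptions; the */stable variable names are taken from the thread.

```scheme
;; Added example: a build-only dependency guard with #:disallowed-references.
;; Module paths below are assumptions about where these packages live.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:)
             (gnu packages gtk)          ; assumed: gtk-doc/stable
             (gnu packages docbook)      ; assumed: dblatex/stable
             (gnu packages imagemagick)) ; assumed: imagemagick/stable

(define-public foo
  (package
    (name "foo")                        ; hypothetical package
    (version "1.0")
    (source (origin
              (method url-fetch)
              (uri "https://example.org/foo-1.0.tar.gz")   ; placeholder
              (sha256
               (base32                                      ; placeholder
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (arguments
     (list
      ;; The daemon checks every output of this package after the build:
      ;; if an output still refers to any of these store paths, the build
      ;; fails instead of silently shipping a runtime reference to a
      ;; build-only (and possibly insecure) */stable package.
      #:disallowed-references
      (list gtk-doc/stable dblatex/stable imagemagick/stable)))
    ;; Used only while building documentation; must not be referenced
    ;; by the installed files.
    (native-inputs
     (list gtk-doc/stable dblatex/stable imagemagick/stable))
    (home-page "https://example.org/foo")                   ; placeholder
    (synopsis "Placeholder package")
    (description "Placeholder package showing #:disallowed-references.")
    (license license:gpl3+)))
```

Because the list is the same as native-inputs, a bug that leaks a native-input path into an output turns into a hard build failure rather than a latent reference on users' systems.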