Hi Maxime,

Maxime Devos <maximede...@telenet.be> writes:

> On Sun, 2021-03-28 at 17:37 -0400, Mark H Weaver wrote:
>> One thing to be very careful about is to only use 'gtk-doc/stable',
>> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
>> moreover to make sure that no references to these */stable packages
>> remain in any package outputs.
>>
>> Of course, if any package retains references to its 'native-inputs',
>> that's always a bug, but I wouldn't be surprised if such bugs exist in
>> Guix. Such bugs might be relatively harmless now (except when
>> cross-compiling), but they could become a security bug if a package
>> retains a reference to 'imagemagick/stable'.
>
> I'll be careful!
>
>> On my own system and user profile, which includes GNOME, I'm glad to
>> report that I have *no* references to 'imagemagick' at all, not even to
>> its newest release, and that's my strong preference.
>
> Note to self, before I forget how to test this:
>
> guix build $PACKAGES
> # maybe guix build $PACKAGES --no-grafts?
> guix graph --type=references $PACKAGES
> # ^ look in output for "imagemagick".

For the record, it seems that this command gives false positives. As
pointed out in <https://bugs.gnu.org/47479>, the output of that command
suggests that 'inkscape' retains references to 'imagemagick', but that
turns out to be false, at least on my system.

I suppose the behavior of "guix graph" here makes sense, and is likely
_not_ a bug, because IIUC "guix graph" does its work without requiring
'imagemagick' to be built, and therefore it cannot know whether
imagemagick's build system would retain a reference to a native-input
during its build process. IMO, it would be inappropriate for "guix
graph" to *assume* that references to native-inputs will not be retained.

The tool I expect to be reliable here is "guix gc -R".
For example, I check for references to 'imagemagick' in my system and
user profiles with the following commands:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ guix gc -R $(readlink /run/current-system) | grep -i imagemagick
mhw@jojen ~$ guix gc -R $(readlink -f ~/.guix-profile) | grep -i imagemagick
--8<---------------cut here---------------end--------------->8---

Thanks,
Mark
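
The check above, turned into a pass/fail gate that also reports which store items hold the reference (an added example, not part of Mark's message or of Guix). The function names `closure_hits`, `check_root` and `sample_closure` are hypothetical, and the sample store paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original message.

# closure_hits NAME
# Reads store paths on stdin, one per line, as printed by `guix gc -R ROOT`.
# Prints the paths whose name component (the text after
# "/gnu/store/<hash>-") contains NAME, ignoring case.
closure_hits() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        {
            name = $0
            sub(/^\/gnu\/store\/[0-9a-z]+-/, "", name)
            if (index(tolower(name), pat) > 0) print $0
        }'
}

# check_root NAME ROOT  (hypothetical helper; needs a working `guix`)
# Returns 0 when the closure of ROOT has no item matching NAME, 1 when it
# does (each match is listed with the store items that refer to it), and
# 2 when the closure could not be computed, so a failed query never
# passes for a clean result.
check_root() {
    closure=$(guix gc -R "$(readlink -f "$2")") || return 2
    hits=$(printf '%s\n' "$closure" | closure_hits "$1")
    [ -z "$hits" ] && return 0
    for item in $hits; do
        echo "found in closure of $2: $item" >&2
        guix gc --referrers "$item" | sed 's/^/    referenced by: /' >&2
    done
    return 1
}

# Constructed sample of `guix gc -R` output; hashes and versions are made up.
sample_closure() {
    cat <<'EOF'
/gnu/store/00000000000000000000000000000001-glibc-2.31
/gnu/store/00000000000000000000000000000002-imagemagick-6.9.12-4
/gnu/store/00000000000000000000000000000003-inkscape-1.0.2
/gnu/store/00000000000000000000000000000004-ImageMagick-6.9.12-4-doc
EOF
}

# Run the filter on the sample when asked to: sh this-file demo
if [ "${1:-}" = "demo" ]; then
    sample_closure | closure_hits imagemagick
fi
```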