On 2025-07-11, Denis 'GNUtoo' Carikli wrote:
> On Tue, 8 Jul 2025 21:01:58 +0200
> Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> wrote:
>
>> Given the current status I gave a quick and dirty try at "backporting"
>> the patches and so far I have something that compiles and I will try
>> to test it soon[4]
>
> I had to install slirp4netns and recompile Guix from scratch, but then
> my quick and dirty "backport" seems to work:

At least slirp4netns is available in Debian, I was worried it was a vendored bit of code or something!

>> substitute: updating substitutes from
>> 'https://bordeaux.guix.gnu.org'... 100.0% substitute: updating
>> substitutes from 'https://ci.guix.gnu.org'... 100.0% building path(s)
>> `/gnu/store/q7zx2204nxc1m8vdq0w4p05y4bp8jra2-check-abstract-socket-hole'
>> killing process 1754127 Abstract Unix-domain socket hole is CLOSED,
>> build failed with "while setting up the child process: in phase
>> waitForSlirpReady: unexpected end-of-file".

I applied your patches, but nix/libutil/seccomp.cc was not able to compile on Debian:

g++ -DHAVE_CONFIG_H -I. -I./nix -I./nix -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -std=c++11 -g -O2 -ffile-prefix-map=/build/reproducible-path/guix-1.4.0=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -c -o nix/boost/format/libformat_a-free_funcs.o `test -f 'nix/boost/format/free_funcs.cc' || echo './'`nix/boost/format/free_funcs.cc
In file included from nix/libutil/seccomp.cc:3:
./nix/libutil/seccomp.hh:209:5: error: ‘uint32_t’ does not name a type
  209 |     uint32_t low; /* inclusive */
      |     ^~~~~~~~
./nix/libutil/seccomp.hh:7:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
    6 | #include <linux/filter.h>
  +++ |+#include <cstdint>

Which appears to be fixed with patching seccomp.hh:

--- guix-debian.orig/nix/libutil/seccomp.hh
+++ guix-debian/nix/libutil/seccomp.hh
@@ -1,6 +1,7 @@
 #pragma once
 #include "util.hh"
+#include <cstdint>
 #include <linux/audit.h> /* For AUDIT_ARCH_* */
 #include <linux/seccomp.h>
 #include <linux/filter.h>

Although I get a few test suite failures... But that is progress!

> Now I guess the next step could be to try to reduce the amount of
> patches and test the previous security vulnerabilities as well.

That would be great, yes.

> I've
> code to do that automatically[1], but here too there is room for
> improvements as this code that comes from the blog posts about security
> issues probably needs to be integrated in Guix proper somehow.
>
> References:
> -----------
> [1]https://git.sr.ht/~gnutoo/guix-security-tests

Cool!

live well,
  vagrant
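Review bot: the hunk header `@@ -1,6 +1,7 @@` counts six original lines, but only five context lines are visible here (`#pragma once`, `#include "util.hh"` and the three `<linux/...>` includes), and the compiler note places `#include <linux/filter.h>` at line 6, so a blank line (most likely the one after `#pragma once`) was lost in transit and `patch` will reject the hunk as pasted; re-sending it as an attachment or via `git format-patch` would avoid that. The change itself is right: `uint32_t low;` at seccomp.hh:209 needs `<cstdint>`, and putting the include in the header rather than in seccomp.cc means every file that includes seccomp.hh gets it, so it would be worth carrying in the upstream patch series rather than only in the Debian backport.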