doc: Augment documentation about security updates.

* doc/guix.texi (Security Updates): Add paragraph on the big picture of
security updates.  Cross-reference 'guix lint'.
(Invoking guix lint): Add CVE URLs.
Ludovic Courtès 2016-03-28 17:56:05 +02:00
parent c3cfb7e330
commit 09866b3962
1 changed files with 39 additions and 6 deletions


@ -4913,11 +4913,26 @@ just a version number or ``git-checkout'', without a declared
@code{file-name} (@pxref{origin Reference}). @code{file-name} (@pxref{origin Reference}).
@item cve @item cve
@cindex security vulnerabilities
@cindex CVE, Common Vulnerabilities and Exposures
Report known vulnerabilities found in the Common Vulnerabilities and Report known vulnerabilities found in the Common Vulnerabilities and
Exposures (CVE) database Exposures (CVE) databases of the current and past year
@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US @uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US
NIST}. NIST}.
To view information about a particular vulnerability, visit pages such as:
@itemize
@item
@indicateurl{https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-YYYY-ABCD}
@item
@indicateurl{https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-ABCD}
@end itemize
@noindent
where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
@code{CVE-2015-7554}.
@item formatting @item formatting
Warn about obvious source code formatting issues: trailing white space, Warn about obvious source code formatting issues: trailing white space,
use of tabulations, etc. use of tabulations, etc.
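Review bot: narrowing the description to the CVE databases "of the current and past year" changes what a clean result means, but the text does not spell that out for the reader: a package affected only by a vulnerability published earlier than that window will pass `guix lint -c cve` silently. Suggest adding one sentence after the "published by the US NIST}." line, along the lines of "Vulnerabilities published before that window are not checked, so a package that passes this check may still have older known vulnerabilities." The added URL list itself is fine; the placeholder CVE-YYYY-ABCD and the concrete CVE-2015-7554 example make the format clear.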
@ -10450,14 +10465,32 @@ the load. To check whether a package has a @code{debug} output, use
@node Security Updates @node Security Updates
@section Security Updates @section Security Updates
@cindex security updates
@cindex security vulnerabilities
Occasionally, important security vulnerabilities are discovered in software
packages and must be patched. Guix developers try hard to keep track of
known vulnerabilities and to apply fixes as soon as possible in the
@code{master} branch of Guix (we do not yet provide a ``stable'' branch
containing only security updates.) The @command{guix lint} tool helps
developers find out about vulnerable versions of software packages in the
distribution:
@smallexample
$ guix lint -c cve
gnu/packages/base.scm:652:2: glibc-2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547
gnu/packages/gcc.scm:334:2: gcc-4.9.3: probably vulnerable to CVE-2015-5276
gnu/packages/image.scm:312:2: openjpeg-2.1.0: probably vulnerable to CVE-2016-1923, CVE-2016-1924
@dots{}
@end smallexample
@xref{Invoking guix lint}, for more information.
@quotation Note @quotation Note
As of version @value{VERSION}, the feature described in this section is As of version @value{VERSION}, the feature described below is considered
experimental. ``beta''.
@end quotation @end quotation
@cindex security updates Guix follows a functional
Occasionally, important security vulnerabilities are discovered in core
software packages and must be patched. Guix follows a functional
package management discipline (@pxref{Introduction}), which implies package management discipline (@pxref{Introduction}), which implies
that, when a package is changed, @emph{every package that depends on it} that, when a package is changed, @emph{every package that depends on it}
must be rebuilt. This can significantly slow down the deployment of must be rebuilt. This can significantly slow down the deployment of
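Review bot: the sample output reports packages as "probably vulnerable", but the new paragraph never explains why it is only probable or what a developer should do with such a line. Since the check is version-based, a package that already carries a fix for the listed CVE (for example through a patch applied to its source) would still be reported, and the reader cannot tell that from the paragraph as written. Suggest adding, after "@xref{Invoking guix lint}, for more information.", a sentence such as "A reported CVE should be checked against the package definition, since a fix may already be applied; if not, the package should be updated or patched." Minor style point in the same hunk: in "(we do not yet provide a ``stable'' branch containing only security updates.)" the sentence's full stop belongs outside the closing parenthesis, i.e. "security updates)."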