doc: Augment documentation about security updates.
* doc/guix.texi (Security Updates): Add paragraph on the big picture of security updates. Cross-reference 'guix lint'. (Invoking guix lint): Add CVE URLs.
parent c3cfb7e330
commit 09866b3962
@ -4913,11 +4913,26 @@ just a version number or ``git-checkout'', without a declared
|
||||||
@code{file-name} (@pxref{origin Reference}).
|
@code{file-name} (@pxref{origin Reference}).
|
||||||
|
|
||||||
@item cve
|
@item cve
|
||||||
|
@cindex security vulnerabilities
|
||||||
|
@cindex CVE, Common Vulnerabilities and Exposures
|
||||||
Report known vulnerabilities found in the Common Vulnerabilities and
|
Report known vulnerabilities found in the Common Vulnerabilities and
|
||||||
Exposures (CVE) database
|
Exposures (CVE) databases of the current and past year
|
||||||
@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US
|
@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US
|
||||||
NIST}.
|
NIST}.
|
||||||
|
|
||||||
|
To view information about a particular vulnerability, visit pages such as:
|
||||||
|
|
||||||
|
@itemize
|
||||||
|
@item
|
||||||
|
@indicateurl{https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-YYYY-ABCD}
|
||||||
|
@item
|
||||||
|
@indicateurl{https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-ABCD}
|
||||||
|
@end itemize
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
|
||||||
|
@code{CVE-2015-7554}.
|
||||||
|
|
||||||
@item formatting
|
@item formatting
|
||||||
Warn about obvious source code formatting issues: trailing white space,
|
Warn about obvious source code formatting issues: trailing white space,
|
||||||
use of tabulations, etc.
|
use of tabulations, etc.
|
||||||
|
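Review bot: the new wording "databases of the current and past year" narrows what the checker reports, and the paragraph should spell out the consequence for the reader: a CVE assigned in an earlier year is not in the feeds consulted, so a package that `guix lint -c cve` does not flag may still carry older known vulnerabilities. A sentence after "NIST}." such as "Vulnerabilities published in earlier years are not reported." would make that explicit. The added URL list with `@indicateurl` is the right markup, since `CVE-YYYY-ABCD` is a placeholder rather than a real link target.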
@ -10450,14 +10465,32 @@ the load. To check whether a package has a @code{debug} output, use
|
||||||
@node Security Updates
|
@node Security Updates
|
||||||
@section Security Updates
|
@section Security Updates
|
||||||
|
|
||||||
|
@cindex security updates
|
||||||
|
@cindex security vulnerabilities
|
||||||
|
Occasionally, important security vulnerabilities are discovered in software
|
||||||
|
packages and must be patched. Guix developers try hard to keep track of
|
||||||
|
known vulnerabilities and to apply fixes as soon as possible in the
|
||||||
|
@code{master} branch of Guix (we do not yet provide a ``stable'' branch
|
||||||
|
containing only security updates.) The @command{guix lint} tool helps
|
||||||
|
developers find out about vulnerable versions of software packages in the
|
||||||
|
distribution:
|
||||||
|
|
||||||
|
@smallexample
|
||||||
|
$ guix lint -c cve
|
||||||
|
gnu/packages/base.scm:652:2: glibc-2.21: probably vulnerable to CVE-2015-1781, CVE-2015-7547
|
||||||
|
gnu/packages/gcc.scm:334:2: gcc-4.9.3: probably vulnerable to CVE-2015-5276
|
||||||
|
gnu/packages/image.scm:312:2: openjpeg-2.1.0: probably vulnerable to CVE-2016-1923, CVE-2016-1924
|
||||||
|
@dots{}
|
||||||
|
@end smallexample
|
||||||
|
|
||||||
|
@xref{Invoking guix lint}, for more information.
|
||||||
|
|
||||||
@quotation Note
|
@quotation Note
|
||||||
As of version @value{VERSION}, the feature described in this section is
|
As of version @value{VERSION}, the feature described below is considered
|
||||||
experimental.
|
``beta''.
|
||||||
@end quotation
|
@end quotation
|
||||||
|
|
||||||
@cindex security updates
|
Guix follows a functional
|
||||||
Occasionally, important security vulnerabilities are discovered in core
|
|
||||||
software packages and must be patched. Guix follows a functional
|
|
||||||
package management discipline (@pxref{Introduction}), which implies
|
package management discipline (@pxref{Introduction}), which implies
|
||||||
that, when a package is changed, @emph{every package that depends on it}
|
that, when a package is changed, @emph{every package that depends on it}
|
||||||
must be rebuilt. This can significantly slow down the deployment of
|
must be rebuilt. This can significantly slow down the deployment of
|
||||||
|
|