doc: Explain how to check whether security updates are used.

Based on <https://lists.gnu.org/archive/html/guix-devel/2016-03/msg00009.html>. * doc/guix.texi (Security Updates): Explain how to check whether we're using a grafted version.
2016-03-05 22:34:46 +01:00 · 2016-03-05 22:34:46 +01:00 · 59a4dd509b
parent dd78e90a4d
commit 59a4dd509b
1 changed files with 41 additions and 0 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -10269,6 +10269,47 @@ Other restrictions may apply: for instance, when adding a graft to a
 package providing a shared library, the original shared library and its
 replacement must have the same @code{SONAME} and be binary-compatible.

+The @option{--no-grafts} command-line option allows you to forcefully
+avoid grafting (@pxref{Common Build Options, @option{--no-grafts}}).
+Thus, the command:
+
+@example
+guix build bash --no-grafts
+@end example
+
+@noindent
+returns the store file name of the original Bash, whereas:
+
+@example
+guix build bash
+@end example
+
+@noindent
+returns the store file name of the ``fixed'', replacement Bash.  This
+allows you to distinguish between the two variants of Bash.
+
+To verify which Bash your whole profile refers to, you can run
+(@pxref{Invoking guix gc}):
+
+@example
+guix gc -R `readlink -f ~/.guix-profile` | grep bash
+@end example
+
+@noindent
+@dots{} and compare the store file names that you get with those above.
+Likewise for a complete GuixSD system generation:
+
+@example
+guix gc -R `guix system build my-config.scm` | grep bash
+@end example
+
+Lastly, to check which Bash running processes are using, you can use the
+@command{lsof} command:
+
+@example
+lsof | grep /gnu/store/.*bash
+@end example
+

@node Package Modules
@section Package Modules