From 59a4dd509bdbaaf112e86d10cc43b45e68ddff0e Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Sat, 5 Mar 2016 22:34:46 +0100
Subject: doc: Explain how to check whether security updates are used.

Based on
<https://lists.gnu.org/archive/html/guix-devel/2016-03/msg00009.html>.

* doc/guix.texi (Security Updates): Explain how to check whether we're
using a grafted version.
---
 doc/guix.texi | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index e67782a2fa..0e8e5ad3a9 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -10269,6 +10269,47 @@ Other restrictions may apply: for instance, when adding a graft to a
 package providing a shared library, the original shared library and its
 replacement must have the same @code{SONAME} and be binary-compatible.
 
+The @option{--no-grafts} command-line option allows you to forcefully
+avoid grafting (@pxref{Common Build Options, @option{--no-grafts}}).
+Thus, the command:
+
+@example
+guix build bash --no-grafts
+@end example
+
+@noindent
+returns the store file name of the original Bash, whereas:
+
+@example
+guix build bash
+@end example
+
+@noindent
+returns the store file name of the ``fixed'', replacement Bash.  This
+allows you to distinguish between the two variants of Bash.
+
+To verify which Bash your whole profile refers to, you can run
+(@pxref{Invoking guix gc}):
+
+@example
+guix gc -R `readlink -f ~/.guix-profile` | grep bash
+@end example
+
+@noindent
+@dots{} and compare the store file names that you get with those above.
+Likewise for a complete GuixSD system generation:
+
+@example
+guix gc -R `guix system build my-config.scm` | grep bash
+@end example
+
+Lastly, to check which Bash running processes are using, you can use the
+@command{lsof} command:
+
+@example
+lsof | grep /gnu/store/.*bash
+@end example
+
 
 @node Package Modules
 @section Package Modules
-- 
cgit v1.2.3