| Message ID | 20240518035037.190183-1-vagrant@reproducible-builds.org |
|---|---|
| State | New |
| Series | [bug#71024,1/2] gnu: Add xz-5.4 variant. |
Hi,

vagrant@reproducible-builds.org writes:

> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>
> * gnu/packages/compression.scm (xz-5.4): New variable.
> ---
> gnu/packages/compression.scm | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> index dd88fce9ca..d89d72c9b7 100644
> --- a/gnu/packages/compression.scm
> +++ b/gnu/packages/compression.scm
> @@ -573,6 +573,21 @@ (define-public xz
> (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
> (home-page "https://tukaani.org/xz/")))
>
> +(define-public xz-5.4
> + (package
> + (inherit xz)
> + (name "xz-5.4")
> + (version "5.4.5")
> + (source (origin
> + (method url-fetch)
> + (uri (list (string-append "http://tukaani.org/xz/xz-" version
> + ".tar.gz")
> + (string-append "http://multiprecision.org/guix/xz-"
> + version ".tar.gz")))
> + (sha256
> + (base32
> + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
> +

Any reason not to use the latest, which is v5.6.1 (fetched from git, to avoid the xz backdoor issue)?
On 2024-05-20, Maxim Cournoyer wrote:
> vagrant@reproducible-builds.org writes:
>
>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>
>> * gnu/packages/compression.scm (xz-5.4): New variable.
>> ---
>> gnu/packages/compression.scm | 15 +++++++++++++++
>> 1 file changed, 15 insertions(+)
>>
>> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
>> index dd88fce9ca..d89d72c9b7 100644
>> --- a/gnu/packages/compression.scm
>> +++ b/gnu/packages/compression.scm
>> @@ -573,6 +573,21 @@ (define-public xz
>> (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
>> (home-page "https://tukaani.org/xz/")))
>>
>> +(define-public xz-5.4
>> + (package
>> + (inherit xz)
>> + (name "xz-5.4")
>> + (version "5.4.5")
>> + (source (origin
>> + (method url-fetch)
>> + (uri (list (string-append "http://tukaani.org/xz/xz-" version
>> + ".tar.gz")
>> + (string-append "http://multiprecision.org/guix/xz-"
>> + version ".tar.gz")))
>> + (sha256
>> + (base32
>> + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
>> +
>
> Any reason not to use the latest, which is v5.6.1 (fetched from git, to
> avoid the xz backdoor issue)?

For one, 5.6.1 was also released by "Jia Tan" according to:

  https://tukaani.org/xz-backdoor/

To fix bugs in the backdoor partly introduced in 5.6.0... e.g. not to remove the backdoor, but to make it a working backdoor. In other words, DO NOT USE 5.6.1. :)

There are some concerns about questionable code by "Jia Tan" in earlier versions too:

  https://bugs.debian.org/1068024

... although even the 5.4.x version I proposed was, admittedly, being a bit lazy and just picking a version already present in core-updates as the easiest path forward that was reasonably close to the version present in Debian which diffoscope was tested against...

Reverting to 5.3.1 might be a more conservative approach, although I have not tested it with diffoscope.

Or fixing diffoscope to work with the older xz version in master (5.2.x?) that guix is already using, which, now that I have spelled out all of the above, seems possibly a much better idea!

live well,
  vagrant
On 2024-05-20, Vagrant Cascadian wrote:
> On 2024-05-20, Maxim Cournoyer wrote:
>> vagrant@reproducible-builds.org writes:
>>
>>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>>
>>> * gnu/packages/compression.scm (xz-5.4): New variable.
...
> Or fixing diffoscope to work with the older xz version in master
> (5.2.x?) that guix is already using, which, now that I have spelled out
> all of the above, seems possibly a much better idea!

This was "fixed" in upstream diffoscope git by setting a version requirement on the test, and I think this was a new test, so not exactly a regression in test coverage.

  https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/17c061e767e612540dd0227c3fd1f9cab460a78f

So we could build diffoscope from that commit instead, or manually apply the patch, or just wait till the next diffoscope version.

live well,
  vagrant
Hi Vagrant,

Vagrant Cascadian <vagrant@reproducible-builds.org> writes:

> On 2024-05-20, Vagrant Cascadian wrote:
>> On 2024-05-20, Maxim Cournoyer wrote:
>>> vagrant@reproducible-builds.org writes:
>>>
>>>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>>>
>>>> * gnu/packages/compression.scm (xz-5.4): New variable.
> ...
>> Or fixing diffoscope to work with the older xz version in master
>> (5.2.x?) that guix is already using, which, now that I have spelled out
>> all of the above, seems possibly a much better idea!
>
> This was "fixed" in upstream diffoscope git by setting a version
> requirement on the test, and I think this was a new test, so not exactly
> a regression in test coverage.
>
> https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/17c061e767e612540dd0227c3fd1f9cab460a78f
>
> So we could build diffoscope from that commit instead, or manually apply
> the patch, or just wait till the next diffoscope version.

Given the xz horror story, waiting a bit more seems a good option to me. Thanks for explaining it in more detail; it seems upstream is working on a cleaned up 5.8.0 version, which isn't ready yet.
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index dd88fce9ca..d89d72c9b7 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -573,6 +573,21 @@ (define-public xz (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both (home-page "https://tukaani.org/xz/"))) +(define-public xz-5.4 + (package + (inherit xz) + (name "xz-5.4") + (version "5.4.5") + (source (origin + (method url-fetch) + (uri (list (string-append "http://tukaani.org/xz/xz-" version + ".tar.gz") + (string-append "http://multiprecision.org/guix/xz-" + version ".tar.gz"))) + (sha256 + (base32 + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k")))))) + (define-public lhasa (package (name "lhasa")
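Review bot: both `uri` entries in the new `xz-5.4` definition fetch over plain `http://` (`"http://tukaani.org/xz/xz-"` and `"http://multiprecision.org/guix/xz-"`) while the inherited package's `home-page` in the context lines is already `https://tukaani.org/xz/`; the `sha256` pin still catches a substituted tarball, but fetching over TLS keeps a tampered archive from reaching the hash check in the first place and matches the rest of the file, so please switch both to `https://`. A one-line comment above `+(define-public xz-5.4` saying why a pinned 5.4 variant exists (the thread gives diffoscope's tests as the reason) would also help a future maintainer know when it can be dropped.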
From: Vagrant Cascadian <vagrant@reproducible-builds.org>

* gnu/packages/compression.scm (xz-5.4): New variable.
---
 gnu/packages/compression.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

base-commit: e9b25a6c6c626a560d28a1f732e6e5d362d584a4
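Given the thread's concern about which xz release can be trusted, a reviewer of this patch would want to confirm that the `sha256` pinned in the hunk above is the digest of the tarball they actually inspected. The following is an added example, not Guix's own code (Guix implements this in Guile, and `guix hash` prints the same base32 form): a Python implementation of the Nix-style base32 encoding used in Guix package definitions, so the pin can be turned into hex and compared with `sha256sum` on the downloaded file. The sample tarball bytes in the test are constructed.

```python
"""Check a Guix/Nix-style base32 sha256 pin against tarball bytes."""
import hashlib

# Nix/Guix base32 alphabet: 'e', 'o', 't' and 'u' are deliberately omitted.
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"

# The sha256 pinned for xz 5.4.5 in the patch above (value taken from the page).
XZ_5_4_5_SHA256_B32 = "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"


def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Decode Nix base32 into `size` raw bytes (low bits come from the right)."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte hash" % size)
    out = bytearray(size)
    for n, ch in enumerate(reversed(text)):  # rightmost char holds the low bits
        digit = NIX_B32.find(ch)
        if digit < 0:
            raise ValueError("invalid base32 character %r" % ch)
        i, j = divmod(n * 5, 8)          # byte index and bit offset of this group
        out[i] |= (digit << j) & 0xFF
        if i < size - 1:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):           # bits past the end of the hash must be zero
            raise ValueError("non-zero padding bits")
    return bytes(out)


def nix_base32_encode(raw: bytes) -> str:
    """Inverse of nix_base32_decode, emitting the highest 5-bit group first."""
    size = len(raw)
    chars = []
    for n in range((size * 8 - 1) // 5, -1, -1):
        i, j = divmod(n * 5, 8)
        c = raw[i] >> j
        if i < size - 1:
            c |= raw[i + 1] << (8 - j)
        chars.append(NIX_B32[c & 0x1F])
    return "".join(chars)


def sha256_nix_base32(data: bytes) -> str:
    """The base32 form a Guix (sha256 (base32 ...)) field expects for `data`."""
    return nix_base32_encode(hashlib.sha256(data).digest())


def verify_source(data: bytes, pinned: str) -> bool:
    """True when the bytes you audited match the package's sha256 pin."""
    return hashlib.sha256(data).digest() == nix_base32_decode(pinned)


if __name__ == "__main__":
    # Hex form, comparable with `sha256sum xz-5.4.5.tar.gz` on the audited file.
    print(nix_base32_decode(XZ_5_4_5_SHA256_B32).hex())
```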