[bug#71024,1/2] gnu: Add xz-5.4 variant.

Message ID 20240518035037.190183-1-vagrant@reproducible-builds.org
State New

Commit Message

Vagrant Cascadian May 18, 2024, 3:50 a.m. UTC
From: Vagrant Cascadian <vagrant@reproducible-builds.org>

* gnu/packages/compression.scm (xz-5.4): New variable.
---
 gnu/packages/compression.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)


base-commit: e9b25a6c6c626a560d28a1f732e6e5d362d584a4

Comments

Maxim Cournoyer May 21, 2024, 2:46 a.m. UTC | #1
Hi,

vagrant@reproducible-builds.org writes:

> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>
> * gnu/packages/compression.scm (xz-5.4): New variable.
> ---
>  gnu/packages/compression.scm | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> index dd88fce9ca..d89d72c9b7 100644
> --- a/gnu/packages/compression.scm
> +++ b/gnu/packages/compression.scm
> @@ -573,6 +573,21 @@ (define-public xz
>     (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
>     (home-page "https://tukaani.org/xz/")))
>  
> +(define-public xz-5.4
> +  (package
> +    (inherit xz)
> +    (name "xz-5.4")
> +    (version "5.4.5")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (list (string-append "http://tukaani.org/xz/xz-" version
> +                                        ".tar.gz")
> +                         (string-append "http://multiprecision.org/guix/xz-"
> +                                        version ".tar.gz")))
> +              (sha256
> +               (base32
> +                "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
> +

Any reason not to use the latest, which is v5.6.1 (fetched from git, to
avoid the xz backdoor issue)?
Vagrant Cascadian May 21, 2024, 6:01 a.m. UTC | #2
On 2024-05-20, Maxim Cournoyer wrote:
> vagrant@reproducible-builds.org writes:
>
>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>
>> * gnu/packages/compression.scm (xz-5.4): New variable.
>> ---
>>  gnu/packages/compression.scm | 15 +++++++++++++++
>>  1 file changed, 15 insertions(+)
>>
>> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
>> index dd88fce9ca..d89d72c9b7 100644
>> --- a/gnu/packages/compression.scm
>> +++ b/gnu/packages/compression.scm
>> @@ -573,6 +573,21 @@ (define-public xz
>>     (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
>>     (home-page "https://tukaani.org/xz/")))
>>  
>> +(define-public xz-5.4
>> +  (package
>> +    (inherit xz)
>> +    (name "xz-5.4")
>> +    (version "5.4.5")
>> +    (source (origin
>> +              (method url-fetch)
>> +              (uri (list (string-append "http://tukaani.org/xz/xz-" version
>> +                                        ".tar.gz")
>> +                         (string-append "http://multiprecision.org/guix/xz-"
>> +                                        version ".tar.gz")))
>> +              (sha256
>> +               (base32
>> +                "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
>> +
>
> Any reason not to use the latest, which is v5.6.1 (fetched from git, to
> avoid the xz backdoor issue)?

For one, 5.6.1 was also released by "Jia Tan" according to:

  https://tukaani.org/xz-backdoor/

To fix bugs in the backdoor partly introduced in 5.6.0... e.g. not to
remove the backdoor, but to make it a working backdoor.

In other words, DO NOT USE 5.6.1. :)


There are some concerns about questionable code by "Jia Tan" in earlier
versions too:

  https://bugs.debian.org/1068024

... although even the 5.4.x version I proposed was, admittedly, being a
bit lazy and just picking a version already present in core-updates as
the easiest path forward that was reasonably close to the version
present in Debian which diffoscope was tested against...

Reverting to 5.3.1 might be a more conservative approach, although I
have not tested it with diffoscope.

Or fixing diffoscope to work with the older xz version in master
(5.2.x?) that guix is already using, which, now that I have spelled out
all of the above, seems possibly a much better idea!


live well,
  vagrant
Vagrant Cascadian May 21, 2024, 7:20 p.m. UTC | #3
On 2024-05-20, Vagrant Cascadian wrote:
> On 2024-05-20, Maxim Cournoyer wrote:
>> vagrant@reproducible-builds.org writes:
>>
>>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>>
>>> * gnu/packages/compression.scm (xz-5.4): New variable.
...
> Or fixing diffoscope to work with the older xz version in master
> (5.2.x?) that guix is already using, which, now that I have spelled out
> all of the above, seems possibly a much better idea!

This was "fixed" in upstream diffoscope git by setting a version
requirement on the test, and I think this was a new test, so not exactly
a regression in test coverage.

  https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/17c061e767e612540dd0227c3fd1f9cab460a78f

So we could build diffoscope from that commit instead, or manually apply
the patch, or just wait till the next diffoscope version.


live well,
  vagrant
Maxim Cournoyer May 22, 2024, 12:06 a.m. UTC | #4
Hi Vagrant,

Vagrant Cascadian <vagrant@reproducible-builds.org> writes:

> On 2024-05-20, Vagrant Cascadian wrote:
>> On 2024-05-20, Maxim Cournoyer wrote:
>>> vagrant@reproducible-builds.org writes:
>>>
>>>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>>>
>>>> * gnu/packages/compression.scm (xz-5.4): New variable.
> ...
>> Or fixing diffoscope to work with the older xz version in master
>> (5.2.x?) that guix is already using, which, now that I have spelled out
>> all of the above, seems possibly a much better idea!
>
> This was "fixed" in upstream diffoscope git by setting a version
> requirement on the test, and I think this was a new test, so not exactly
> a regression in test coverage.
>
>   https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/17c061e767e612540dd0227c3fd1f9cab460a78f
>
> So we could build diffoscope from that commit instead, or manually apply
> the patch, or just wait till the next diffoscope version.

Given the xz horror story, waiting a bit more seems a good option to me.
Thanks for explaining it in more detail; it seems upstream is working
on a cleaned-up 5.8.0 version, which isn't ready yet.
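The thread is about which xz release to pin; what the patch itself commits to is the `(sha256 (base32 "..."))` string in the origin. Guix writes that field in the Nix-style base32 alphabet (no `e`, `o`, `t` or `u`, bits read least-significant-first), so a plain `sha256sum` cannot be compared against it directly. The following is an added example, not the patch's or Guix's own code: a stand-alone re-implementation of that encoding so a downloaded tarball can be checked against the pinned string without a guix installation. The only value taken from the page is the hash in the patch; `SAMPLE_ARCHIVE` is constructed and merely stands in for a real archive.

```python
"""Check a downloaded archive against a Guix (sha256 (base32 "...")) pin.

Stand-alone re-implementation of the Nix/Guix base32 hash encoding;
added example, not Guix's own code.
"""
import hashlib
import hmac
import sys

# Nix/Guix base32 alphabet: 32 symbols, omitting e, o, t and u.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

# The pin from the xz-5.4 definition in this patch (copied from the page).
XZ_545_PIN = "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"


def nix_base32_encode(data: bytes) -> str:
    """Encode raw hash bytes the way `guix hash` / `nix-hash --base32` do."""
    n_bytes = len(data)
    length = (n_bytes * 8 - 1) // 5 + 1          # 52 characters for sha256
    out = []
    # Characters are emitted most-significant first, but each 5-bit group is
    # read from the LOW end of the byte array (bit n*5 upwards).
    for n in range(length - 1, -1, -1):
        byte_i, j = divmod(n * 5, 8)
        c = data[byte_i] >> j
        if byte_i + 1 < n_bytes:
            c |= data[byte_i + 1] << (8 - j)
        out.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str) -> bytes:
    """Inverse of nix_base32_encode; rejects bad symbols and padding bits."""
    length = len(text)
    size = length * 5 // 8
    out = bytearray(size)
    for i, ch in enumerate(text):
        digit = NIX_BASE32_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid base32 symbol {ch!r}")
        n = length - 1 - i
        byte_i, j = divmod(n * 5, 8)
        out[byte_i] |= (digit << j) & 0xFF
        carry = digit >> (8 - j)
        if byte_i + 1 < size:
            out[byte_i + 1] |= carry
        elif carry:
            # The top character of a 52-char sha256 pin encodes one bit only.
            raise ValueError("invalid base32 hash: non-zero padding bits")
    return bytes(out)


def is_valid_nix_base32(text: str, n_bytes: int = 32) -> bool:
    """True if `text` is a well-formed pin for an n_bytes-byte hash."""
    if len(text) != (n_bytes * 8 - 1) // 5 + 1:
        return False
    try:
        nix_base32_decode(text)
    except ValueError:
        return False
    return True


def sha256_pin(data: bytes) -> str:
    """The base32 string Guix would record for `data`."""
    return nix_base32_encode(hashlib.sha256(data).digest())


def verify_origin_hash(data: bytes, pin: str) -> bool:
    """True if sha256(data) equals the pinned hash (constant-time compare)."""
    if not is_valid_nix_base32(pin):
        raise ValueError("pin is not a 52-character Guix base32 sha256")
    return hmac.compare_digest(hashlib.sha256(data).digest(),
                               nix_base32_decode(pin))


# Constructed stand-in for a downloaded archive; NOT the real xz-5.4.5.tar.gz.
SAMPLE_ARCHIVE = b"constructed placeholder bytes standing in for a tarball\n"
SAMPLE_PIN = sha256_pin(SAMPLE_ARCHIVE)


if __name__ == "__main__":
    # usage: python3 check_pin.py path/to/xz-5.4.5.tar.gz [PIN]
    path = sys.argv[1]
    pin = sys.argv[2] if len(sys.argv) > 2 else XZ_545_PIN
    with open(path, "rb") as fh:
        ok = verify_origin_hash(fh.read(), pin)
    print(f"{path}: {'matches' if ok else 'DOES NOT MATCH'} pin {pin}")
    sys.exit(0 if ok else 1)
```

Run it against the tarball you actually downloaded; a mismatch means the bytes differ from what the package definition pins, which is the same failure `guix build` would report, only before anything is built. The decoder deliberately rejects symbols outside the alphabet and non-zero padding bits, so a mistyped pin is reported as invalid rather than silently compared.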

Patch

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index dd88fce9ca..d89d72c9b7 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -573,6 +573,21 @@  (define-public xz
    (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
    (home-page "https://tukaani.org/xz/")))
 
+(define-public xz-5.4
+  (package
+    (inherit xz)
+    (name "xz-5.4")
+    (version "5.4.5")
+    (source (origin
+              (method url-fetch)
+              (uri (list (string-append "http://tukaani.org/xz/xz-" version
+                                        ".tar.gz")
+                         (string-append "http://multiprecision.org/guix/xz-"
+                                        version ".tar.gz")))
+              (sha256
+               (base32
+                "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
+
 (define-public lhasa
   (package
     (name "lhasa")
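Review bot: the two download URIs in this hunk use plain `http://` (`http://tukaani.org/xz/xz-` and `http://multiprecision.org/guix/xz-`) while the inherited `home-page` two lines above is `https://tukaani.org/xz/`; the `sha256` pin means a tampered tarball fails the hash check instead of being built, but the fetch should still go over `https://` for consistency with the rest of the definition. The definition also carries no comment saying why a second xz variant exists or that it is deliberately held at a 5.4.x release rather than the newest tarball, which is the first question the thread raises; a one-line comment above `(define-public xz-5.4` stating the purpose (the diffoscope test requirement discussed in the series) and the version constraint would spare the next reader the same detour.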