| Message ID | 20240518035037.190183-1-vagrant@reproducible-builds.org |
|---|---|
| State | New |
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9F4EC27BBE9; Sat, 18 May 2024 04:52:16 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 1E7E627BBE2 for <patchwork@mira.cbaines.net>; Sat, 18 May 2024 04:52:14 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces@gnu.org>) id 1s8B74-00016p-7X; Fri, 17 May 2024 23:52:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1s8B72-00013m-5H for guix-patches@gnu.org; Fri, 17 May 2024 23:52:00 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1s8B71-0000dd-SE for guix-patches@gnu.org; Fri, 17 May 2024 23:51:59 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1s8B74-0001Bl-HM for guix-patches@gnu.org; Fri, 17 May 2024 23:52:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#71024] [PATCH 1/2] gnu: Add xz-5.4 variant. References: <87r0dzriwi.fsf@wireframe> In-Reply-To: <87r0dzriwi.fsf@wireframe> Resent-From: vagrant@reproducible-builds.org Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 18 May 2024 03:52:02 +0000 Resent-Message-ID: <handler.71024.B71024.17160042914537@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 71024 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 71024@debbugs.gnu.org Cc: vagrant@reproducible-builds.org Received: via spool by 71024-submit@debbugs.gnu.org id=B71024.17160042914537 (code B ref 71024); Sat, 18 May 2024 03:52:02 +0000 Received: (at 71024) by debbugs.gnu.org; 18 May 2024 03:51:31 +0000 Received: from localhost ([127.0.0.1]:58919 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1s8B6Y-0001B4-Li for submit@debbugs.gnu.org; Fri, 17 May 2024 23:51:31 -0400 Received: from cascadia.aikidev.net ([173.255.214.101]:54238) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <vagrant@aikidev.net>) id 1s8B6T-0001AZ-7J for 71024@debbugs.gnu.org; Fri, 17 May 2024 23:51:29 -0400 Received: from localhost (unknown [IPv6:2600:3c01:e000:21:7:77:0:50]) (Authenticated sender: vagrant@aikidev.net) by cascadia.aikidev.net (Postfix) with ESMTPSA id 61D731AB90; Fri, 17 May 2024 20:50:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=reproducible-builds.org; s=1.vagrant; t=1716004242; bh=LoTYqbwMQ97JHqOL+VSRRYBL/44R19Gmg0ys5GE4XEE=; h=From:To:Cc:Subject:Date:From; b=u/tUpUeCqLwtUDy1Z8Ja0sykVq9fNGVIV3YcwzrXvJ7MtCu3dYUtsWaLO9mxObgqD UcFxXpqaIvMBgGo35mwo0imWxuY0beRiscOmwIYo3jOr+K9shFo9RKA4+3WLAD37SR BKogcI8Lty+I0Xx8VRPD/zpBnl9CivbKPBNdZtodoDF5GlfI36hUFt1jjhFbZmC28f sP6nkYhZTVc39fnEl9w8tBnW9UTxCjW6gOwxA/Mi7rDNZQcV8COwgDPyTSHwVfpM+m xOxKjA6NO/6kiAbbC8WzURpZtaAN+7IC8BpL8fCwMy4xXcsSlcWM7IyG0Z7dh5qm+p HAT1d/vRYF9pQ== From: vagrant@reproducible-builds.org Date: Fri, 17 May 2024 20:50:36 -0700 Message-Id: <20240518035037.190183-1-vagrant@reproducible-builds.org> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches |
| Series |
[bug#71024,1/2] gnu: Add xz-5.4 variant.
|
|
Commit Message
Vagrant Cascadian
May 18, 2024, 3:50 a.m. UTC
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
* gnu/packages/compression.scm (xz-5.4): New variable.
---
gnu/packages/compression.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)
base-commit: e9b25a6c6c626a560d28a1f732e6e5d362d584a4
Comments
Hi, vagrant@reproducible-builds.org writes: > From: Vagrant Cascadian <vagrant@reproducible-builds.org> > > * gnu/packages/compression.scm (xz-5.4): New variable. > --- > gnu/packages/compression.scm | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm > index dd88fce9ca..d89d72c9b7 100644 > --- a/gnu/packages/compression.scm > +++ b/gnu/packages/compression.scm > @@ -573,6 +573,21 @@ (define-public xz > (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both > (home-page "https://tukaani.org/xz/"))) > > +(define-public xz-5.4 > + (package > + (inherit xz) > + (name "xz-5.4") > + (version "5.4.5") > + (source (origin > + (method url-fetch) > + (uri (list (string-append "http://tukaani.org/xz/xz-" version > + ".tar.gz") > + (string-append "http://multiprecision.org/guix/xz-" > + version ".tar.gz"))) > + (sha256 > + (base32 > + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k")))))) > + Any reason not to use the latest, which is v5.6.1 (fetched from git, to avoid the xz backdoor issue)?
On 2024-05-20, Maxim Cournoyer wrote: > vagrant@reproducible-builds.org writes: > >> From: Vagrant Cascadian <vagrant@reproducible-builds.org> >> >> * gnu/packages/compression.scm (xz-5.4): New variable. >> --- >> gnu/packages/compression.scm | 15 +++++++++++++++ >> 1 file changed, 15 insertions(+) >> >> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm >> index dd88fce9ca..d89d72c9b7 100644 >> --- a/gnu/packages/compression.scm >> +++ b/gnu/packages/compression.scm >> @@ -573,6 +573,21 @@ (define-public xz >> (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both >> (home-page "https://tukaani.org/xz/"))) >> >> +(define-public xz-5.4 >> + (package >> + (inherit xz) >> + (name "xz-5.4") >> + (version "5.4.5") >> + (source (origin >> + (method url-fetch) >> + (uri (list (string-append "http://tukaani.org/xz/xz-" version >> + ".tar.gz") >> + (string-append "http://multiprecision.org/guix/xz-" >> + version ".tar.gz"))) >> + (sha256 >> + (base32 >> + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k")))))) >> + > > Any reason not to use the latest, which is v5.6.1 (fetched from git, to > avoid the xz backdoor issue)? For one, 5.6.1 was also released by "Jia Tan" according to: https://tukaani.org/xz-backdoor/ To fix bugs in the backdoor partly introduced in 5.6.0... e.g. not to remove the backdoor, but to make it a working backdoor. In other words, DO NOT USE 5.6.1. :) There are some concerns about questionable code by "Jia Tan" in earlier versions too: https://bugs.debian.org/1068024 ... although even the 5.4.x version I proposed was, admittedly, being a bit lazy and just picking a version already present in core-updates as the easiest path forward that was reasonably close to the version present in Debian which diffoscope was tested against... Reverting to 5.3.1 might be a more conservative approach, although I have not tested it with diffoscope. Or fixing diffoscope to work with the older xz version in master (5.2.x?) that guix is already using, which, now that I have spelled out all of the above, seems possibly a much better idea! live well, vagrant
On 2024-05-20, Vagrant Cascadian wrote: > On 2024-05-20, Maxim Cournoyer wrote: >> vagrant@reproducible-builds.org writes: >> >>> From: Vagrant Cascadian <vagrant@reproducible-builds.org> >>> >>> * gnu/packages/compression.scm (xz-5.4): New variable. ... > Or fixing diffoscope to work with the older xz version in master > (5.2.x?) that guix is already using, which, now that I have spelled out > all of the above, seems possibly a much better idea! This was "fixed" in upstream diffoscope git by setting a version requirement on the test, and I think this was a new test, so not exactly a regression in test coverage. https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/17c061e767e612540dd0227c3fd1f9cab460a78f So we could build diffoscope from that commit instead, or manually apply the patch, or just wait till the next diffoscope version. live well, vagrant
Hi Vagrant, Vagrant Cascadian <vagrant@reproducible-builds.org> writes: > On 2024-05-20, Vagrant Cascadian wrote: >> On 2024-05-20, Maxim Cournoyer wrote: >>> vagrant@reproducible-builds.org writes: >>> >>>> From: Vagrant Cascadian <vagrant@reproducible-builds.org> >>>> >>>> * gnu/packages/compression.scm (xz-5.4): New variable. > ... >> Or fixing diffoscope to work with the older xz version in master >> (5.2.x?) that guix is already using, which, now that I have spelled out >> all of the above, seems possibly a much better idea! > > This was "fixed" in upstream diffoscope git by setting a version > requirement on the test, and I think this was a new test, so not exactly > a regression in test coverage. > > https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/17c061e767e612540dd0227c3fd1f9cab460a78f > > So we could build diffoscope from that commit instead, or manually apply > the patch, or just wait till the next diffoscope version. Given the xz horror story, waiting a bit more seems a good option to me. Thanks for explaining it in more details; it seems upstream is working on a cleaned up 5.8.0 version, which isn't ready yet.
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index dd88fce9ca..d89d72c9b7 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -573,6 +573,21 @@ (define-public xz (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both (home-page "https://tukaani.org/xz/"))) +(define-public xz-5.4 + (package + (inherit xz) + (name "xz-5.4") + (version "5.4.5") + (source (origin + (method url-fetch) + (uri (list (string-append "http://tukaani.org/xz/xz-" version + ".tar.gz") + (string-append "http://multiprecision.org/guix/xz-" + version ".tar.gz"))) + (sha256 + (base32 + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k")))))) + (define-public lhasa (package (name "lhasa")