Message ID | cover.1711917891.git.leo@famulari.name |
---|---|
Series | Xz backdoor / JiaT75 cleanup for libarchive |
Hi Leo,

On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:

> https://github.com/libarchive/libarchive/pull/2101
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
>

Overall changes look good, but I have not had a chance to try it locally (building or dependents).

[...]

> +(define-public libarchive/fixed > + (package > + (inherit libarchive) > + (version "3.6.1") > + (source > + (origin > + (method url-fetch) > + (uri (list (string-append "https://libarchive.org/downloads/libarchive-" > + version ".tar.xz") > + (string-append "https://github.com/libarchive/libarchive" > + "/releases/download/v" version "/libarchive-" > + version ".tar.xz")))

In light of the xz backdoor, perhaps we should just do a git checkout of the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

I haven't had a chance to look at potential ABI changes, but perhaps at least v3.6.2 is graftable? That also lists a security update (as well as later versions).

Or, if it is easier and this is tested on your end, let's push this and do an upgrade to the latest on a branch. I would volunteer mesa-updates, but Cuirass has been stuck all day not building anything, so I don't know what will end up being quickest (which branch or a new one).

Thanks for the quick work!

John
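Review bot: the `(method url-fetch)` origin in `libarchive/fixed` builds from the release tarball `libarchive-3.6.1.tar.xz` (libarchive.org, with the GitHub `/releases/download/` asset as fallback), and a release tarball can carry generated or extra files that are not in the repository history. For a replacement whose purpose is to back out a suspect contribution, consider `(method git-fetch)` with a `git-reference` on the `v3.6.1` tag so the source that gets built is the same tree the upstream pull request was reviewed against. A git checkout would likely need the autotools added as native inputs to generate `configure`, so if the tarball stays, a short comment next to the origin saying why would help the next reader.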