Message ID | 20210130042428.16873-1-rprior@protonmail.com |
---|---|
State | Accepted |
Series | Update gcrypt [URGENT SECURITY ISSUE] |

Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |

Ryan,

guix-patches--- via writes:

> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.

Thanks.

> - (version "1.8.5")
> + (version "1.9.1")

libgcrypt has 12119(!) dependent packages. Can we use a graft here? This nongrafted version can then go to core-updates.

Grafting means we keep these packages built against 1.8.5 and force-feed them 1.9.1 instead, which might not work reliably across minor versions but needs to be tried before rebuilding the world.

Kind regards,

T G-R

guix-patches--- via <guix-patches@gnu.org> writes:

> Ryan,
>
> guix-patches--- via writes:
>> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
>
> Thanks.
>
>> - (version "1.8.5")
>> + (version "1.9.1")
>
> libgcrypt has 12119(!) dependent packages. Can we use a graft here? This
> nongrafted version can then go to core-updates.
>
> Grafting means we keep these packages built against 1.8.5 and force-feed them
> 1.9.1 instead, which might not work reliably across minor versions but needs to
> be tried before rebuilding the world.
>
> Kind regards,
>
> T G-R

According to the news at https://gnupg.org:

--8<---------------cut here---------------start------------->8---
Libgcrypt 1.9.1 released (2021-01-29) important

Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago. If you already started to use version 1.9.0 please update immediately to 1.9.1.
--8<---------------cut here---------------end--------------->8---

Currently the master and staging branch are using libgcrypt 1.8.5 and core-updates is using 1.8.7. These versions don't have the critical bug as it was introduced in version 1.9.0. So I think updating libgcrypt on master is not an emergency, we just have to remember to never use version 1.9.0.

Hi,

Guillaume Le Vaillant <glv@posteo.net> writes:

> According to the news at https://gnupg.org:
>
> Libgcrypt 1.9.1 released (2021-01-29) important
>
> Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
> If you already started to use version 1.9.0 please update immediately to 1.9.1.
>
> Currently the master and staging branch are using libgcrypt 1.8.5 and
> core-updates is using 1.8.7. These versions don't have the critical bug
> as it was introduced in version 1.9.0. So I think updating libgcrypt on
> master is not an emergency, we just have to remember to never use
> version 1.9.0.

Indeed. So closing this bug.

That said, we can update libgcrypt in ‘core-updates’.

Ludo’.

diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index a2da166bb4..f226d092dc 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -131,14 +131,13 @@ Daemon and possibly more in the future.") (define-public libgcrypt (package (name "libgcrypt") - (version "1.8.5") + (version "1.9.1") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-" version ".tar.bz2")) (sha256 - (base32 - "1hvsazms1bfd769q0ngl0r9g5i4m9mpz9jmvvrdzyzk3rfa2ljiv")))) + (base32 "1nb50bgzp83q6r5cz4v40y1mcbhpqwqyxlay87xp1lrbkf5pm9n5")))) (build-system gnu-build-system) (propagated-inputs `(("libgpg-error-host" ,libgpg-error)))
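
Review bot: the `(version "1.9.1")` bump is made directly in `(define-public libgcrypt`, so applying it on master rebuilds every dependent of this package (12119 according to the thread), and nothing in the hunk limits that. Since the thread establishes that the 1.8.5 being replaced does not carry the bug introduced in 1.9.0, this change belongs on core-updates; if it must reach master, keep 1.8.5 as the built input and attach 1.9.1 through a `replacement` field (a graft), then test it against a few dependents, because the jump crosses a minor version. Two smaller points: the commit log names the variable as `(libcrypt)` while the definition in the hunk is `libgcrypt`, so the log entry should be corrected, and the new `base32` hash should be confirmed against the upstream tarball after checking its signature, since the diff alone cannot vouch for it.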