Message ID | 20210508232729.11557-1-leo.prikler@student.tugraz.at |
---|---|
State | Accepted |
Series | [bug#48304] gnu: expat: Update via graft. |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.

Nitpick: It should be

(expat)[replacement]: New field.

Otherwise, looks okay assuming ABI compatibility, but we only use grafts
for security updates.
Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
>
> Nitpick: It should be
>
> (expat)[replacement]: New field.
>
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.

The maintainer of expat will release a 2.4.0 with security fixes soon.

Greetings,
Maxime.
On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes soon.

Yes, I know :) I think we all received the same private email.

We can test the graft with 2.3.0 but wait until 2.4.0 to actually use
it.
On Sunday, 09.05.2021, at 16:27 +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes soon.
>
> Greetings,
> Maxime.

Indeed, the mail they dropped over at guix-devel made it seem as though
not being on 2.3.0 was a security risk already. The ChangeLog does
mention some items worth fuzzing over.

That said, I simply wanted to claim a bug ID for this and let people
check whether the update really breaks nothing. The list of dependants
is far too big for me to handle.

Regards,
Leo
On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already. The ChangeLog does
> mention some items worth fuzzing over.

In general, all updates are security updates. But we shouldn't / can't
update all core packages with grafts just because. Grafting is a kludge
that doesn't always work as expected (and the problems are hidden), and
it has a high I/O performance cost.

So, let's wait for a security advisory.
merge 48304 48612
thanks

Leo Famulari <leo@famulari.name> writes:

> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already. The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.

I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):

https://issues.guix.gnu.org/48612
On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
> merge 48304 48612
The merge didn't work (one bug was for 'guix', and one for
'guix-patches'), but I pushed a graft as
6d71f6a73cd27d61d3302b9658893428af6314d2
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 931698a575..d8472f5fa3 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -120,6 +120,7 @@ the entire document.") (package (name "expat") (version "2.2.9") + (replacement expat-2.3.0) (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) @@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +(define-public expat-2.3.0 + (package + (inherit expat) + (version "2.3.0") + (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.xz") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz"))) + (sha256 + (base32 + "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya"))))))) + (define-public libebml (package (name "libebml")
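Review bot: the `(replacement expat-2.3.0)` field added to the 2.2.9 `expat` package in the first hunk carries no comment saying which fix the graft delivers. Since a graft swaps the library underneath dependents that were built against 2.2.9, a one-line comment naming the advisory or changelog entry that justifies it would tell a later reader when the field can be dropped on the next non-grafted update. ABI compatibility between 2.2.9 and 2.3.0 should also be confirmed before this is applied.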
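Review bot: in the second hunk, `(define-public expat-2.3.0` exports the replacement, and because it does `(inherit expat)` it keeps the name "expat", so two public packages named "expat" (2.2.9 and 2.3.0) become visible to users. Consider a plain `define` so the variable is reachable only through the `replacement` field. The `source` form also repeats the whole `dot->underscore` lambda and both URIs from the parent definition when only `version` and the `sha256` differ; factoring that out would leave less to keep in sync when the graft is bumped again.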