[PATCH] gnu: expat: Update via graft.

Done
Submitted by Leo Prikler.
Details
5 participants
  • Leo Prikler
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Maxime Devos
Owner
unassigned
Severity
normal
Leo Prikler wrote on 9 May 01:27 +0200
(address . guix-patches@gnu.org)(address . sebastian@pipping.org)
20210508232729.11557-1-leo.prikler@student.tugraz.at
* gnu/packages/xml.scm (expat-2.3.0): New variable.
(expat)[replacement]: Add it.
---
 gnu/packages/xml.scm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
Toggle diff (38 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex 931698a575..d8472f5fa3 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -120,6 +120,7 @@ the entire document.") (package (name "expat") (version "2.2.9")+ (replacement expat-2.3.0) (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch)@@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +(define-public expat-2.3.0+ (package+ (inherit expat)+ (version "2.3.0")+ (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))+ (origin+ (method url-fetch)+ (uri (list (string-append "mirror://sourceforge/expat/expat/"+ version "/expat-" version ".tar.xz")+ (string-append+ "https://github.com/libexpat/libexpat/releases/download/R_"+ (string-map dot->underscore version)+ "/expat-" version ".tar.xz")))+ (sha256+ (base32+ "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))))+ (define-public libebml (package (name "libebml")-- 2.31.1
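Review bot: The (replacement expat-2.3.0) field added to the expat 2.2.9 package in the first hunk has no comment explaining why a graft is needed, and the commit message names no security issue either. Suggest a short comment above the field, or a line in the commit log, naming the issue the graft addresses, so a later reader can tell when the field can be dropped and the version bump folded into the main definition.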
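Review bot: In the second hunk, (define-public expat-2.3.0 ...) exports the replacement as a second public package that, through (inherit expat), is also named "expat", although the patch only references it from the replacement field; a plain define would keep it out of the module's public interface. The new source form also repeats the dot->underscore helper and the url-fetch origin that the first hunk's context shows for the original package, so consider sharing that code between the two definitions instead of copying it.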
Leo Famulari wrote on 9 May 16:05 +0200
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)(address . 48304@debbugs.gnu.org)
YJfsLgjGmIf2b8VS@jasmine.lan
On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.
Nitpick: It should be
(expat)[replacement]: New field.
Otherwise, looks okay assuming ABI compatibility, but we only use grafts for security updates.
Maxime Devos wrote on 9 May 16:27 +0200
(address . 48304@debbugs.gnu.org)
829778414d37d154393f014d52c17e58b72aa1ac.camel@telenet.be
Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
>
> Nitpick: It should be
>
> (expat)[replacement]: New field.
>
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.
The maintainer of expat will release a 2.4.0 with security fixes soon.
Greetings,
Maxime.
Leo Famulari wrote on 9 May 16:32 +0200
(name . Maxime Devos)(address . maximedevos@telenet.be)
YJfyktlty0F6W2BC@jasmine.lan
On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes soon.
Yes, I know :) I think we all received the same private email.
We can test the graft with 2.3.0 but wait until 2.4.0 to actually use it.
Leo Prikler wrote on 9 May 16:37 +0200
(address . 48304@debbugs.gnu.org)
276aa14b795b9046b326e5bc0235049a5710c765.camel@student.tugraz.at
On Sunday, 09.05.2021, at 16:27 +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use
> > grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes
> soon.
>
> Greetings,
> Maxime.
Indeed, the mail they dropped over at guix-devel made it seem as though not being on 2.3.0 was a security risk already. The ChangeLog does mention some items worth fuzzing over.
That said, I simply wanted to claim a bug ID for this and let people check whether the update really breaks nothing. The list of dependants is far too big for me to handle.
Regards,
Leo
Leo Famulari wrote on 9 May 17:22 +0200
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)
YJf+TnQ+DenU++Mx@jasmine.lan
On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already. The ChangeLog does
> mention some items worth fuzzing over.
In general, all updates are security updates. But we shouldn't / can't update all core packages with grafts just because. Grafting is a kludge that doesn't always work as expected (and the problems are hidden), and it has a high I/O performance cost.
So, let's wait for a security advisory.
Ludovic Courtès wrote on 15 May 12:12 +0200
control message for bug #48304
(address . control@debbugs.gnu.org)
87cztsl301.fsf@gnu.org
tags 48304 + security
quit
Marius Bakke wrote on 23 May 17:33 +0200
Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
871r9xqxce.fsf@gnu.org
merge 48304 48612
thanks
Leo Famulari <leo@famulari.name> writes:
> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already. The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.
I opened a similar discussion about the security fix in Expat 2.4.0 recently and am merging with this issue (which I had not seen):
https://issues.guix.gnu.org/48612
Leo Famulari wrote on 3 Jun 05:17 +0200
(name . Marius Bakke)(address . marius@gnu.org)
YLhJ1Dee1in8cDN7@jasmine.lan
On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
> merge 48304 48612
The merge didn't work (one bug was for 'guix', and one for 'guix-patches'), but I pushed a graft as 6d71f6a73cd27d61d3302b9658893428af6314d2
Closed