[PATCH] gnu: curl: Update to 8.3.0.

Status: Done
Participants: Efraim Flashner, Liliana Marie Prikler, Simon Tournier
Owner: unassigned
Submitted by: Liliana Marie Prikler
Severity: normal

Liliana Marie Prikler wrote on 5 Oct 2023 08:11
(address . guix-patches@gnu.org)
fd95e1915f991c76b2a589971e76e3bbf049df04.1696486469.git.liliana.prikler@gmail.com
According to upstream, the current version has 19 security issues.

* gnu/packages/curl.scm (curl/fixed): New variable.
(curl): Use it as replacement.
---
gnu/packages/curl.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 4e3c563570..dd612ce356 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -65,6 +65,7 @@ (define-public curl
(package
(name "curl")
(version "7.85.0")
+ (replacement curl/fixed)
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
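Review bot: the `(replacement curl/fixed)` line grafts an 8.x release onto a package whose `version` stays "7.85.0", so dependents built against 7.85.0 will run against the replacement's libcurl without being rebuilt. It is worth saying in the commit message that binary compatibility across that jump was checked. A one-line comment beside the field marking it as a security graft would also tell the next reader why it is there and that it can go once `curl` itself is updated.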
@@ -154,6 +155,20 @@ (define-public curl
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
+(define curl/fixed
+ (let ((%version "8.3.0"))
+ (package
+ (inherit curl)
+ (version "8.3.0-0") ; add -0 for grafting
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.se/download/curl-"
+ %version ".tar.xz"))
+ (sha256
+ (base32
+ "0qza6yf20y2l4aaxkn8dfw8p3fls1mxljvdb0m8z1i6ncxvn4v9p"))
+ (patches (search-patches "curl-use-ssl-cert-env.patch")))))))
+
(define-public curl-ssh
(package/inherit curl
(arguments
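Review bot: in `curl/fixed`, `(version "8.3.0-0")` is seven characters while the grafted package's "7.85.0" is six. The comment gives grafting as the reason for the suffix; if the intent is a version string of the same length as the original, a six-character form is needed. The "8.3.0" literal also appears twice, once in `%version` and once inside `version`, so deriving the `version` field from `%version` with `string-append` would keep the download URI and the version field from drifting apart. Since this origin is written out in full, please also confirm that "curl-use-ssl-cert-env.patch" still applies to the 8.3.0 tarball.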

base-commit: e71864793021051cff35597abd59bb2d5649977d
--
2.41.0
Efraim Flashner wrote on 5 Oct 2023 09:19
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 66359@debbugs.gnu.org)
ZR5jdDlKpE3lgvDC@3900XT
On Thu, Oct 05, 2023 at 08:11:34AM +0200, Liliana Marie Prikler wrote:
> According to upstream, the current version has 19 security issues.
> See also <https://curl.se/docs/vuln-7.85.0.html>.
>
> * gnu/packages/curl.scm (curl/fixed): New variable.
> (curl): Use it as replacement.
> ---
> gnu/packages/curl.scm | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 4e3c563570..dd612ce356 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -65,6 +65,7 @@ (define-public curl
> (package
> (name "curl")
> (version "7.85.0")
> + (replacement curl/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://curl.se/download/curl-"
> @@ -154,6 +155,20 @@ (define-public curl
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> +(define curl/fixed
> + (let ((%version "8.3.0"))
> + (package
> + (inherit curl)
> + (version "8.3.0-0") ; add -0 for grafting

'7.85.0' is 6 characters, but '8.3.0-0' is 7 characters. I think I'd go
with '8.3.0A' to keep with previous (tribal knowledge) version mangling
schemes.

> + (source (origin
> + (method url-fetch)
> + (uri (string-append "https://curl.se/download/curl-"
> + %version ".tar.xz"))
> + (sha256
> + (base32
> + "0qza6yf20y2l4aaxkn8dfw8p3fls1mxljvdb0m8z1i6ncxvn4v9p"))
> + (patches (search-patches "curl-use-ssl-cert-env.patch")))))))
> +
> (define-public curl-ssh
> (package/inherit curl
> (arguments
>
> base-commit: e71864793021051cff35597abd59bb2d5649977d
> --
> 2.41.0

Once the version string is the same length (your choice how!) then LGTM!

--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Liliana Marie Prikler wrote on 5 Oct 2023 09:44
(name . Efraim Flashner)(address . efraim@flashner.co.il)(address . 66359-done@debbugs.gnu.org)
cfdeed35241230e07ef115d920e1576617a218ac.camel@gmail.com
On Thursday, 05.10.2023 at 10:19 +0300, Efraim Flashner wrote:
> On Thu, Oct 05, 2023 at 08:11:34AM +0200, Liliana Marie Prikler
> wrote:
> > +(define curl/fixed
> > +  (let ((%version "8.3.0"))
> > +    (package
> > +      (inherit curl)
> > +      (version "8.3.0-0")               ; add -0 for grafting
>
> '7.85.0' is 6 characters, but '8.3.0-0' is 7 characters. I think I'd
> go with '8.3.0A' to keep with previous (tribal knowledge) version
> mangling schemes.
D'oh.

> > +      (source (origin
> > +                (method url-fetch)
> > +                (uri (string-append
> > "https://curl.se/download/curl-"
> > +                                    %version ".tar.xz"))
> > +                (sha256
> > +                 (base32
> > +                 
> > "0qza6yf20y2l4aaxkn8dfw8p3fls1mxljvdb0m8z1i6ncxvn4v9p"))
> > +                (patches (search-patches "curl-use-ssl-cert-
> > env.patch")))))))
> > +
> >  (define-public curl-ssh
> >    (package/inherit curl
> >      (arguments
> >
> > base-commit: e71864793021051cff35597abd59bb2d5649977d
> > --
> > 2.41.0
>
> Once the version string is the same length (your choice how!) then
> LGTM!
I used lowercase 'a' and pushed it.

Cheers
Closed
Simon Tournier wrote on 5 Oct 2023 18:26
87lechujbn.fsf@gmail.com
Hi,

On Thu, 05 Oct 2023 at 08:11, Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

> +(define curl/fixed
> + (let ((%version "8.3.0"))

Naive question, why %version and not version?

> + (package
> + (inherit curl)
> + (version "8.3.0-0") ; add -0 for grafting
> + (source (origin
> + (method url-fetch)
> + (uri (string-append "https://curl.se/download/curl-"
> + %version ".tar.xz"))

Cheers,
simon
Liliana Marie Prikler wrote on 6 Oct 2023 10:54
480ea5ee0112c1a790da72af34405e0df6fcd2a0.camel@gmail.com
On Thursday, 05.10.2023 at 18:26 +0200, Simon Tournier wrote:
> Hi,
>
> On Thu, 05 Oct 2023 at 08:11, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
>
> > +(define curl/fixed
> > +  (let ((%version "8.3.0"))
>
> Naive question, why %version and not version?
Because version gets shadowed by (package …). I could reorder the
fields in a non-standard way, but that'd be even less readable,
therefore the extra variable.

Cheers,

Liliana
Simon Tournier wrote on 6 Oct 2023 11:09
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 66359@debbugs.gnu.org)
CAJ3okZ39D+99jx9JqodcPG9xVJR2y06+eWBqaWm9VAQadtVtgg@mail.gmail.com
Hi Liliana,

On Fri, 6 Oct 2023 at 10:54, Liliana Marie Prikler
<liliana.prikler@gmail.com> wrote:

> > Naive question, why %version and not version?
>
> Because version gets shadowed by (package …). I could reorder the
> fields in a non-standard way, but that'd be even less readable,
> therefore the extra variable.

Ah, I see. Thanks for explaining.

Well, %something is usually for "global" parameters. At least, that's
the convention with Guix. Therefore, I would suggest to not use it in
order to avoid confusion.

Why not "this-version"?

Cheers,
simon
Liliana Marie Prikler wrote on 6 Oct 2023 11:55
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)(address . 66359@debbugs.gnu.org)
20d7107dea14e1d879a08f562848cc0b5bf57a1d.camel@gmail.com
On Friday, 06.10.2023 at 11:09 +0200, Simon Tournier wrote:
> Hi Liliana,
>
> On Fri, 6 Oct 2023 at 10:54, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
>
> > > Naive question, why %version and not version?
> >
> > Because version gets shadowed by (package …).  I could reorder the
> > fields in a non-standard way, but that'd be even less readable,
> > therefore the extra variable.
>
> Ah, I see.  Thanks for explaining.
>
> Well, %something is usually for "global" parameters.  At least, that's
> the convention with Guix.  Therefore, I would suggest to not use it
> in order to avoid confusion.
As far as I understand %something means "implementation detail" and
*something* means global, important something, but I might be mistaken
about that.

> Why not "this-version"?
Ain't nobody got time to type that.
Simon Tournier wrote on 6 Oct 2023 12:15
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 66359@debbugs.gnu.org)
CAJ3okZ28AofwbMOuKR-eM2r+qMd1M92ZYWYu0U6DriaJ4w+EcA@mail.gmail.com
Re,

On Fri, 6 Oct 2023 at 11:55, Liliana Marie Prikler
<liliana.prikler@gmail.com> wrote:

> > Well, %something is usually for "global" parameters. At least, that's
> > the convention with Guix. Therefore, I would suggest to not use it
> > in order to avoid confusion.
>
> As far as I understand %something means "implementation detail" and
> *something* means global, important something, but I might be mistaken
> about that.

It is not my understanding. I mean, %something is not for symbol in
'let' binding.

Can we ask on #guix? :-)


> > Why not "this-version"?
>
> Ain't nobody got time to type that.

So pick the single letter 'v' ;-)

Cheers,
simon
Simon Tournier wrote on 9 Oct 2023 14:33
meaning of %something? (was Re: [bug#66359] [PATCH] gnu: curl: Update to 8.3.0.)
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 66359@debbugs.gnu.org)
87pm1ot1ps.fsf@gmail.com
Hi Liliana,

On Fri, 06 Oct 2023 at 11:55, Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

>> Well, %something is usually for "global" parameters.  At least, that's
>> the convention with Guix.  Therefore, I would suggest to not use it
>> in order to avoid confusion.
>
> As far as I understand %something means "implementation detail" and
> *something* means global, important something, but I might be mistaken
> about that.

For your information, what the Cookbook says about %something:

        The percentage % is typically used for read-only global
        variables in the build stage. Note that it is merely a
        convention, like _ in C. Scheme treats % exactly the same as any
        other letter.

        https://guix.gnu.org/cookbook/en/guix-cookbook.html#A-Scheme-Crash-Course

I think your change using ’%version’ in some let-binding is not
consistent with the rest.

Well, I have seen you already pushed this change. Not an issue at all,
I can easily live with it. :-)

My aim with this message is only to communicate on some practises.
Maybe something should be raised on guix-devel. Well, if you and I,
both spending some time working on Guix do not have the same
understanding for %something, then it means something is poorly
documented somewhere. :-)

WDYT about adding a paragraph about %something under,

    https://guix.gnu.org/manual/devel/en/guix.html#Coding-Style

?

Cheers,
simon
Liliana Marie Prikler wrote on 9 Oct 2023 18:57
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)(address . 66359@debbugs.gnu.org)
6f96ceb637ecb88eefbf851f7dbd1b82811b65d3.camel@gmail.com
On Monday, 09.10.2023 at 14:33 +0200, Simon Tournier wrote:
> Hi Liliana,
>
> On Fri, 06 Oct 2023 at 11:55, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
>
> > > Well, %something is usually for "global" parameters.  At least,
> > > that's the convention with Guix.  Therefore, I would suggest to not
> > > use it in order to avoid confusion.
> >
> > As far as I understand %something means "implementation detail" and
> > *something* means global, important something, but I might be
> > mistaken about that.
>
> For your information, what the Cookbook says about %something:
>
>         The percentage % is typically used for read-only global
>         variables in the build stage. Note that it is merely a
>         convention, like _ in C. Scheme treats % exactly the same as
> any
>         other letter.
>
>        
> https://guix.gnu.org/cookbook/en/guix-cookbook.html#A-Scheme-Crash-Course
>
> I think your change using ’%version’ in some let-binding is not
> consistent with the rest.
I don't think my usage of the percent style changes the meaning of
"typically". Our implementation details are typically, but not
exclusively, global variables in the build stage.

> My aim with this message is only to communicate on some practises.
> Maybe something should be raised on guix-devel.  Well, if you and I,
> both spending some time working on Guix do not have the same
> understanding for %something, then it means something is poorly
> documented somewhere. :-)
>
> WDYT about adding a paragraph about %something under,
>
>     https://guix.gnu.org/manual/devel/en/guix.html#Coding-Style
>
> ?
I'll consider it, but perhaps explaining this within the same cookbook
entry might be a better idea. Regardless of the outcome in Guix Devel,
I don't think that constraining variable names *too* hard is helpful,
though.

Cheers

This issue is archived.

To comment on this conversation send an email to 66359@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 66359
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch