From: Efraim Flashner
To: Ludovic Courtès
Cc: Danny Milosavljevic, 27943@debbugs.gnu.org
Subject: Re: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 15:05:10 +0200
Message-ID: <20171130130510.GT991@macbook41>
In-Reply-To: <87shcyzdhg.fsf@gnu.org>

On Tue, Nov 28, 2017 at 03:26:03PM +0100, Ludovic Courtès wrote:
> Hi Danny,
>
> Danny Milosavljevic wrote:
>
> > guix $ make release
> > ...
> > || chmod -R a+r "guix-0.13.0.1849-cf189-dirty"
> > tardir=guix-0.13.0.1849-cf189-dirty && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >guix-0.13.0.1849-cf189-dirty.tar.gz
> > gzip: warning: GZIP environment variable is deprecated; use an alias or script
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch: file name is too long (max 99); not dumped
> > tar: guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: file name is too long (max 99); not dumped
> > tar: Exiting with failure status due to previous errors
> > make[1]: Leaving directory '/home/dannym/src/guix-master/guix'
>
> “make dist” works fine for me with tar 1.29:
>
> --8<---------------cut here---------------start------------->8---
> || chmod -R a+r "guix-0.13.0.3626-da9b8"
> tardir=guix-0.13.0.3626-da9b8 && ${TAR-tar} chof - "$tardir" | eval GZIP= gzip --best -c >guix-0.13.0.3626-da9b8.tar.gz
> make[1]: Leaving directory '/home/ludo/src/guix'
> --8<---------------cut here---------------end--------------->8---
>
> Actually,
> “guix-0.13.0.1849-cf189-dirty/gnu/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch”
> is 101-character long, so without the “-dirty” prefix as above, we’re
> doing OK.  :-)
>
> Anyway, commit eef01cfe8eac8dee8ecf727e4ca459ae065e15ea augments the
> ‘patch-file-names’ linter to catch this issue.
>
> There’s one problematic case left, which is t1lib, but I volunteered
> Efraim to split the big CVE patch in several ones.  :-)
>
> Thanks,
> Ludo’.

It gets worse than that, our t1lib-CVE-2010-2462 is also CVE-2011-0433
and CVE-2011-5244.¹ I tried creating a blank patch (touch t1lib-CVE...)
and adding that to satisfy the linter (and bookkeeping) but unsurprisingly
patch didn't like trying to apply a blank file as a patch.

Debian removed it after squeeze², which was Debian 6, so about 6 years
ago. Gentoo apparently still has it³. We don't have anything that
depends on it so I'm in favor of removing it; even the upstream homepage
is gone.

This doesn't deal with the possibility that patches that address
multiple CVEs that can't be split easily and have a very long name will
continue to occur, so the best option I can think of right now is to
change the linter to logic like this:

CVE-           -> The following are all CVEs
YYYY-ZZZZ????  -> Full CVE reference
ZZZZ????       -> Follows the year of the previous CVE

which would change t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554 ->
t1lib-CVE-2011-1552+1553+1554, and our under-referenced
t1lib-CVE-2010-2642 -> t1lib-CVE-2010-2642+2011-0433+5244

¹ https://github.com/gentoo/gentoo/pull/2906/files
² https://sources.debian.net/src/t1lib/
³ https://security.gentoo.org/glsa/201701-57

-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
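
The naming scheme proposed in the message above, worked through as an added example (not part of the original message and not Guix's linter code): `expand_cves` recovers the full CVE list from an abbreviated patch file name, so an audit can still map each patch to its advisories, and `abbreviate` builds the short name. The function names and the `gnu/packages/patches/` path check are assumptions for illustration; the 99-character limit and the file names come from the tar output quoted above.

```python
import re

TAR_NAME_MAX = 99  # limit reported by tar in the quoted "make release" output

# "CVE-" + full reference, then "+"-separated references that may repeat
# "CVE-" (current naming) or drop the prefix and year (proposed naming).
_CVE_RUN = re.compile(r"CVE-\d{4}-\d{4,}(?:\+(?:CVE-)?(?:\d{4}-)?\d{4,})*")


def expand_cves(patch_name):
    """Return the full CVE ids named by a patch file, in order."""
    run = _CVE_RUN.search(patch_name)
    if run is None:
        return []
    year, cves = None, []
    for token in run.group(0).split("+"):
        if token.startswith("CVE-"):
            token = token[len("CVE-"):]
        if "-" in token:            # YYYY-ZZZZ: full reference, sets the year
            year, number = token.split("-")
        else:                       # ZZZZ: reuses the previous year
            number = token
        cves.append(f"CVE-{year}-{number}")
    return cves


def abbreviate(package, cves):
    """Build the proposed short patch name for a package and its CVE ids."""
    year, parts = None, []
    for cve in cves:
        _, cve_year, number = cve.split("-")
        parts.append(number if cve_year == year else f"{cve_year}-{number}")
        year = cve_year
    return f"{package}-CVE-{'+'.join(parts)}.patch"


def fits_in_tar(tardir, patch_name, limit=TAR_NAME_MAX):
    """True if the archived path stays within tar's name limit."""
    return len(f"{tardir}/gnu/packages/patches/{patch_name}") <= limit


if __name__ == "__main__":
    old = "t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch"
    new = abbreviate("t1lib", expand_cves(old))
    print(new, expand_cves(new) == expand_cves(old))
    print(fits_in_tar("guix-0.13.0.1849-cf189-dirty", old),
          fits_in_tar("guix-0.13.0.1849-cf189-dirty", new))
```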