From: bokr@bokr.com
Date: Fri, 25 Nov 2022 00:51:43 +0100
To: André Batista
Cc: Ludovic Courtès, 56398@debbugs.gnu.org
Subject: Re: bug#56398: (guix git) fails to check out repos with nested submodules

Hi,

On +2022-11-24 12:17:01 -0300, André Batista wrote:
> Hi!
>
> Thu 04 Aug 2022 at 13:59:20 (1659632360), ludovic.courtes@inria.fr wrote:
> > I think we should instead report it upstream.  Do you feel like doing
> > it?  I guess we’d need to give them the C version of the three-line
> > snippet I gave earlier.
>
> Upstream issue #6433[1]
>
> Apparently, GIT_SUBMODULE_STATUS_WD_UNINITIALIZED isn't actually set
> in this scenario, only GIT_SUBMODULE_STATUS_IN_CONFIG.
>
> 1. https://github.com/libgit2/libgit2/issues/6433
>
>

Wondering if this[1] is all history in gnu/guix-land:

[1]

Wherein it says
--8<---------------cut here---------------start------------->8---
The problem has been patched in the versions published on April 14th,
2020, going back to v2.17.x. Anyone wishing to backport the change
further can do so by applying commit 9a6bbee (the full release includes
extra checks for git fsck, but that commit is sufficient to protect
clients against the vulnerability).

The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2,
2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
--8<---------------cut here---------------end--------------->8---

Is there an automated tool to answer the question,
"What executables (command line directly, or indirectly (including
config-directed interpretation)) does my system contain that have known
vulnerabilities?"

BTW: Newsflash: :)
RMS paranoia now dernier-cri[3] as cited in [2]

[2]
[3]

Something[3] to get (more) serious about for gnu/guix?

-- 
Regards,
Bengt Richter
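
Added example, not part of the message above or of the advisory it quotes: a version check that compares `git --version` output against the patched releases listed in the quoted advisory. The function names and the sample inventory are constructed for illustration, and treating every series newer than 2.26 as patched is an assumption.

```python
import re

# Minimum fixed patch level per release series, copied from the advisory
# text quoted in the message above.
PATCHED = {
    (2, 17): 4, (2, 18): 3, (2, 19): 4, (2, 20): 3, (2, 21): 2,
    (2, 22): 3, (2, 23): 2, (2, 24): 2, (2, 25): 3, (2, 26): 1,
}
OLDEST, NEWEST = min(PATCHED), max(PATCHED)


def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` style output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text):
    """Return 'patched', 'unpatched' or 'needs-backport' for one version string."""
    major, minor, patch = parse_git_version(text)
    series = (major, minor)
    if series > NEWEST:
        # Assumption: series released after 2.26 already contain the fix.
        return "patched"
    if series < OLDEST:
        # The advisory only lists 2.17.x and later; older series need
        # commit 9a6bbee backported, which a version string cannot show.
        return "needs-backport"
    return "patched" if patch >= PATCHED[series] else "unpatched"


def audit(inventory):
    """Map each host name to the verdict for its reported git version."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (host name -> output of `git --version`).
SAMPLE = {
    "build-01": "git version 2.25.3",
    "build-02": "git version 2.26.0",
    "legacy-01": "git version 2.11.0",
    "dev-01": "git version 2.30.1",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A version string is only a heuristic: a distribution may ship the fix as a backported patch without changing the upstream version number, so an "unpatched" verdict should be confirmed against the package changelog.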