GNU bug report logs - #48304
[PATCH] gnu: expat: Update via graft.


Package: guix-patches;

Reported by: Leo Prikler <leo.prikler <at> student.tugraz.at>

Date: Sat, 8 May 2021 23:29:01 UTC

Severity: normal

Tags: patch, security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sat, 08 May 2021 23:29:01 GMT)

Acknowledgement sent to Leo Prikler <leo.prikler <at> student.tugraz.at>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 08 May 2021 23:29:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Prikler <leo.prikler <at> student.tugraz.at>
To: guix-patches <at> gnu.org
Cc: sebastian <at> pipping.org
Subject: [PATCH] gnu: expat: Update via graft.
Date: Sun,  9 May 2021 01:27:29 +0200
* gnu/packages/xml.scm (expat-2.3.0): New variable.
(expat)[replacement]: Add it.
---
 gnu/packages/xml.scm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 931698a575..d8472f5fa3 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -120,6 +120,7 @@ the entire document.")
   (package
     (name "expat")
     (version "2.2.9")
+    (replacement expat-2.3.0)
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
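Review bot: the `(replacement expat-2.3.0)` field added under `(version "2.2.9")` carries no comment saying which security fix the graft is meant to deliver. A graft swaps the library underneath dependents that are not rebuilt, so it only holds if 2.3.0 keeps the 2.2.9 ABI; add a comment above the field naming the advisory it addresses and stating that ABI compatibility was checked, so the field can be dropped again at the next regular expat update.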
@@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+(define-public expat-2.3.0
+  (package
+    (inherit expat)
+    (version "2.3.0")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))))
+
 (define-public libebml
   (package
     (name "libebml")
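Review bot: `(define-public expat-2.3.0` exports the replacement, so a second public package that inherits the name "expat" becomes visible next to 2.2.9 even though it is only meant to be reached through the `replacement` field. Use plain `define` here, and because the `source` block repeats the parent's `dot->underscore` helper, add a one-line comment above the definition saying this variant exists only as the graft target and should be folded into `expat` at the next full update.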
-- 
2.31.1





Information forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:06:01 GMT)

Message #8 received at 48304 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Leo Prikler <leo.prikler <at> student.tugraz.at>
Cc: 48304 <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 9 May 2021 10:05:34 -0400
On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.

Nitpick: It should be

(expat)[replacement]: New field.

Otherwise, looks okay assuming ABI compatibility, but we only use grafts
for security updates.




Information forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:28:02 GMT)

Message #11 received at 48304 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Leo Famulari <leo <at> famulari.name>, Leo Prikler
 <leo.prikler <at> student.tugraz.at>
Cc: 48304 <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 09 May 2021 16:27:20 +0200
Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
> 
> Nitpick: It should be
> 
> (expat)[replacement]: New field.
> 
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.

The maintainer of expat will release a 2.4.0 with security fixes soon.

Greetings,
Maxime.

Information forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:33:01 GMT)

Message #14 received at 48304 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: Leo Prikler <leo.prikler <at> student.tugraz.at>, 48304 <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 9 May 2021 10:32:50 -0400
On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> > 
> > Nitpick: It should be
> > 
> > (expat)[replacement]: New field.
> > 
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
> 
> The maintainer of expat will release a 2.4.0 with security fixes soon.

Yes, I know :) I think we all received the same private email.

We can test the graft with 2.3.0 but wait until 2.4.0 to actually use
it.

Information forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:38:01 GMT)

Message #17 received at 48304 <at> debbugs.gnu.org:

From: Leo Prikler <leo.prikler <at> student.tugraz.at>
To: Maxime Devos <maximedevos <at> telenet.be>, Leo Famulari <leo <at> famulari.name>
Cc: 48304 <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 09 May 2021 16:37:39 +0200
On Sunday, 09.05.2021, at 16:27 +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> > 
> > Nitpick: It should be
> > 
> > (expat)[replacement]: New field.
> > 
> > Otherwise, looks okay assuming ABI compatibility, but we only use
> > grafts
> > for security updates.
> 
> The maintainer of expat will release a 2.4.0 with security fixes
> soon.
> 
> Greetings,
> Maxime.
Indeed, the mail they dropped over at guix-devel made it seem as though
not being on 2.3.0 was a security risk already.  The ChangeLog does
mention some items worth fuzzing over.

That said, I simply wanted to claim a bug ID for this and let people
check whether the update really breaks nothing.  The list of dependants
is far too big for me to handle.

Regards,
Leo





Information forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 15:24:02 GMT)

Message #20 received at 48304 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Leo Prikler <leo.prikler <at> student.tugraz.at>
Cc: 48304 <at> debbugs.gnu.org, Maxime Devos <maximedevos <at> telenet.be>
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 9 May 2021 11:22:54 -0400
On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already.  The ChangeLog does
> mention some items worth fuzzing over.

In general, all updates are security updates. But we shouldn't / can't
update all core packages with grafts just because. Grafting is a kludge
that doesn't always work as expected (and the problems are hidden), and
it has a high I/O performance cost.

So, let's wait for a security advisory.




Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 15 May 2021 10:13:01 GMT)

Information forwarded to guix-patches <at> gnu.org:
bug#48304; Package guix-patches. (Sun, 23 May 2021 15:34:02 GMT)

Message #25 received at 48304 <at> debbugs.gnu.org:

From: Marius Bakke <marius <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>, Leo Prikler
 <leo.prikler <at> student.tugraz.at>
Cc: Maxime Devos <maximedevos <at> telenet.be>, 48304 <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 23 May 2021 17:33:05 +0200
merge 48304 48612
thanks

Leo Famulari <leo <at> famulari.name> writes:

> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already.  The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.

I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):

  https://issues.guix.gnu.org/48612

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Thu, 03 Jun 2021 03:18:02 GMT)

Notification sent to Leo Prikler <leo.prikler <at> student.tugraz.at>:
bug acknowledged by developer. (Thu, 03 Jun 2021 03:18:02 GMT)

Message #30 received at 48304-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <marius <at> gnu.org>
Cc: Maxime Devos <maximedevos <at> telenet.be>,
 Leo Prikler <leo.prikler <at> student.tugraz.at>, 48304-done <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Wed, 2 Jun 2021 23:17:40 -0400
On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
> merge 48304 48612

The merge didn't work (one bug was for 'guix', and one for
'guix-patches'), but I pushed a graft as
6d71f6a73cd27d61d3302b9658893428af6314d2

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 01 Jul 2021 11:24:05 GMT)

This bug report was last modified 2 years and 312 days ago.
