GNU bug report logs -
#48304
[PATCH] gnu: expat: Update via graft.
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 48304 in the body.
You can then email your comments to 48304 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sat, 08 May 2021 23:29:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Prikler <leo.prikler <at> student.tugraz.at>
:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org
.
(Sat, 08 May 2021 23:29:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/xml.scm (expat-2.3.0): New variable.
(expat)[replacement]: Add it.
---
gnu/packages/xml.scm | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 931698a575..d8472f5fa3 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -120,6 +120,7 @@ the entire document.")
(package
(name "expat")
(version "2.2.9")
+ (replacement expat-2.3.0)
(source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
(origin
(method url-fetch)
@@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+(define-public expat-2.3.0
+ (package
+ (inherit expat)
+ (version "2.3.0")
+ (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.xz")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.xz")))
+ (sha256
+ (base32
+ "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))))
+
(define-public libebml
(package
(name "libebml")
--
2.31.1
Information forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sun, 09 May 2021 14:06:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 48304 <at> debbugs.gnu.org (full text, mbox):
On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.
Nitpick: It should be
(expat)[replacement]: New field.
Otherwise, looks okay assuming ABI compatibility, but we only use grafts
for security updates.
Information forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sun, 09 May 2021 14:28:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 48304 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
>
> Nitpick: It should be
>
> (expat)[replacement]: New field.
>
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.
The maintainer of expat will release a 2.4.0 with security fixes soon.
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sun, 09 May 2021 14:33:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 48304 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
> Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes soon.
Yes, I know :) I think we all received the same private email.
We can test the graft with 2.3.0 but wait until 2.4.0 to actually use
it.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sun, 09 May 2021 14:38:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 48304 <at> debbugs.gnu.org (full text, mbox):
Am Sonntag, den 09.05.2021, 16:27 +0200 schrieb Maxime Devos:
> Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use
> > grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes
> soon.
>
> Greetings,
> Maxime.
Indeed, the mail they dropped over at guix-devel made it seem as though
not being on 2.3.0 was a security risk already. The ChangeLog does
mention some items worth fuzzing over.
That said, I simply wanted to claim a bug ID for this and let people
check whether the update really breaks nothing. The list of dependants
is far too big for me to handle.
Regards,
Leo
Information forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sun, 09 May 2021 15:24:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 48304 <at> debbugs.gnu.org (full text, mbox):
On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already. The ChangeLog does
> mention some items worth fuzzing over.
In general, all updates are security updates. But we shouldn't / can't
update all core packages with grafts just because. Grafting is a kludge
that doesn't always work as expected (and the problems are hidden), and
it has a high I/O performance cost.
So, let's wait for a security advisory.
Added tag(s) security.
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Sat, 15 May 2021 10:13:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org
:
bug#48304
; Package
guix-patches
.
(Sun, 23 May 2021 15:34:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 48304 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
merge 48304 48612
thanks
Leo Famulari <leo <at> famulari.name> skriver:
> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already. The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.
I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):
https://issues.guix.gnu.org/48612
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Leo Famulari <leo <at> famulari.name>
:
You have taken responsibility.
(Thu, 03 Jun 2021 03:18:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Prikler <leo.prikler <at> student.tugraz.at>
:
bug acknowledged by developer.
(Thu, 03 Jun 2021 03:18:02 GMT)
Full text and
rfc822 format available.
Message #30 received at 48304-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
> merge 48304 48612
The merge didn't work (one bug was for 'guix', and one for
'guix-patches'), but I pushed a graft as
6d71f6a73cd27d61d3302b9658893428af6314d2
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Thu, 01 Jul 2021 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 312 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.