bug#70663: nss@3.99 is really hard to build
From: Christopher Baines
Subject: bug#70663: nss@3.99 is really hard to build
Date: Tue, 14 May 2024 14:37:35 +0100
User-agent: mu4e 1.12.2; emacs 29.3
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> writes:
> Hello Christopher.
>
> Christopher Baines <mail@cbaines.net> writes:
>> Had the changes waited for longer, then these failures should have been
>> spotted by QA, I would guess that the revision might have failed to be
>> processed, and if it was processed successfully, the nss failures should
>> have shown up, so maybe we should start requiring [5] that not only are
>> changes sent to guix-patches@gnu.org, but that QA processes them (to
>> some extent) before merging?
>>
>> 5:
>> https://guix.gnu.org/manual/devel/en/html_node/Managing-Patches-and-Branches.html#
>
> Yes, though note that the nss change did provide security fixes:
>
> commit e584ff08b162c46ef587daca438e97d56bc20b32
> Author: Maxim Cournoyer <maxim.cournoyer@gmail.com>
> Date: Wed Apr 24 11:22:30 2024 -0400
>
> gnu: nss: Graft with version 3.98 [security fixes].
>
> This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
>
> * gnu/packages/nss.scm (nss) [replacement]: New field.
> (nss-3.98): Rename variable to...
> (nss/fixed): ... this. Make it a hidden package.
> * gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
> nss/fixed.
>
> Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
>
> I suppose the requirement to wait for QA should apply to security fixes
> as well?
Well, there's a risk in not testing things across multiple
machines/architectures at least. The value of getting a security fix
merged quickly is reduced if users on some architectures/systems can't
use it.

There's always going to be trade-offs, and that's fine, but the question
is more what can be done to try and improve things for the future.
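For readers unfamiliar with the mechanism the quoted commit message relies on, here is an added illustration of the Guix "graft" pattern it describes (a package with a `replacement` field pointing at a hidden, fixed variant). This is not the code from gnu/packages/nss.scm; the source URIs and hashes are placeholders, and the module name is invented for the example.

```scheme
;; Added illustration of the Guix graft pattern; not the real nss.scm.
;; Source URIs and hashes below are placeholders, not real values.
(define-module (example nss-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

;; The package that users and dependents refer to.  Its REPLACEMENT field
;; tells Guix to build dependents against this original as usual, then, as a
;; final step, rewrite their store references so they point at the fixed
;; build instead.  Dependents are not rebuilt, which is why a graft lets a
;; security fix reach users quickly without waiting for a full rebuild.
(define-public nss
  (package
    (name "nss")
    (version "3.99")
    (source (origin
              (method url-fetch)
              (uri "https://example.invalid/nss-3.99.tar.gz") ; placeholder
              (sha256 (base32 "PLACEHOLDER-BASE32-HASH"))))   ; placeholder
    (build-system gnu-build-system)
    ;; REPLACEMENT is a thunked field, so the forward reference to a
    ;; variable defined further down in the module is fine.
    (replacement nss/fixed)
    (home-page "https://example.invalid/nss")                ; placeholder
    (synopsis "Network Security Services (illustration)")
    (description "Placeholder description for the graft example.")
    (license license:mpl2.0)))

;; The replacement: same package, different source.  A graft only works if
;; the replacement is ABI-compatible with the original and has the same
;; outputs.  Because Guix rewrites store paths in place, the store file name
;; must also keep the same length: "nss-3.98" and "nss-3.99" match, whereas
;; a version like "3.98.1" would not.  HIDDEN-PACKAGE keeps this variant out
;; of `guix search' and `guix install', so users keep installing NSS and
;; receive the fix transparently.  REPLACEMENT is an innate field and is not
;; copied by INHERIT, so the replacement does not point back at itself.
(define nss/fixed
  (hidden-package
   (package
     (inherit nss)
     (version "3.98")
     (source (origin
               (method url-fetch)
               (uri "https://example.invalid/nss-3.98.tar.gz") ; placeholder
               (sha256 (base32 "PLACEHOLDER-BASE32-HASH")))))))  ; placeholder
```

The trade-off the thread discusses follows from this design: a graft is cheap to apply precisely because dependents are never rebuilt, so nothing in the normal build path exercises the replacement on each supported architecture, and a replacement that fails to build on some system is only noticed when substitutes for that system are missing.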