bug#47144: security patching of 'patch' package
From: Ludovic Courtès
Subject: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 18:04:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13)
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
[...]
>> Unless I’m mistaken, this will have practically no effect because Patch
>> is a build-time-only dependency.
>>
>> My recommendation would be to not add a ‘replacement’ field at all.
>> Instead, you could add a new ‘patch/latest’ public variable pointing to
>> that commit that you picked. That way, users running ‘guix install
>> patch’ or similar will get the latest version of Patch.
>
> I see what you mean, but for all practical purposes, using a graft seems
> a more thorough (because it affects the original 'patch' *variable* as
> well) means that has the same effect for users, so it seems like a
> slightly better option to me.
Strictly speaking, yes, but in practice the benefits are largely
theoretical IMO, and the cost of having a graft this deep in the
dependency graph.
What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
to the new version?
Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
code etc. would refer to ‘patch’ and thus get the latest version.
Ludo’.
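The two-variable layout proposed above, sketched as an added Guix package definition (this is illustrative code written for this page, not a patch from the thread or from Guix itself; the upstream git URL, the commit id, the revision string and both hashes are placeholders/assumptions, and the tarball source of the pinned variant is abbreviated):

```scheme
;; Added sketch of Ludovic's proposal: keep the old, tarball-based release
;; under 'patch/pinned' for internal bootstrap use, and make the public
;; 'patch' variable point at the fixed upstream commit, without a graft.
(use-modules (guix packages)
             (guix download)
             (guix git-download)
             (guix build-system gnu)
             (guix licenses))

;; The previous definition, renamed.  (guix packages) and other internal
;; code would refer to this variable, so the dependency graph is unchanged.
(define-public patch/pinned
  (package
    (name "patch")
    (version "2.7.6")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/patch/patch-" version ".tar.xz"))
              (sha256 (base32 "PLACEHOLDER-release-tarball-hash"))))
    (build-system gnu-build-system)
    (home-page "https://savannah.gnu.org/projects/patch/")
    (synopsis "Apply differences to originals, with optional backups")
    (description "GNU Patch takes a patch file and applies it to originals.")
    (license gpl3+)))

;; What user code and 'guix install patch' get: the same recipe, but built
;; from the security-fixed upstream commit.  No 'replacement' field, so no
;; graft is introduced deep in the graph.
(define-public patch
  (let ((commit "PLACEHOLDER-commit-with-security-fixes")  ; assumption
        (revision "0"))                                     ; assumption
    (package
      (inherit patch/pinned)
      (version (git-version "2.7.6" revision commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://git.savannah.gnu.org/git/patch.git") ; assumed URL
                      (commit commit)))
                (file-name (git-file-name "patch" version))
                (sha256 (base32 "PLACEHOLDER-checkout-hash")))))))
```

A git checkout of Patch has no pre-generated configure script, so a real definition would also have to add the autotools (and any other bootstrap tools) to the native inputs of `patch`; that part is omitted here because the thread does not specify it.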