bug#47144: security patching of 'patch' package
From: Simon Tournier
Subject: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 18:44:40 +0200

Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ’patch/pinned’ and
which needs new ’patch’. Then once upstream Patch upgrades, there is
also the question of unpinning all the packages.

Somehow, your previous suggestion ’patch-latest’ for this new package
appears to me the best solution. Because it does not require any update
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ’patch-latest’
seems appropriate.

Cheers,
simon