bug#47144: security patching of 'patch' package
From: Maxim Cournoyer
Subject: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 20:49:54 -0400
User-agent: Gnus/5.13 (Gnus v5.13)
Hi Simon,
Simon Tournier <zimon.toutoune@gmail.com> writes:
> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’. Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.
Indeed. It'll be easy though to grep for 'patch/pinned', which are far
and few in between, compared to grepping for 'patch'... I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.
--
Thanks,
Maxim
bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes]., Simon Tournier, 2024/06/04