[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#71729: Emacs 29.4 emergency bugfix release
From: |
Adam Porter |
Subject: |
bug#71729: Emacs 29.4 emergency bugfix release |
Date: |
Thu, 27 Jun 2024 08:57:20 -0500 |
User-agent: |
Mozilla Thunderbird |
Hi Liliana,
On 6/23/24 03:39, Liliana Marie Prikler wrote:
Am Samstag, dem 22.06.2024 um 19:52 -0500 schrieb Adam Porter:
Hello,
Today an emergency bugfix release was made of Emacs v29.4. It fixes
an important security vulnerability.
Note: Security bugs should go to guix-security instead. But thanks for
pointing out the new Emacs release, I've pushed an update. (Thus
marking this done)
Thanks.
If I may ask here, as it seems relevant and might help other users in
the future:
A few minutes ago I ran "guix pull", but after it finished, "guix show
emacs" still shows:
name: emacs
version: 29.3
Am I missing something? e.g. the equivalents in Debian, like "apt show
emacs" or "apt policy emacs", show both installed and available versions.
So as a user, how am I to know whether I'm using the latest version of a
package? I also tried "guix upgrade -n" (which updates substitute lists
from the network, which can significantly delay its finishing for a
simple check like this), and it shows:
The following packages would be upgraded:
emacs (dependencies or package changed)
But maybe that's affected by the workaround I'm using (see below).
FWIW, I had hoped that I could install it by running:
guix install --with-version=emacs=29.4 emacs
But that fails the validate-comp-integrity phase, showing that all of
its tests fail, with every function being loaded in byte-compiled
form instead of native-compiled.
Ah, yes, that is not something you can do with --with-version, as it
disregards our patches and everything.
Ah, I wish I had known that. FWIW, looking at
<https://guix.gnu.org/manual/en/html_node/Package-Transformation-Options.html>,
I can't even find "--with-version" documented at all. But besides that,
none of them seem to explain that such options may discard parts of the
package definition, such as patches (if any of those other options
do--is it only "--with-version" that does?). Does a documentation bug
need to be filed about this?
As for how to work around this, you can do a more elaborate package
definition:
(package
(inherit emacs)
(version NEW_VERSION)
(source (origin (inherit (package-source emacs))
(uri NEW_URI))))
This should automatically apply our patches. Or, you can locally run
`guix refresh -u emacs'.
Thanks for the pointer. I defined a package called "emacs-jit" (and a
corresponding "emacs-minimal-jit") that comments out the JIT-disabling
patches, so that I can still JIT-compile packages installed through
Emacs, and it seems to be working fine.
Would you be willing to accept some kind of package definition like that
being added to Guix, as an alternative to the main "emacs" package? (I
won't quibble over the name.) I think that there are a significant
number of users who would like to use Guix to keep Emacs up-to-date
without sacrificing the ability to native-compile packages installed
from within Emacs. It would be nice to have this in Guix so that I
wouldn't have to manually update the package definition according to
upstream changes.
Thanks,
Adam