
Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?


From: Tobias Geerinckx-Rice
Subject: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 21:53:01 +0100

Hi L[ée]o,

Wow, Léo. You've done some seriously impressive CVE squashing in such a short timespan, and I'm very grateful to have you on board.

Leo Famulari wrote:
> I do agree that updating this program 5 versions in a graft was perhaps
> too much.
>
> We should always try to cherry-pick bug-fix patches when grafting.
> Otherwise the risk of breakage is too high.

I agree. Whilst grafts are indispensable for timely deployment of security patches, they're also a dirty hack composed entirely of rough edges.

They exist for one purpose: patch out known vulnerabilities. Every extra change not strictly required for security is a liability.

We sometimes get away with grafting entire releases (OpenSSL comes to mind), but this is not an ideal to emulate.

> At least, these types of patches should be reviewed on guix-patches.
> Léo, can you send them to guix-patches in the future?

I have the same request :-) Please submit non-trivial patches for review (and, unfortunately, grafts are hardly ever trivial). This isn't a comment on your work; it's our standard way of doing things.

I know we're not the #1 bestest project when it comes to the swift review of patches. I understand the sense of urgency in fixing things that one feels should have been fixed long ago. Thank you for helping us to improve on both points.

Kind regards,

T G-R
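As an added illustration of the practice discussed above (not code from this thread or from the Guix tree), here is how a minimal graft for a package like zstd is written so that it cherry-picks a single bug-fix patch onto the version already in the tree, rather than bumping to a new release; the patch file name is a placeholder, and the hash, URL and other fields are deliberately elided.

```scheme
;; Added example: a Guix-style graft that backports one fix.
;; The package definition is abridged; only the graft-relevant
;; fields are shown.  The patch file name is a placeholder.

(define-public zstd
  (package
    (name "zstd")
    (version "1.4.4")
    (source (origin
              (method url-fetch)
              (uri "https://example.invalid/zstd-1.4.4.tar.gz") ; placeholder
              (sha256 (base32 "0000000000000000000000000000000000000000000000000000")))) ; placeholder
    (build-system gnu-build-system)
    ;; The graft: every package depending on zstd keeps its own
    ;; derivation, but at install time references to this output
    ;; are rewritten to point at zstd/fixed instead.
    (replacement zstd/fixed)
    (home-page "https://facebook.github.io/zstd/")
    (synopsis "Zstandard real-time compression algorithm")
    (description "Placeholder description.")
    (license #f)))

;; The replacement inherits everything (same name, same version,
;; same build) and changes only the source by applying the
;; cherry-picked fix.  Keeping name and version identical also keeps
;; the store file name the same length, which grafting requires.
(define zstd/fixed
  (package
    (inherit zstd)
    (source (origin
              (inherit (package-source zstd))
              ;; Placeholder: the upstream bug-fix commit, exported as a
              ;; patch and added to the tree's patch directory.
              (patches (search-patches "zstd-PLACEHOLDER-fix.patch"))))))
```

The contrast with the version-bump approach is that nothing but the patched source differs between the two definitions, so the rewritten references point at a library with the same ABI and behaviour apart from the fix itself.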
