From: Tobias Geerinckx-Rice
Subject: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 21:53:01 +0100
Hi L[ée]o,

Wow, Léo. You've done some seriously impressive CVE squashing in such a short timespan, and I'm very grateful to have you on board.
Leo Famulari wrote:
> I do agree that updating this program 5 versions in a graft was perhaps too much. We should always try to cherry-pick bug-fix patches when grafting. Otherwise the risk of breakage is too high.
I agree. Whilst grafts are indispensable for timely deployment of security patches, they're also a dirty hack composed entirely of rough edges.
They exist for one purpose: patch out known vulnerabilities. Every extra change not strictly required for security is a liability.
We sometimes get away with grafting entire releases (OpenSSL comes to mind), but this is not an ideal to emulate.
> At least, these types of patches should be reviewed on guix-patches. Léo, can you send them to guix-patches in the future?
I have the same request :-) Please submit non-trivial patches for review (and, unfortunately, grafts are hardly ever trivial). This isn't a comment on your work; it's our standard way of doing things.
I know we're not the #1 bestest project when it comes to the swift review of patches. I understand the sense of urgency in fixing things that one feels should have been fixed long ago. Thank you for helping us to improve on both points.
Kind regards, T G-R
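As an added example, not code from the Guix tree or from anyone in this thread, here is the shape of a graft that follows the cherry-pick advice above: the replacement is the same release plus one fix, and nothing else. It assumes the real `zstd` package from `(gnu packages compression)`; the patch file name `zstd-cherry-picked-fix.patch` and the module name are placeholders that do not exist in Guix, and `zstd-grafted` stands in for the edit that, in the real tree, would go on `zstd` itself.

```scheme
;; Added example (not Guix's own code).  Shows how a security fix is
;; grafted onto a package without bumping its release.
;; Placeholders: the module name and "zstd-cherry-picked-fix.patch".
(define-module (example zstd-graft)
  #:use-module (guix packages)
  #:use-module (gnu packages)               ;search-patches
  #:use-module (gnu packages compression))  ;zstd

;; The replacement: identical to ZSTD except for the cherry-picked
;; patch.  'inherit' copies every field, and appending to
;; 'origin-patches' keeps any patches the original source already
;; carries, so the only difference between original and replacement is
;; the one change needed for the fix.  That is what keeps the graft
;; safe: dependents are not rebuilt against it, only their references
;; to the old store item are rewritten, so the replacement must stay
;; ABI-compatible with what those dependents were built against.
(define zstd/fixed
  (package
    (inherit zstd)
    ;; Guard against inheriting a 'replacement' field: a replacement
    ;; must never name itself (or a package that names it) as its own
    ;; replacement.
    (replacement #f)
    (source (origin
              (inherit (package-source zstd))
              (patches (append (origin-patches (package-source zstd))
                               (search-patches
                                "zstd-cherry-picked-fix.patch")))))))

;; In the real tree the 'replacement' field would be added to the
;; zstd package definition itself; it is a separate variable here only
;; so this file loads next to the unmodified one.
(define-public zstd-grafted
  (package
    (inherit zstd)
    (replacement zstd/fixed)))

;; Useful checks from a shell before sending such a change to
;; guix-patches (commands, not Scheme):
;;   guix refresh -l zstd           ; how many packages would a rebuild touch
;;   guix build --no-grafts zstd    ; the original, unpatched store item
;;   guix build zstd                ; the grafted item dependents will see
;; A version bump in the replacement (the "1.4.4 -> 1.4.9" form the
;; message warns against) would sit in the same 'replacement' slot but
;; would pull in every other change between the two releases.
```

The `guix build` pair is the quickest way to confirm that the graft applies at all and that the only delta against `--no-grafts` is the patched store item; `guix refresh -l` shows why grafting rather than a full rebuild was chosen in the first place.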