guix-devel

Re: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2


From: Leo Famulari
Subject: Re: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2
Date: Wed, 24 Mar 2021 00:12:38 -0400

On Tue, Mar 23, 2021 at 07:05:42PM -0400, Mark H Weaver wrote:
> Also, I'm not sure why you qualify your suggestion with "in this case".
> What is it that distinguishes ImageMagick from, e.g. glib, for purposes
> of this question?  Would it be any less bad for "guix install glib" to
> install a glib with security flaws?

I forgot the reason that end-user applications should have public
replacements, and why it's less important for the replacements of
libraries to be public.

It's about the Guix user interface, that is, `guix show` and `guix
search`.

`guix show gnutls` won't show a meaningful result for a gnutls/fixed
replacement that cherry-picks some patches. Everything is the same about
the replacement package, except some very narrow bug fixing.

But `guix show imagemagick` will show the new version, available as a
replacement, in its results, and users should see it in the UI.

> It would be good to reach agreement on whether replacement packages
> should be made public.  I haven't thought much about it, so I don't know
> what the relevant issues are.

Based on those examples, I'd suggest that replacements that update the
package's version should be public.

It's been suggested before that all the package variables should be
publicly exported, but using the hidden-package procedure. I don't
remember the exact reason.

Sorry for the unreliable communication!


