From: Leo Famulari
Subject: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
Date: Sat, 04 Mar 2023 09:41:08 -0500
User-agent: Cyrus-JMAP/3.9.0-alpha0-183-gbf7d00f500-fm-20230220.001-gbf7d00f5

On Sat, Mar 4, 2023, at 05:30, Josselin Poiret wrote:
> Hi Leo,
>
> Leo Famulari <leo@famulari.name> writes:
>
>> That's not a significant number of packages.
>>
>> Overall, git and git-minimal will cause more than 300 rebuilds, but not
>> too many for the current state of the build farm.
>>
>> Concretely, why can't we push this to master immediately?
>
> `guix refresh` is not great for core packages: it only detects things
> that depend on other packages through inputs. Here though, git is used
> indirectly by git-fetch origins, and would affect the dependency graph a
> lot more.  I think this should be grafted to avoid too many rebuilds,
> and ungrafted on core-updates (maybe now, maybe after the big
> core-updates merge).

Changing the Git package shouldn't affect fixed-output derivations that fetch 
from Git. If they do, that's a recent and very serious bug.

Git is a security critical package that we've always updated freely.

I'm AFK, only have my phone today. But, please try updating Git and check if
the fixed-output source derivations change.

Leo
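The check Leo asks for at the end of the message, as an added shell example that is not part of this thread or of Guix itself: record the source store path of each package of interest (the output of its fixed-output derivation, which is what downstream derivations reference) before the Git update, record it again afterwards, and compare the two listings. It assumes a Guix checkout where `guix build --source PKG` prints that store path; the package names and store paths used in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from Guix itself.
# Records the source store path of each given package (the output of its
# fixed-output derivation) so that a listing taken before the Git update
# can be compared with one taken after it.
# Assumption: `guix build --source PKG` prints that store path.

# record_sources PKG... : writes "PKG<TAB>/gnu/store/..." lines to stdout.
record_sources() {
    for pkg in "$@"; do
        path=$(guix build --source "$pkg") || return 1
        printf '%s\t%s\n' "$pkg" "$path"
    done
}

# compare_sources BEFORE AFTER : prints each package whose source path
# differs between the two listings, or is missing from AFTER.
# Returns 0 when nothing changed, 1 otherwise.
compare_sources() {
    before=$1
    after=$2
    changed=0
    tab=$(printf '\t')
    while IFS="$tab" read -r pkg old; do
        new=$(awk -F'\t' -v p="$pkg" '$1 == p { print $2 }' "$after")
        if [ -z "$new" ]; then
            printf 'missing after update: %s\n' "$pkg"
            changed=1
        elif [ "$new" != "$old" ]; then
            printf 'changed: %s\n  before: %s\n  after:  %s\n' "$pkg" "$old" "$new"
            changed=1
        fi
    done < "$before"
    return "$changed"
}
```

Run `record_sources PKG... > before.tsv` on the tree without the patch, apply the Git update, run it again into `after.tsv`, and then `compare_sources before.tsv after.tsv`. Git's own source path is expected to change with its version; any git-fetch package whose path also changes is evidence for the rebuild concern raised earlier in the thread, and an empty report supports the view that fixed-output sources are unaffected.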
