From: Leo Famulari
Subject: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
Date: Sun, 5 Mar 2023 14:30:45 -0500
> "Leo Famulari" <leo@famulari.name> writes:
> > Changing the Git package shouldn't affect fixed-output derivations that
> > fetch from Git. If they do, that's a recent and very serious bug.
Now I have confused myself and I'm unsure. I stepped away from Guix for
a while and forgot a lot of the intimate knowledge I had on this
subject.
I checked, and this patch does change the derivation of packages
fetching from Git, although the output is identical. So, I am confused
about whether this will cause >10k rebuilds or not.
Here's how I checked, first by calculating derivations and outputs on
the master branch, and then after applying the patch:
------
$ git rev-parse --abbrev-ref HEAD
master
$ git rev-parse HEAD
cedf97ed6ee4eba8c39bfe6cc0efe33fcb977ccf
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv
$ ./pre-inst-env guix build --no-grafts corefreq
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------
Apply the patch:
------
$ git checkout contrib-security-git
Switched to branch 'contrib-security-git'
$ git log --oneline | head -n1
faeb52692d gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv
$ ./pre-inst-env guix build --no-grafts corefreq
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------
The package derivation changed, but not the output.
I'm looking for guidance on how to interpret these results.
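An added script (not part of the bug report) that automates the before/after check above: it parses the `/gnu/store/<hash>-<name>` lines printed by `guix build -d` and `guix build` and reports whether the .drv, the outputs, or both changed. The sample strings are the paths captured in the message; `guix_paths()` is an assumed wrapper around the same `./pre-inst-env guix build --no-grafts` commands and only works inside a Guix checkout.

```python
import re
import subprocess

# `guix build` prints one store path per line: /gnu/store/<32-char hash>-<name>
STORE_PATH = re.compile(r"^/gnu/store/([0-9a-z]{32})-(.+)$")

# Paths captured in the message: master branch vs. the patched branch.
MASTER_DRV = "/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv\n"
MASTER_OUT = ("/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module\n"
              "/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2\n")
PATCHED_DRV = "/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv\n"
PATCHED_OUT = MASTER_OUT  # identical output paths, as shown in the message


def parse_store_paths(text):
    """Map <name> -> <hash> for every store path line in `guix build` output."""
    paths = {}
    for line in text.splitlines():
        m = STORE_PATH.match(line.strip())
        if m:
            paths[m.group(2)] = m.group(1)
    return paths


def guix_paths(package):
    """Assumed helper: run the two commands from the message on the current
    checkout and return (derivations, outputs) as parsed dicts."""
    base = ["./pre-inst-env", "guix", "build", "--no-grafts", package]
    drv = subprocess.run(base + ["-d"], check=True, capture_output=True, text=True)
    out = subprocess.run(base, check=True, capture_output=True, text=True)
    return parse_store_paths(drv.stdout), parse_store_paths(out.stdout)


def classify(before_drv, before_out, after_drv, after_out):
    """Summarise what moved between two checkouts of the same package."""
    drv_changed = before_drv != after_drv
    out_changed = before_out != after_out
    if not drv_changed and not out_changed:
        return "unchanged"
    if drv_changed and not out_changed:
        # Same output paths: existing store items and substitutes still apply.
        return "derivation-only"
    # Output paths differ: anything depending on them gets rebuilt.
    return "output-changed"


if __name__ == "__main__":
    print(classify(parse_store_paths(MASTER_DRV), parse_store_paths(MASTER_OUT),
                   parse_store_paths(PATCHED_DRV), parse_store_paths(PATCHED_OUT)))
```

Run `guix_paths("corefreq")` on each branch and feed the two results to `classify()` to reproduce the comparison without copying paths by hand.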