[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].

[Leo Famulari]

> "Leo Famulari" <leo@famulari.name> writes:
> > Changing the Git package shouldn't affect fixed-output derivations that 
> > fetch from Git. If they do, that's a recent and very serious bug.

Now I have confused myself and I'm unsure. I stepped away from Guix for
a while and forgot a lot of the intimate knowledge I had on this
subject.

I checked, and this patch does change the derivation of packages
fetching from Git, although the output is identical. So, I am confused
about if this will cause >10k rebuilds or not.

Here's how I checked, first by calculating derivations and outputs on
the master branch, and then after applying the patch:

------
$ git rev-parse --abbrev-ref HEAD
master
$ git rev-parse HEAD                                 
cedf97ed6ee4eba8c39bfe6cc0efe33fcb977ccf
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv    
$ ./pre-inst-env guix build --no-grafts corefreq   
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

Apply the patch:

------
$ git checkout contrib-security-git                 
Switched to branch 'contrib-security-git'
$ git log --oneline | head -n1         
faeb52692d gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv         
$ ./pre-inst-env guix build --no-grafts corefreq   
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

The package derivation changed, but not the output.

I'm looking for guidance on how to interpret these results.