[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].

[Christopher Baines]

Leo Famulari <leo@famulari.name> writes:

> On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
>> I get 546 dependent packages for git + git-minimal which need to be
>> re-built.  And some are really expensive -- that what I meant by "a
>> lot of rebuilds". :-)
>>
>> Well, I do not know if there is an issue with QA or it is just really
>> expensive but the process is still pending, if I read correctly
>> <https://qa.guix.gnu.org/issue/61583>.
>
> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.

Currently the limit is 200 builds per system.

https://git.cbaines.net/guix/qa-frontpage/tree/guix-qa-frontpage/manage-builds.scm#n99

> Aside: Chris, I'd be happy to add a FAQ page to the QA server that
> answers this type of question. Let me know if I've missed that one
> already exists.

Contributions are very welcome, there's no documentation yet.

>> > Concretely, why can't we push this to master immediately?
>>
>> Somehow the guarantee that none of these 546 would not be broken by
>> the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.

The backlog of revisions to be processed by data.qa.guix.gnu.org is
being processed faster now, so hopefully the impact of this change will
be visible there shortly.

signature.asc
Description: PGP signature