GNU bug report logs

#47144 security patching of 'patch' package


Message #83 received at 47144@debbugs.gnu.org:

From: Simon Tournier <zimon.toutoune@gmail.com>
To: Ludovic Courtès <ludo@gnu.org>, Maxim Cournoyer
 <maxim.cournoyer@gmail.com>
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 18:44:40 +0200
Cc: Mark H Weaver <mhw@netris.org>, Leo Famulari <leo@famulari.name>,
 Vivien Kraus <vivien@planete-kraus.eu>, 47144@debbugs.gnu.org

Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:

> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ‘patch/pinned’ and
which needs new ‘patch’.  Then once upstream Patch upgrades, there is
also the question to unpin all the packages.

Somehow, your previous suggestion ‘patch-latest’ for this new package
appears to me the best solution.  Because it does not require any update
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ‘patch-latest’
seems appropriate.

Cheers,
simon



