GNU bug report logs

#47144 security patching of 'patch' package


Message #92 received at 47144@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Simon Tournier <zimon.toutoune@gmail.com>
Subject: Re: bug#47144: security patching of 'patch' package
In-Reply-To: <87a5jznxtz.fsf@gmail.com> (Simon Tournier's message of "Wed, 05
 Jun 2024 18:44:40 +0200")
References: <28b457771ab0e7ad87cb65600a5898f68be5074a.1717124361.git.maxim.cournoyer@gmail.com>
 <5eda21a09360653b198f1b0d7f52cf531dc97485.1717124361.git.maxim.cournoyer@gmail.com>
 <87r0dgn36w.fsf@gnu.org> <875xusln8m.fsf@gmail.com>
 <878qzj74vc.fsf_-_@gnu.org> <87a5jznxtz.fsf@gmail.com>
Date: Wed, 05 Jun 2024 20:49:54 -0400
Message-ID: <87ikym3nf1.fsf@gmail.com>
Cc: Mark H Weaver <mhw@netris.org>,
 Ludovic Courtès <ludo@gnu.org>,
 Leo Famulari <leo@famulari.name>, Vivien Kraus <vivien@planete-kraus.eu>,
 47144@debbugs.gnu.org
Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’.  Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.

Indeed.  It'll be easy though to grep for 'patch/pinned', which are far
and few in between, compared to grepping for 'patch'...  I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.

-- 
Thanks,
Maxim






debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 17:09:12 2024; Machine Name: wallace-server
