GNU bug report logs

#48304 [PATCH] gnu: expat: Update via graft.

Package	Source(s)		Maintainer(s)
guix-patches		PTS Buildd Popcon

Reported by Leo Prikler <leo.prikler@student.tugraz.at>
Date 2021-05-08T23:29:01
Severity normal
Tags patch security
Done Leo Famulari <leo@famulari.name>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sat, 08 May 2021 23:29:01 GMT) (full text, mbox, link).

Acknowledgement sent to Leo Prikler <leo.prikler@student.tugraz.at>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Sat, 08 May 2021 23:29:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

* gnu/packages/xml.scm (expat-2.3.0): New variable.
(expat)[replacement]: Add it.
---
 gnu/packages/xml.scm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 931698a575..d8472f5fa3 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -120,6 +120,7 @@ the entire document.")
   (package
     (name "expat")
     (version "2.2.9")
+    (replacement expat-2.3.0)
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
@@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+(define-public expat-2.3.0
+  (package
+    (inherit expat)
+    (version "2.3.0")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))))
+
 (define-public libebml
   (package
     (name "libebml")
-- 
2.31.1

Information forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:06:01 GMT) (full text, mbox, link).

Message #8 received at 48304@debbugs.gnu.org (full text, mbox, reply):

On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.

Nitpick: It should be

(expat)[replacement]: New field.

Otherwise, looks okay assuming ABI compatibility, but we only use grafts
for security updates.

Information forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:28:02 GMT) (full text, mbox, link).

Message #11 received at 48304@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
> 
> Nitpick: It should be
> 
> (expat)[replacement]: New field.
> 
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.

The maintainer of expat will release a 2.4.0 with security fixes soon.

Greetings,
Maxime.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:33:01 GMT) (full text, mbox, link).

Message #14 received at 48304@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
> Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> > 
> > Nitpick: It should be
> > 
> > (expat)[replacement]: New field.
> > 
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
> 
> The maintainer of expat will release a 2.4.0 with security fixes soon.

Yes, I know :) I think we all received the same private email.

We can test the graft with 2.3.0 but wait until 2.4.0 to actually use
it.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 14:38:01 GMT) (full text, mbox, link).

Message #17 received at 48304@debbugs.gnu.org (full text, mbox, reply):

Am Sonntag, den 09.05.2021, 16:27 +0200 schrieb Maxime Devos:
> Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> > 
> > Nitpick: It should be
> > 
> > (expat)[replacement]: New field.
> > 
> > Otherwise, looks okay assuming ABI compatibility, but we only use
> > grafts
> > for security updates.
> 
> The maintainer of expat will release a 2.4.0 with security fixes
> soon.
> 
> Greetings,
> Maxime.
Indeed, the mail they dropped over at guix-devel made it seem as though
not being on 2.3.0 was a security risk already.  The ChangeLog does
mention some items worth fuzzing over.

That said, I simply wanted to claim a bug ID for this and let people
check whether the update really breaks nothing.  The list of dependants
is far too big for me to handle.

Regards,
Leo

Information forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sun, 09 May 2021 15:24:02 GMT) (full text, mbox, link).

Message #20 received at 48304@debbugs.gnu.org (full text, mbox, reply):

On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already.  The ChangeLog does
> mention some items worth fuzzing over.

In general, all updates are security updates. But we shouldn't / can't
update all core packages with grafts just because. Grafting is a kludge
that doesn't always work as expected (and the problems are hidden), and
it has a high I/O performance cost.

So, let's wait for a security advisory.

Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Sat, 15 May 2021 10:13:01 GMT) (full text, mbox, link).

Information forwarded to guix-patches@gnu.org:
bug#48304; Package guix-patches. (Sun, 23 May 2021 15:34:02 GMT) (full text, mbox, link).

Message #25 received at 48304@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

merge 48304 48612
thanks

Leo Famulari <leo@famulari.name> skriver:

> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already.  The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.

I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):

  https://issues.guix.gnu.org/48612

[signature.asc (application/pgp-signature, inline)]

Reply sent to Leo Famulari <leo@famulari.name>:
You have taken responsibility. (Thu, 03 Jun 2021 03:18:02 GMT) (full text, mbox, link).

Notification sent to Leo Prikler <leo.prikler@student.tugraz.at>:
bug acknowledged by developer. (Thu, 03 Jun 2021 03:18:02 GMT) (full text, mbox, link).

Message #30 received at 48304-done@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
> merge 48304 48612

The merge didn't work (one bug was for 'guix', and one for
'guix-patches'), but I pushed a graft as
6d71f6a73cd27d61d3302b9658893428af6314d2

[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Thu, 01 Jul 2021 11:24:05 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:06:56 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.