[PATCH] gnu: expat: Update via graft.

  • Done
  • quality assurance status badge
Details
5 participants
  • Leo Prikler
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Maxime Devos
Owner
unassigned
Submitted by
Leo Prikler
Severity
normal
L
L
Leo Prikler wrote on 9 May 2021 01:27
(address . guix-patches@gnu.org)(address . sebastian@pipping.org)
20210508232729.11557-1-leo.prikler@student.tugraz.at
* gnu/packages/xml.scm (expat-2.3.0): New variable.
(expat)[replacement]: Add it.
---
gnu/packages/xml.scm | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

Toggle diff (38 lines)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 931698a575..d8472f5fa3 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -120,6 +120,7 @@ the entire document.")
(package
(name "expat")
(version "2.2.9")
+ (replacement expat-2.3.0)
(source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
(origin
(method url-fetch)
@@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+(define-public expat-2.3.0
+ (package
+ (inherit expat)
+ (version "2.3.0")
+ (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.xz")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.xz")))
+ (sha256
+ (base32
+ "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))))
+
(define-public libebml
(package
(name "libebml")
--
2.31.1
L
L
Leo Famulari wrote on 9 May 2021 16:05
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)(address . 48304@debbugs.gnu.org)
YJfsLgjGmIf2b8VS@jasmine.lan
On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
Toggle quote (3 lines)
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.

Nitpick: It should be

(expat)[replacement]: New field.

Otherwise, looks okay assuming ABI compatibility, but we only use grafts
for security updates.
M
M
Maxime Devos wrote on 9 May 2021 16:27
(address . 48304@debbugs.gnu.org)
829778414d37d154393f014d52c17e58b72aa1ac.camel@telenet.be
Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
Toggle quote (11 lines)
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
>
> Nitpick: It should be
>
> (expat)[replacement]: New field.
>
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.

The maintainer of expat will release a 2.4.0 with security fixes soon.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYJfxSBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7t5cAP4jLEoCF/w0AWqKOFcL19cxENdb
9h3dyFlRQwsz4ppUYAD/cafSwJHIUA5MEB8RBfY/l1jMyislJMVUNYWwRlFc5QI=
=j72h
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 9 May 2021 16:32
(name . Maxime Devos)(address . maximedevos@telenet.be)
YJfyktlty0F6W2BC@jasmine.lan
On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
Toggle quote (14 lines)
> Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes soon.

Yes, I know :) I think we all received the same private email.

We can test the graft with 2.3.0 but wait until 2.4.0 to actually use
it.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmCX8pIACgkQJkb6MLrK
fwigKBAA8VcYfpllG7WDqiYjKCbCTXcIoeXpT2YkSO1Fhsc7UZHQTCgat31Th2bd
tuz9fH9T9yBMl77x3c1I4DOBh1mAWUNQYNGUWrWQY1Wl3JSLbdzgxtjtJcQCREdw
0NeTSFhtIePc+c0V7g/Fuj3xGpZs39mDcwlo/7IyP6q7Z60hvLG19QHv52yPJtqV
NS+h8f3FtSheVB530MyIp0MvoYT8GEycPppZAFS2isYsOHLHsfVqdKr42TJolrbH
PEpoBMO+j1NQkpeR943gSCXGtiDA6rdve7QDJl0/m0pt5VAUrJtoTKnSKg0qtH0U
yjSznnJjz1f1p/PMK7CfRclGJsE0nJMWzKgV6c+FflRqzHG2Z/ETst6ub1gxkOgI
DdyPPfGNci31CQg/ITX45mqA28TKRmLq9s48BsaCPz3N79OsMMj4kxX+LsiyRrrm
0hQN5lgK77mJrasOE3bmESSA0S8JigRjYvxIKkTtiezYj4SjAAXfWQaLP+UTPNkm
i4RroaPbaXdYfoktTKZPtSUnoAFbZPuXI8q59hvCgbS/woZtoTOpAjch2jAekSw1
wP6+HfBpaBfjkhlMo4dgu615D0G3NLvo/yJqYEPCTDplW4nxrf+fzcatBH4Bc3Bs
GRFNLUKAEs/BNTgwnhWr/bNFObG5RJpGlrUT1xWNHk/T10b0Q8I=
=3W4z
-----END PGP SIGNATURE-----


L
L
Leo Prikler wrote on 9 May 2021 16:37
(address . 48304@debbugs.gnu.org)
276aa14b795b9046b326e5bc0235049a5710c765.camel@student.tugraz.at
Am Sonntag, den 09.05.2021, 16:27 +0200 schrieb Maxime Devos:
Toggle quote (18 lines)
> Leo Famulari schreef op zo 09-05-2021 om 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use
> > grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes
> soon.
>
> Greetings,
> Maxime.
Indeed, the mail they dropped over at guix-devel made it seem as though
not being on 2.3.0 was a security risk already. The ChangeLog does
mention some items worth fuzzing over.

That said, I simply wanted to claim a bug ID for this and let people
check whether the update really breaks nothing. The list of dependants
is far too big for me to handle.

Regards,
Leo
L
L
Leo Famulari wrote on 9 May 2021 17:22
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)
YJf+TnQ+DenU++Mx@jasmine.lan
On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
Toggle quote (4 lines)
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already. The ChangeLog does
> mention some items worth fuzzing over.

In general, all updates are security updates. But we shouldn't / can't
update all core packages with grafts just because. Grafting is a kludge
that doesn't always work as expected (and the problems are hidden), and
it has a high I/O performance cost.

So, let's wait for a security advisory.
L
L
Ludovic Courtès wrote on 15 May 2021 12:12
control message for bug #48304
(address . control@debbugs.gnu.org)
87cztsl301.fsf@gnu.org
tags 48304 + security
quit
M
M
Marius Bakke wrote on 23 May 2021 17:33
Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
871r9xqxce.fsf@gnu.org
merge 48304 48612
thanks

Leo Famulari <leo@famulari.name> skriver:

Toggle quote (12 lines)
> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already. The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.

I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):

-----BEGIN PGP SIGNATURE-----

iIUEARYKAC0WIQRNTknu3zbaMQ2ddzTocYulkRQQdwUCYKp1sQ8cbWFyaXVzQGdu
dS5vcmcACgkQ6HGLpZEUEHe8oAD/e+0e6g1Wvp+wcZ9dDv1CMtr0CIDekMTfBBou
PsAScIMA/2vmC+4Bw9wGrZ7z52fr+kjvNvIFGCTkvSYBaVvOXmoC
=dihy
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 3 Jun 2021 05:17
(name . Marius Bakke)(address . marius@gnu.org)
YLhJ1Dee1in8cDN7@jasmine.lan
On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
Toggle quote (2 lines)
> merge 48304 48612

The merge didn't work (one bug was for 'guix', and one for
'guix-patches'), but I pushed a graft as
6d71f6a73cd27d61d3302b9658893428af6314d2
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmC4SdQACgkQJkb6MLrK
fwizLBAAwqKDw/uFawB3km99bSTNzP0eCPB0+dPJ733qu3Nh6e6sk7VVRJ5514Ie
V6yT9x+/51EsaPVcd0kgYpM53T483JuGYXnMwASR3o+PJkLayS0/S7f73IbENsFe
QqPruuRIiZAFmIJPqpMfDdBJK9aOEpGdUA16gmsHs9DIyF+2i+cseH+88w1oeOz2
ndkGFGpFQiF9gMuPKevDIbTF61GtkvP+vpWIhSeUNw7FWP1eFrLAxJliOmZbp8YM
lVdtGhKQfDZ2laJlhlzuTcGvPMJBELMSknywlFYnna7vSPzM1EIbhD/IEmUEjx6R
QX2Puw3+itknFrWNc9Wt4tI/SDHydYmEQy+6PIc8rnu7uFn2b84dC1d1MW2kzJl4
7tLMqpb2JxOa9j0g6QSnE/p9jkUwKJq9MbFBcGOYCIa2q43O6pICkx5U1X/f7A2G
5Fyctk8kTUEK8rBD3fvczi8zBVzyIErOHOxrXiXqQR/m8I/iYF8v+N2MZ5vobufz
wRF/i/aI6G7fEEuq2xbBmPcFNeNU4EaLuVyyA0W/dZVONyzxikMRsE2FIM0RmtW3
fM6V7NllT1MxbkzkRSflgL1jlWg9MAHipFuq+GMF8Xp21OQOJV5DDZQFXiCviym0
dYFUCPGbWLb5VYN5SIPVmIvE9yMjT631Nv/tN2VO5jNEa+NTmw8=
=O9C7
-----END PGP SIGNATURE-----


Closed
?