unofficial mirror of bug-guix@gnu.org 
* bug#46194: Doas vulnerability CVE-2019-25016
@ 2021-01-30 20:51 Leo Famulari
  2021-01-31 19:41 ` bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1 Brice Waegeneire
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2021-01-30 20:51 UTC (permalink / raw)
  To: 46194

Our package of doas is apparently vulnerable to CVE-2019-25016:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016





* bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.
  2021-01-30 20:51 bug#46194: Doas vulnerability CVE-2019-25016 Leo Famulari
@ 2021-01-31 19:41 ` Brice Waegeneire
  2021-01-31 20:16   ` Leo Famulari
  2021-01-31 20:35   ` me--- via Bug reports for GNU Guix
  0 siblings, 2 replies; 4+ messages in thread
From: Brice Waegeneire @ 2021-01-31 19:41 UTC (permalink / raw)
  To: 46194

* gnu/packages/admin.scm (opendoas): Update to 6.8.1.

Fixes #46194.
---
As there isn't any service for this package (I'm working on it), it's quite
useless and there isn't any package depending on it.  I guess very few
people, if any, are using it so I see no need for grafting here.

 gnu/packages/admin.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 538e8d3eb4..1ddbea7a02 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1512,7 +1512,7 @@ commands and their arguments.")
 (define-public opendoas
   (package
     (name "opendoas")
-    (version "6.8")
+    (version "6.8.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
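Review bot: the commit message above the diff records only "Fixes #46194" and the bug it closes is CVE-2019-25016, so name the CVE in the commit message (or a "[security fixes]" marker) so the fix can be found by identifier rather than only by bug number. The justification for not grafting, "I guess very few people, if any, are using it", is a guess; the criterion is the dependent count, so replace it with the actual output of `guix refresh -l opendoas`, which the follow-up in this thread shows is "No dependents other than itself".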
@@ -1521,7 +1521,7 @@ commands and their arguments.")
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1dlwnvy8r6slxcy260gfkximp1ms510wdslpfq9y6xvd2qi5izcb"))))
+                "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
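Review bot: the `commit` field of the git-reference lies in the lines elided between the two hunks, so confirm it is derived from `version` (for example `(commit version)`) rather than a pinned tag or commit string; if it is pinned, the new sha256 on the `+` line will not match the checkout the builder fetches and the build fails at source verification. The cover letter should also say how the new base32 hash was obtained (a successful `guix build opendoas`, or `guix hash -rx` on a checkout of the 6.8.1 tag), since a bare hash bump cannot otherwise be checked in review.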
-- 
2.29.2






* bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.
  2021-01-31 19:41 ` bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1 Brice Waegeneire
@ 2021-01-31 20:16   ` Leo Famulari
  2021-01-31 20:35   ` me--- via Bug reports for GNU Guix
  1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2021-01-31 20:16 UTC (permalink / raw)
  To: Brice Waegeneire; +Cc: 46194-done

On Sun, Jan 31, 2021 at 08:41:07PM +0100, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.
> 
> Fixes #46194.
> ---
> As there isn't any service for this package (I'm working on it), it's quite
> useless and there isn't any package depending on it.  I guess very few
> people, if any, are using it so I see no need for grafting here.

Thanks! I pushed as 9c8156507abeb15f6d3816800c077fd99f861e3d

The question of "should it be grafted" depends on how many packages
depend on it:

$ guix refresh -l opendoas
No dependents other than itself: opendoas@6.8

If `guix refresh` reports that more than 300 packages will be rebuilt,
security updates should use grafts, as specified in the manual section
Submitting Patches:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html

We don't want to wait for a 'staging' or 'core-updates' cycle for
security updates, so grafts let us cheat and push things directly to
master, without requiring expensive recompilation of dependent packages.

I know you could have pushed this yourself, although I did it on your
behalf. Now that we've clarified the use case of grafts, please feel
free to push things like this without review :)

The manual section Commit Access offers some guidelines:

"For patches that just add a new package, and a simple one, it’s OK to
commit, if you’re confident (which means you successfully built it in a
chroot setup, and have done a reasonable copyright and license
auditing). Likewise for package upgrades, except upgrades that trigger a
lot of rebuilds (for example, upgrading GnuTLS or GLib)."
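
What the same update would look like as a graft, had `guix refresh -l` reported enough dependents to make a plain version bump too expensive. This is an added illustration, not code from the Guix tree or from this patch; it uses the `replacement` field described in the manual section Security Updates. The release tag name "6.8.1" is an assumption (the git-reference `commit` field is not shown in the hunk), the repository URL is inherited rather than restated because the patch does not show it, and the sha256 is the one on the patch's `+` line.

```scheme
;; Added example, not code from the Guix tree or from this patch: the
;; same fix expressed as a graft, which is the form the reply above asks
;; for when `guix refresh -l' shows more than ~300 dependents.  Assumes
;; the gnu/packages/admin.scm module context ((guix packages),
;; (guix git-download), ...) and that upstream tags the release "6.8.1".

;; Step 1: leave opendoas at 6.8 and add one field to the existing
;; definition.  `replacement' is thunked, so the forward reference to
;; opendoas/fixed (defined below) is fine:
;;
;;   (define-public opendoas
;;     (package
;;       (name "opendoas")
;;       (version "6.8")
;;       (replacement opendoas/fixed)
;;       ;; all other fields exactly as before
;;       ))

;; Step 2: the replacement inherits everything from opendoas except the
;; version and the source, so its build recipe and output layout are
;; identical and it can be swapped in for 6.8 without rebuilding any
;; dependent.
(define opendoas/fixed
  (package
    (inherit opendoas)
    (version "6.8.1")
    (source (origin
              (inherit (package-source opendoas))
              (uri (git-reference
                    ;; URL not shown in the patch; reuse the 6.8 one.
                    (inherit (origin-uri (package-source opendoas)))
                    (commit "6.8.1")))          ; assumed tag name
              (file-name (git-file-name "opendoas" "6.8.1"))
              ;; Hash taken from the `+' line of the patch above.
              (sha256
               (base32
                "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p"))))))
```

With the `replacement` field in place, `guix build opendoas` still builds the 6.8 derivation, but anything that installs it gets the 6.8.1 output grafted in; `guix build --no-grafts opendoas` shows the ungrafted result. Grafting only rewrites store references, so the replacement must have the same output file layout as the original, which is why it inherits every field except the version and source.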





* bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.
  2021-01-31 19:41 ` bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1 Brice Waegeneire
  2021-01-31 20:16   ` Leo Famulari
@ 2021-01-31 20:35   ` me--- via Bug reports for GNU Guix
  1 sibling, 0 replies; 4+ messages in thread
From: me--- via Bug reports for GNU Guix @ 2021-01-31 20:35 UTC (permalink / raw)
  To: Brice Waegeneire; +Cc: 46194

Brice,

On 2021-01-31 20:41, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.

Thanks for the prompt security bump!  The number of CVE fixes I've 
pushed for sudo the past year has made me reconsider its use in favour 
of this package.

> As there isn't any service for this package (I'm working on it), it's quite
> useless

Services are nice to have but always optional: I doubt there's a package 
in Guix that is 'useless' or unused because it lacks a service.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.





Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
