From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms1.migadu.com with LMTPS id YBZjJo6WYGZlbgEAe85BDQ:P1 (envelope-from ) for ; Wed, 05 Jun 2024 18:47:10 +0200 Received: from aspmx1.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id YBZjJo6WYGZlbgEAe85BDQ (envelope-from ) for ; Wed, 05 Jun 2024 18:47:10 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=akpjUG46; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1717606030; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=YtRoL0+zNBOxc1nOapGTKPKf8ODM32qP9yqLE33OP1M=; b=u+LYql08g8LSHWTWmi/xs3Jg1iVCUU9tAG0T720XFFphvsTMpSApfohKiKBzEZ0QRLKfYG 6SMngX6998Kviln3KO2btjwJNsFNOTEuyavMv2EsZCdV8Te7yzxrVVQ2llKzicTXwkfAcy 8GMps6HF1DdyQYprSSDKfssGNx5Cgnnj6rc0MAY8PmTyMpj0Nrus6u4myMvsfYYIVtGtXL 2XU7kh6cjSbhSbTfNXpMK3zwewmYe7L8QwivFZoqHDNRL+Dyq4dGjXQHQJ4Bn/snWwBEkD 9EMYPglD5BYHO7I9UltcqwOZzbjZ/dog36ut6DSFJ6BwXVmduxST3ywAmwBCRA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=akpjUG46; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Seal: i=1; s=key1; d=yhetil.org; t=1717606030; a=rsa-sha256; cv=none; b=U78RXgJ+OfUwVhz7eGehnRlmYiRwn/Z8jXdf+poRxh9xHpA/Sx3rdY7gKjmQ7xqEFUC9XZ gxty/impmdWkfVM35gP3nA+jdsK1eFpCe7uSnRYx3IHMwIT8xfboHin0Nc0vlgf8jXyM5A bjaU3J5OrmbctCpeSqN7HTp0Ru81PCU2gRPyfrUw/xUYT35fbje9k63QUsStmlwbiygCF5 rGLmA3c1ryadS4BdQPG7aICN5a4ZW2pZ1A/UhX+UZi6NXSFTI7/nFFYBZGjo2VLDCoThyX gLYpci2WGBkV+Ym24eZ0ks6BnCi9eqo8F+C7ObPvYvqzNUEUFOhp6k9bF3VsVw== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 799B76C3BE for ; Wed, 5 Jun 2024 18:47:10 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEtmk-0002ui-EY; Wed, 05 Jun 2024 12:46:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEtmh-0002uN-T5 for bug-guix@gnu.org; Wed, 05 Jun 2024 12:46:48 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sEtmh-0002y7-LF for bug-guix@gnu.org; Wed, 05 Jun 2024 12:46:47 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1sEtmv-0001f1-MN for bug-guix@gnu.org; Wed, 05 Jun 2024 12:47:01 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47144: security patching of 'patch' package Resent-From: Simon Tournier Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 05 Jun 2024 16:47:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47144 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Ludovic =?UTF-8?Q?Court=C3=A8s?= , Maxim Cournoyer Cc: Mark H Weaver , Leo Famulari , Vivien Kraus , 47144@debbugs.gnu.org Received: via spool by 47144-submit@debbugs.gnu.org id=B47144.17176059696030 (code B ref 47144); Wed, 05 Jun 2024 16:47:01 +0000 Received: (at 47144) by debbugs.gnu.org; 5 Jun 2024 16:46:09 +0000 Received: from localhost ([127.0.0.1]:47953 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sEtm4-0001Yy-E2 for submit@debbugs.gnu.org; Wed, 05 Jun 2024 12:46:08 -0400 Received: from mail-wm1-f52.google.com ([209.85.128.52]:39954) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sEtm2-0001Lv-5a for 47144@debbugs.gnu.org; Wed, 05 Jun 2024 12:46:06 -0400 Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-42111cf2706so73975e9.0 for <47144@debbugs.gnu.org>; Wed, 05 Jun 2024 09:45:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1717605886; x=1718210686; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YtRoL0+zNBOxc1nOapGTKPKf8ODM32qP9yqLE33OP1M=; b=akpjUG467mqjBE4gIVahgZdQBrIoHLBaqgZUHx70HFI+CXDOCZYnRU+UE7HU1pQny5 HB4HRNehTHbYMKZ5Kc/z7Mtmuf4cjqVn5yZBOpPYfpOjVkAantbfeW2XeseN/VpEHlLC a0dDGx9wR4kw7blLpTHsT5a/3TBR/AsRW9quAsXw85KR928hmLu9Wxu+1wJyFIDMOZFt UZnNTdgbM2Ty5HRqWfwYVqP/U/rmZCJfPaen5eBugVniEhEbJNsvqyaEVcO9Ob1XMfHg 9LSqIryzvxtpEiXjCanVJdDIbXgzfve3v/I0uqi5g5ZrRoT6nf99uuNrryF3ZWOo/W4X VeRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717605886; x=1718210686; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YtRoL0+zNBOxc1nOapGTKPKf8ODM32qP9yqLE33OP1M=; b=c6YtHXMOnWA7q/yrwWHRSttWwV6p7sXGu3bcC2RCTkoNhvdQ3vZ2m9KW9QbHTSPibi 9Ed++9iGkd+Dn7hSoybX/SYsV6R4PSPC4asdowdXbtIWQePq/MIQ0YO1rzIoW5Uabfft BxpQjnFWXuKM/Rktb5qP2bi2juv5zI0i2Bx+yIKlugmY8VN7gv5zyyhY4+0U+hf87mqX ee4M5r6X/ZPfIAjKghjPG0WkFM0aSsT/qDDZ09t1k0lROIdmYBpLw4qs0HBNaUB+xe0M tgnQmHH1CPu5SsKR/Xo1pw+yrhmUXgdNhG4XPeaGrdVVpaGC5OyjiB4qj/+ELyCMA5EB odng== X-Forwarded-Encrypted: i=1; AJvYcCVA1/n0YGQuRTNDbpnXB+/hbhpSl8lycnRTxl0cQj7ArwTT2DI49V7XnDKIi5lxXIBZwonGSE3h6Ut61ixnAsqF5Br4Dck= X-Gm-Message-State: AOJu0Yw7F3sD9t83jUYl0UglWyCfpoRrx4ZMH43jDSK6IZ9JE2IDYoJh Qkt92Gpw8ChJtY4M4KFGW3t7t0uTGZDddQSCGaPJW0S1cZepQHZL X-Google-Smtp-Source: AGHT+IEd41+DDzv4pGEF980HlveerWAbWLBIK3C1SVKae6KjORIsJA57Juoy7yJWcRbJZ4AP9W+t1g== X-Received: by 2002:a05:600c:35ca:b0:421:54d0:5129 with SMTP id 5b1f17b1804b1-4215635324dmr23157375e9.3.1717605886048; Wed, 05 Jun 2024 09:44:46 -0700 (PDT) Received: from lili (roam-nat-fw-prg-194-254-61-47.net.univ-paris-diderot.fr. [194.254.61.47]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4215813656asm26995305e9.36.2024.06.05.09.44.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 05 Jun 2024 09:44:45 -0700 (PDT) From: Simon Tournier In-Reply-To: <878qzj74vc.fsf_-_@gnu.org> References: <28b457771ab0e7ad87cb65600a5898f68be5074a.1717124361.git.maxim.cournoyer@gmail.com> <5eda21a09360653b198f1b0d7f52cf531dc97485.1717124361.git.maxim.cournoyer@gmail.com> <87r0dgn36w.fsf@gnu.org> <875xusln8m.fsf@gmail.com> <878qzj74vc.fsf_-_@gnu.org> Date: Wed, 05 Jun 2024 18:44:40 +0200 Message-ID: <87a5jznxtz.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: 4.16 X-Spam-Score: 4.16 X-Migadu-Queue-Id: 799B76C3BE X-Migadu-Scanner: mx13.migadu.com X-TUID: 6TlMSWSa/1UG Hi, On Wed, 05 Jun 2024 at 18:04, Ludovic Court=C3=A8s wrote: > What about renaming =E2=80=98patch=E2=80=99 to =E2=80=98patch/pinned=E2= =80=99 and having =E2=80=98patch=E2=80=99 point > to the new version? > > Internally, we=E2=80=99d refer to =E2=80=98patch/pinned=E2=80=99 in (guix= packages), but user > code etc. would refer to =E2=80=98patch=E2=80=99 and thus get the latest = version. I agree; it appears to me =E2=80=9Csafer=E2=80=9D than the graft. However, the cost is to identify which package needs =E2=80=99patch/pinned= =E2=80=99 and which needs new =E2=80=99patch=E2=80=99. Then once upstream Patch upgrades= , there is also the question to unpin all the packages. Somehow, your previous suggestion =E2=80=99patch-latest=E2=80=99 for this n= ew package appears to me the best solution. Because it does not require any update here and there, and since the source field follows the Git upstream latest instead of the released tarball, this solution of =E2=80=99patch-lat= est=E2=80=99 seems appropriated. Cheers, simon