unofficial mirror of bug-guix@gnu.org 
From: "Ludovic Courtès" <ludo@gnu.org>
To: chaosmonk <chaosmonk@riseup.net>
Cc: 43075@debbugs.gnu.org
Subject: bug#43075: Prioritize providing substitutes for security-critical packages with potentially long build times
Date: Thu, 10 Sep 2020 10:00:00 +0200
Message-ID: <87bliejc3j.fsf@gnu.org>
In-Reply-To: <2WPQFQ.3JQYOGZG7WXZ@riseup.net> (chaosmonk@riseup.net's message of "Thu, 27 Aug 2020 13:50:26 -0700")

Hi,

chaosmonk <chaosmonk@riseup.net> wrote:

> ungoogled-chromium receives frequent security updates, so it is
> important for users to keep it up-to-date.  However, binary
> substitutes for the latest version are usually not available, and it
> can take a very long time to build from source, possibly multiple
> days on low-end hardware.  This might tempt or force some users to put
> off upgrading the package and run an older, vulnerable version until a
> binary substitute is available or they have a chance to set aside the
> uptime needed to build from source.
>
> I don't know what Guix's CI system looks like or how packages are
> queued for building, but if there is a way to prioritize builds for
> certain packages, I propose that substitutes for packages like
> ungoogled-chromium should be built as soon as possible once there is a
> new version.  Other security-critical packages with potentially long
> build times that come to mind are icecat and linux-libre.

Thanks for your feedback.  Our build farm has often been lagging behind
lately and that’s something we’ve been working on.  The
ungoogled-chromium package is even more problematic because it takes
more than ~80 CPU-hours to build, and that often times out with our
current build farm settings (where we don’t allow builds to take more
than 6h, IIRC).

Right now we’re trying to improve build throughput in general but your
proposal makes sense, of course.

Thanks,
Ludo’.





Thread overview: 13+ messages
2020-08-27 20:50 bug#43075: Prioritize providing substitutes for security-critical packages with potentially long build times chaosmonk
2020-09-10  8:00 ` Ludovic Courtès [this message]
2020-09-10  9:19   ` zimoun
2020-09-11  0:47     ` Bengt Richter
2020-09-11  1:06     ` Mason Hock
2020-09-11  6:56     ` Ludovic Courtès
2020-09-11  7:37       ` zimoun
2020-09-11  8:23         ` Ricardo Wurmus
2020-09-11 13:39         ` Leo Famulari
2020-09-11 14:33         ` Dr. Arne Babenhauserheide
2020-09-11 14:45         ` Ludovic Courtès
2020-09-11  1:14   ` Mason Hock
2020-09-11  6:53     ` Ludovic Courtès
