From: Ludovic Courtès
To: chaosmonk
Cc: 43075@debbugs.gnu.org
Subject: bug#43075: Prioritize providing substitutes for security-critical packages with potentially long build times
Date: Thu, 10 Sep 2020 10:00:00 +0200
Message-ID: <87bliejc3j.fsf@gnu.org>
References: <2WPQFQ.3JQYOGZG7WXZ@riseup.net>
In-Reply-To: <2WPQFQ.3JQYOGZG7WXZ@riseup.net> (chaosmonk@riseup.net's message of "Thu, 27 Aug 2020 13:50:26 -0700")
List-Id: Bug reports for GNU Guix

Hi,

chaosmonk wrote:

> ungoogled-chromium receives frequent security updates, so it is
> important for users to keep it up-to-date. However, binary
> substitutes for the latest version are usually not available, and it
> can take a very long time to build from source, possibly multiple
> days on low-end hardware. This might tempt or force some users to put
> off upgrading the package and run an older, vulnerable version until a
> binary substitute is available or they have a chance to set aside the
> uptime needed to build from source.
>
> I don't know what Guix's CI system looks like or how packages are
> queued for building, but if there is a way to prioritize builds for
> certain packages, I propose that substitutes for packages like
> ungoogled-chromium should be built as soon as possible once there is a
> new version. Other security-critical packages with potentially long
> build times that come to mind are icecat and linux-libre.

Thanks for your feedback. Our build farm has often been lagging behind
lately and that’s something we’ve been working on.

The ungoogled-chromium package is even more problematic because it takes
more than ~80 CPU-hours to build, and that often times out with our
current build farm settings (where we don’t allow builds to take more
than 6h, IIRC).

Right now we’re trying to improve build throughput in general but your
proposal makes sense, of course.

Thanks,
Ludo’.