From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Simon Tournier <zimon.toutoune@gmail.com>
Cc: "Mark H Weaver" <mhw@netris.org>,
"Ludovic Courtès" <ludo@gnu.org>,
"Leo Famulari" <leo@famulari.name>,
"Vivien Kraus" <vivien@planete-kraus.eu>,
47144@debbugs.gnu.org
Subject: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 20:49:54 -0400 [thread overview]
Message-ID: <87ikym3nf1.fsf@gmail.com> (raw)
In-Reply-To: <87a5jznxtz.fsf@gmail.com> (Simon Tournier's message of "Wed, 05 Jun 2024 18:44:40 +0200")
Hi Simon,
Simon Tournier <zimon.toutoune@gmail.com> writes:
> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’. Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.
Indeed. It'll be easy though to grep for 'patch/pinned', which are far
and few in between, compared to grepping for 'patch'... I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.
--
Thanks,
Maxim
next prev parent reply other threads:[~2024-06-06 0:51 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net>
2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver
2021-03-15 18:26 ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix
2021-03-15 18:26 ` bug#47144: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
2021-03-18 21:58 ` Ludovic Courtès
2022-03-23 3:03 ` bug#47144: security patching of 'patch' package Maxim Cournoyer
2021-04-14 21:54 ` Leo Famulari
2024-05-31 2:59 ` bug#47144: [PATCH 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-05-31 2:59 ` bug#47144: [PATCH 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-05-31 2:59 ` bug#47144: [PATCH 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-05-31 16:13 ` Simon Tournier
2024-06-01 1:49 ` Maxim Cournoyer
2024-06-04 15:39 ` Simon Tournier
2024-06-05 1:08 ` Maxim Cournoyer
2024-06-01 11:34 ` Maxim Cournoyer
2024-06-01 14:32 ` Ludovic Courtès
2024-06-01 15:02 ` Maxim Cournoyer
2024-06-05 16:04 ` bug#47144: security patching of 'patch' package Ludovic Courtès
2024-06-05 16:44 ` Simon Tournier
2024-06-06 0:49 ` Maxim Cournoyer [this message]
2024-06-01 12:56 ` bug#47144: [PATCH v2 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-01 12:56 ` bug#47144: [PATCH v2 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-01 12:56 ` bug#47144: [PATCH v2 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-05 1:24 ` bug#47144: [PATCH v3 3/3] gnu: patch: Graft to latest commit [security fixes] Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 1/3] gnu: ucd: Update to 15.1.0 Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 2/3] gnu: gnulib: Update to 2024-05-30-1.ac4b301 Maxim Cournoyer
2024-06-06 0:46 ` bug#47144: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes] Maxim Cournoyer
2024-06-24 4:43 ` bug#47144: security patching of 'patch' package Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ikym3nf1.fsf@gmail.com \
--to=maxim.cournoyer@gmail.com \
--cc=47144@debbugs.gnu.org \
--cc=leo@famulari.name \
--cc=ludo@gnu.org \
--cc=mhw@netris.org \
--cc=vivien@planete-kraus.eu \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).