* bug#46194: Doas vulnerability CVE-2019-25016
From: Leo Famulari @ 2021-01-30 20:51 UTC
To: 46194

Our package of doas is apparently vulnerable to CVE-2019-25016:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016

* bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1. 2021-01-30 20:51 bug#46194: Doas vulnerability CVE-2019-25016 Leo Famulari @ 2021-01-31 19:41 ` Brice Waegeneire 2021-01-31 20:16 ` Leo Famulari 2021-01-31 20:35 ` me--- via Bug reports for GNU Guix 0 siblings, 2 replies; 4+ messages in thread From: Brice Waegeneire @ 2021-01-31 19:41 UTC (permalink / raw) To: 46194 * gnu/packages/admin.scm (opendoas): Update to 6.8.1. Fixes #46194. --- As there isn't any service for this package (I'm working on it), it's quite useless and there isn't any package depending on it. I guess very few people, if any, are using it so I see no need for grafting here. gnu/packages/admin.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 538e8d3eb4..1ddbea7a02 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1512,7 +1512,7 @@ commands and their arguments.") (define-public opendoas (package (name "opendoas") - (version "6.8") + (version "6.8.1") (source (origin (method git-fetch) (uri (git-reference @@ -1521,7 +1521,7 @@ commands and their arguments.") (file-name (git-file-name name version)) (sha256 (base32 - "1dlwnvy8r6slxcy260gfkximp1ms510wdslpfq9y6xvd2qi5izcb")))) + "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p")))) (build-system gnu-build-system) (arguments `(#:phases -- 2.29.2 ^ permalink raw reply related [flat|nested] 4+ messages in thread
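Review bot: at the `(version "6.8.1")` line in the first hunk, the bump is submitted as the fix for the CVE-2019-25016 report, yet the changelog entry only says "Update to 6.8.1." and "Fixes #46194."; name the CVE in the commit message so the security fix can be found from the git log without opening the bug.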
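Review bot: the second hunk replaces the `base32` source hash, but the `git-reference` fields that select the revision sit between the two hunks and are not shown; confirm that the commit or tag there is derived from `version` rather than pinned to the 6.8 revision, so that the new hash corresponds to the 6.8.1 checkout.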
* bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.
From: Leo Famulari @ 2021-01-31 20:16 UTC
To: Brice Waegeneire; +Cc: 46194-done

On Sun, Jan 31, 2021 at 08:41:07PM +0100, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.
>
> Fixes #46194.
> ---
> As there isn't any service for this package (I'm working on it), it's quite
> useless and there isn't any package depending on it. I guess very few
> people, if any, are using it so I see no need for grafting here.

Thanks! I pushed as 9c8156507abeb15f6d3816800c077fd99f861e3d

The question of "should it be grafted" depends on how many packages
depend on it:

$ guix refresh -l opendoas
No dependents other than itself: opendoas@6.8

If `guix refresh` reports that more than 300 packages will be rebuilt,
security updates should use grafts, as specified in the manual section
Submitting Patches:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html

We don't want to wait for a 'staging' or 'core-updates' cycle for
security updates, so grafts let us cheat and push things directly to
master, without requiring expensive recompilation of dependent packages.

I know you could have pushed this yourself, although I did it on your
behalf. Now that we've clarified the use case of grafts, please feel
free to push things like this without review :)

The manual section Commit Access offers some guidelines:

"For patches that just add a new package, and a simple one, it’s OK to
commit, if you’re confident (which means you successfully built it in a
chroot setup, and have done a reasonable copyright and license
auditing). Likewise for package upgrades, except upgrades that trigger a
lot of rebuilds (for example, upgrading GnuTLS or GLib)."
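The graft decision described in the reply above, as an added example that is not part of the original thread or of Guix itself: a shell helper that reads `guix refresh -l` output and applies the 300-rebuild threshold. The function names and sample lines are constructed; the "A single dependent package" and "would ensure N dependent packages" output shapes are assumptions about the tool's wording, and only the "No dependents" line appears in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): decide between a graft and a direct
# push to master from the text printed by `guix refresh -l PACKAGE`.

GRAFT_THRESHOLD=300   # the thread: more than 300 rebuilds means "use a graft"

# dependents_from_refresh OUTPUT -> prints the number of dependents to rebuild
dependents_from_refresh() {
    local out n
    out=$1
    case $out in
        "No dependents other than "*)            # shape quoted in the thread
            n=0 ;;
        "A single dependent package: "*)         # assumed shape
            n=1 ;;
        *"would ensure "*" dependent package"*)  # assumed shape
            n=${out#*would ensure }              # drop everything up to the count
            n=${n%% *} ;;                        # keep only the count
        *)
            return 1 ;;                          # unknown wording: do not guess
    esac
    case $n in ''|*[!0-9]*) return 1 ;; esac     # count must be a plain integer
    echo "$n"
}

# update_route OUTPUT -> prints "graft" or "direct"; fails on unknown output
update_route() {
    local n
    n=$(dependents_from_refresh "$1") || return 1
    if [ "$n" -gt "$GRAFT_THRESHOLD" ]; then echo graft; else echo direct; fi
}

# Constructed sample outputs; only the first matches a line in the thread.
SAMPLE_NONE='No dependents other than itself: opendoas@6.8'
SAMPLE_MANY='Building the following 2 packages would ensure 412 dependent packages are rebuilt: foo@1.0 bar@2.0'

for s in "$SAMPLE_NONE" "$SAMPLE_MANY"; do
    printf '%s -> %s\n' "${s%%:*}" "$(update_route "$s")"
done
```

On a real checkout the input would be `update_route "$(guix refresh -l opendoas)"`; an error message or any other unrecognised text makes the function fail instead of defaulting to "direct".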
* bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.
From: me--- via Bug reports for GNU Guix @ 2021-01-31 20:35 UTC
To: Brice Waegeneire; +Cc: 46194

Brice,

On 2021-01-31 20:41, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.

Thanks for the prompt security bump! The number of CVE fixes I've
pushed for sudo the past year has made me reconsider its use in favour
of this package.

> As there isn't any service for this package (I'm working on it), it's
> quite
> useless

Services are nice to have but always optional: I doubt there's a
package in Guix that is 'useless' or unused because it lacks a service.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.
Code repositories for project(s) associated with this public inbox: https://git.savannah.gnu.org/cgit/guix.git