From: Léo Le Bouter
To: guix-devel@gnu.org
Subject: Security patching and the branching workflow: a new security-updates branch
Date: Fri, 26 Mar 2021 21:10:28 +0100
Message-ID: <12b4006a4a28c9678c523ab129945850b4adf37f.camel@zaclys.net>
List-Id: Development of GNU Guix and the GNU System distribution.
Hello!

There are two ways to ship security fixes to packages:

1. Update to a patched version if upstream provides one
2. Apply or backport individual patches to fix the issues in the shipped version

Grafts are most reliable for 2., but there are cases where using 2. is lots of work and we can't afford that right now. An example is ImageMagick, where not all security issues get a CVE, so essentially the only way of getting security fixes is to fetch master or get the latest release. There are also some types of packages where we are not sure whether we can use grafting or not, such as Python ones.

For these reasons, I would like to propose a new branch called security-updates that would be based on master, where we queue security fixes that introduce any arbitrary number of rebuilds without using grafts. We would merge the security-updates branch as soon as there is complete substitute availability for the branch and its future merged version within master.

The downsides of this approach are that:

1. Substitute availability does not mean we can ship the updates quickly, because this might mean hundreds of megabytes if not gigabytes of new substitutes to fetch to actually get the update.
2. Users that don't use substitutes will suffer big rebuilds on each security update shipped through this branch.

For these reasons, grafting should still be preferred when possible, but there are cases where it cannot be used for technical reasons or for lack of resources, and we still must provide a fix quickly.

What do you think?
Léo
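For readers unfamiliar with the mechanism the message says should be preferred, here is what approach 2 looks like as a graft. This is an added example, not code from the message or from the Guix tree: the package "libfoo", its URL, the all-zero hash placeholder and the patch file name are all hypothetical. The original package definition is left untouched and a patched variant is attached through the 'replacement' field, so dependents are not rebuilt; Guix instead rewrites their references to libfoo's store item in place.

```scheme
;; Added example (not from the message or from Guix itself).  "libfoo",
;; its URL, the hash placeholder and the patch name are hypothetical.
(define-module (gnu packages libfoo-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages)                ;for search-patches
  #:use-module ((guix licenses) #:prefix license:))

(define-public libfoo
  (package
    (name "libfoo")
    (version "1.2.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.org/libfoo-"
                                  version ".tar.xz"))
              ;; Placeholder hash; a real definition carries the real one.
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; The graft: nothing that depends on LIBFOO is rebuilt.  At build time
    ;; Guix produces a copy of each dependent with references to LIBFOO's
    ;; store item rewritten to point at LIBFOO/FIXED instead.
    (replacement libfoo/fixed)
    (home-page "https://example.org/libfoo")
    (synopsis "Hypothetical library used to illustrate grafting")
    (description "Placeholder package for a grafting example.")
    (license license:gpl3+)))

(define libfoo/fixed
  (package
    (inherit libfoo)
    ;; Name and version are kept identical on purpose: the replacement's
    ;; store file name must have the same length as the original's,
    ;; because the graft rewrites paths in place inside binaries.
    (source (origin
              (inherit (package-source libfoo))
              ;; Hypothetical backported fix; in the Guix tree the file
              ;; would live under gnu/packages/patches/ and be listed in
              ;; gnu/local.mk.
              (patches (search-patches "libfoo-backported-fix.patch"))))))
;; 'replacement' is an innate field, so it is not copied by 'inherit' and
;; LIBFOO/FIXED does not itself carry a replacement.
```

With such a definition, `guix build libfoo` returns the grafted result and `guix build --no-grafts libfoo` the ungrafted one, which is a quick way to check that the fix is indeed delivered through the graft rather than through a rebuild. The same-length constraint is also one of the "technical reasons" the message alludes to: a fix that changes the version string length, or a package whose dependents embed its path in a form the rewriter does not handle, cannot be shipped this way and falls back to a full rebuild, which is exactly the case the proposed security-updates branch is meant to cover.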