From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes
	CVE-2016-2381].
Date: Wed, 2 Mar 2016 23:06:13 -0500
Message-ID: <20160303040613.GA24614@jasmine>
References: <cover.1456947844.git.leo@famulari.name>
	<cover.1456947844.git.leo@famulari.name>
	<92cf16de48838de4d9d060886f0bc9915e8f52e1.1456947844.git.leo@famulari.name>
	<87io14czt1.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:40073)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1abKWn-0005T7-WA
	for guix-devel@gnu.org; Wed, 02 Mar 2016 23:06:18 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1abKWk-0001Wz-Po
	for guix-devel@gnu.org; Wed, 02 Mar 2016 23:06:17 -0500
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:54963)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1abKWk-0001Wr-Lj
	for guix-devel@gnu.org; Wed, 02 Mar 2016 23:06:14 -0500
Content-Disposition: inline
In-Reply-To: <87io14czt1.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
> > * gnu-system.am (dist_patch_DATA): Add it.
> > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > (perl-5.22.1-2): New variable.
> 
> Should be ‘perl-fixed’.

Done. I also altered the context of the patch to reflect that its
source is actually upstream Perl, although Debian did cherry-pick it.

> 
> > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
> 
> Otherwise LGTM, as long as you confirm that nothing goes really wrong
> once it’s applied.  :-)

Here are some things I tried:

1) Built and booted a VM with `guix system vm`. I don't know if perl (as
opposed to perl-boot0) is used in this process, but it did work.

2) Built and installed git on top of it, and then rolled back the commit
and used `git add -i` to recreate it, and then `git send-email` to
submit it. Both of those tools are Perl scripts.

https://git.kernel.org/cgit/git/git.git/tree/git-add--interactive.perl
https://git.kernel.org/cgit/git/git.git/tree/git-send-email.perl