* Expat in GuixSD, please update
From: Sebastian Pipping @ 2017-10-25 12:58 UTC (permalink / raw)
  To: guix-devel

Hi GuixSD team,


from looking at [1] and [2] my impression is that GuixSD is still at
version 2.2.2 with Expat, while there is version 2.2.4 with bugfixes
upstream.  Is there anything blocking an update on your side that needs
fixing upstream?

Best

Sebastian


[1] https://repology.org/metapackage/expat/versions
[2] https://www.gnu.org/software/guix/packages/e.html


* Re: Expat in GuixSD, please update
From: Vincent Legoll @ 2017-10-25 14:05 UTC (permalink / raw)
  To: Sebastian Pipping; +Cc: guix-devel

Hello,

maybe you can try to submit a patch for review...

That ought to be fairly easy

-- 
Vincent Legoll


* Re: Expat in GuixSD, please update
From: Sebastian Pipping @ 2017-10-25 14:24 UTC (permalink / raw)
  To: Vincent Legoll; +Cc: guix-devel

Sorry, no time.


On 25.10.2017 16:05, Vincent Legoll wrote:
> Hello,
> 
> maybe you can try to submit a patch for review...
> 
> That ought to be fairly easy
> 


* Re: Expat in GuixSD, please update
From: Tobias Geerinckx-Rice @ 2017-10-25 16:28 UTC (permalink / raw)
  To: sebastian, guix-devel

Sebastian,

Sebastian Pipping wrote on 25/10/17 at 14:58:
> from looking at [1] and [2] my impression is that GuixSD is still at
> version 2.2.2 with Expat, while there is version 2.2.4 with bugfixes
> upstream.

Thanks for the report!

I see that 2.2.3 fixed a CVE, so I hurried up a patch[0].

Kind regards,

T G-R

[0]: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28996


* Re: Expat in GuixSD, please update
From: Leo Famulari @ 2017-10-25 17:22 UTC (permalink / raw)
  To: Sebastian Pipping; +Cc: guix-devel


On Wed, Oct 25, 2017 at 02:58:13PM +0200, Sebastian Pipping wrote:
> Hi GuixSD team,
> 
> 
> from looking at [1] and [2] my impression is that GuixSD is still at
> version 2.2.2 with Expat, while there is version 2.2.4 with bugfixes
> upstream.  Is there anything blocking an update on your side that needs
> fixing upstream?

Thank you very much for reaching out, Sebastian.

No, there is nothing concrete blocking the update. I've just given
Tobias a "LGTM" for his 2.2.4 update patch.

There is a slight cost to updating packages with many dependents in Guix
[0], so we prefer not to update them between "core update" cycles unless
there are security issues affecting our users.

Expat 2.2.3's release notes only mentioned CVE-2017-11742, which is a
Windows vulnerability and out of scope for Guix. And I didn't see
security issues disclosed in the 2.2.4 release notes.

But, we can treat Expat as one of those "always update" libraries if
that is suggested. It's probably the right choice for any widely-used C
library.

[0] By treating package building as a pure function, if a lower-level
package changes, all dependent packages must be rebuilt. We have a
mechanism called grafting to cheat for security updates.


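To illustrate the grafting mechanism Leo's footnote [0] describes, here is an added example in Guix's own package language (Guile Scheme). It is not the Guix project's actual expat definition: the module name (example expat-graft), the expat/fixed variable name, and the sha256 values are placeholders constructed for this illustration, and the description text is abbreviated.

```scheme
;; Added example, not Guix's own expat definition.  Shows how a package's
;; `replacement' field lets Guix ship a security fix without rebuilding
;; every dependent: dependents keep their existing derivations, and at
;; install time references to the original output are rewritten to point
;; at the replacement's output (a "graft").
;; The sha256 values below are PLACEHOLDERS, not real Expat checksums.
(define-module (example expat-graft)          ; hypothetical module name
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public expat
  (package
    (name "expat")
    (version "2.2.2")
    ;; The graft: users who install `expat' or anything depending on it
    ;; get expat/fixed's files, while all dependents stay as built.
    (replacement expat/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
                "PLACEHOLDER-SHA256-FOR-EXPAT-2.2.2")))) ; placeholder
    (build-system gnu-build-system)
    (home-page "http://www.libexpat.org/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Expat is an XML parser library written in C.")
    (license license:expat)))

(define expat/fixed
  ;; Constraints a practitioner must respect when grafting:
  ;;  * keep the same `name', so the replacement is a valid graft;
  ;;  * stay ABI-compatible with the original, since dependents are not
  ;;    recompiled against the new library;
  ;;  * keep the store file name the same length ("expat-2.2.2" vs
  ;;    "expat-2.2.4"), because grafting rewrites store paths in place.
  (package
    (inherit expat)
    (version "2.2.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
                "PLACEHOLDER-SHA256-FOR-EXPAT-2.2.4")))))) ; placeholder
```

A full version bump of the `expat` variable itself (changing its `version` and `source`) changes the package's derivation and therefore forces every dependent to be rebuilt, which is the cost Leo refers to; the `replacement` field is the cheap path reserved for security fixes until the next "core update" cycle folds the real update in.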

* Re: Expat in GuixSD, please update
From: Tobias Geerinckx-Rice @ 2017-10-25 17:29 UTC (permalink / raw)
  To: leo; +Cc: guix-devel



Leo Famulari wrote on 25/10/17 at 19:22:
> Expat 2.2.3's release notes only mentioned CVE-2017-11742, which is a
> Windows vulnerability and out of scope for Guix. And I didn't see
> security issues disclosed in the 2.2.4 release notes.

Ah, sorry to spread misinfo. I don't have Web access at the moment and
erred on the side of caution. I'll adjust the patch accordingly & push.

Kind regards,

T G-R




* Re: Expat in GuixSD, please update
From: Leo Famulari @ 2017-10-25 17:31 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: guix-devel


On Wed, Oct 25, 2017 at 07:29:28PM +0200, Tobias Geerinckx-Rice wrote:
> Leo Famulari wrote on 25/10/17 at 19:22:
> > Expat 2.2.3's release notes only mentioned CVE-2017-11742, which is a
> > Windows vulnerability and out of scope for Guix. And I didn't see
> > security issues disclosed in the 2.2.4 release notes.
> 
> Ah, sorry to spread misinfo. I don't have Web access at the moment and
> erred on the side of caution. I'll adjust the patch accordingly & push.

I think we can still mention that we've fixed that bug. Somebody could
still use Guix as a source of free source code even if they were
developing for Windows.

No big deal either way, IMO.


