unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* grafted package and CLI
@ 2022-07-05  0:07 zimoun
  2022-07-07  8:00 ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: zimoun @ 2022-07-05  0:07 UTC (permalink / raw)
  To: Guix Devel; +Cc: Marius Bakke

Hi,

Commit 3fc6709d4285f44d1e861c7b09951adf3073e898 is a security fixes for
the package ’curl’; it reads,

--8<---------------cut here---------------start------------->8---
(define-public curl
   (package
    (name "curl")
    (version "7.79.1")
+   (replacement curl-7.84.0)

[...]

+;; Replacement package with fixes for multiple vulnerabilities.
+;; See <https://curl.se/docs/security.html>.
+(define curl-7.84.0
+  (package
+    (inherit curl)
--8<---------------cut here---------------end--------------->8---

So far, so good!  Well, it leads to these behaviour:

        $ guix show curl | recsel -p name,version
        name: curl
        version: 7.79.1

        $ guix build curl -S
        /gnu/store/67w9zrlm1xahczf55f9rd15aaqadbixj-curl-7.84.0.tar.xz

Or even, it can be confusing:

        $ guix shell curl@7.79.1 -- curl --version
        curl 7.84.0 (x86_64-unknown-linux-gnu) libcurl/7.84.0 GnuTLS/3.7.2 zlib/1.2.11 libidn2/2.3.1 nghttp2/1.44.0
        Release-Date: 2022-06-27
        [..]

The issue is not new, e.g., see [1].  I proposed a patch [2] (see below)
which addresses the issue with “guix show”.

However, it does not address issue with “guix package -A | grep ^curl”;
and it is potentially not fixable because it uses
’fold-available-packages’ which loads the cache (for performance) and
this cache does not contain the ’replacement’ field – it is not a good
idea to introduce it, IMHO.

About “guix shell”, a warning could be added.

Well, WDYT?


Cheers,
simon


--8<---------------cut here---------------start------------->8---
diff --git a/guix/ui.scm b/guix/ui.scm
index 7fbd4c63a2..b6497f5e5c 100644
--- a/guix/ui.scm
+++ b/guix/ui.scm
@@ -1528,9 +1528,18 @@ HYPERLINKS? is true, emit hyperlink escape sequences when appropriate."
   (define (package<? p1 p2)
     (string<? (package-full-name p1) (package-full-name p2)))

+  (define replacement
+    (package-replacement p))
+
   ;; Note: Don't i18n field names so that people can post-process it.
   (format port "name: ~a~%" (package-name p))
   (format port "version: ~a~%" (package-version p))
+  (when replacement
+    (unless
+     (string=?
+      (package-version p)
+      (package-version replacement))
+     (format port "replacement: ~a~%" (package-version replacement))))
   (format port "outputs: ~a~%" (string-join (package-outputs p)))
   (format port "systems: ~a~%"
           (string-join (package-transitive-supported-systems p)))
--8<---------------cut here---------------end--------------->8---

1: <https://yhetil.org/guix/871rc5jv1o.fsf@netris.org>
2: <https://yhetil.org/guix/86im5a6ea4.fsf@gmail.com>


^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2022-07-17 15:35 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-05  0:07 grafted package and CLI zimoun
2022-07-07  8:00 ` Ludovic Courtès
2022-07-07 13:29   ` zimoun
2022-07-07 15:09     ` Ludovic Courtès
2022-07-07 16:58       ` zimoun
2022-07-17 15:35         ` bokr

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).