From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id fe9kKtFgXmDLaAAAgWs5BA (envelope-from ) for ; Fri, 26 Mar 2021 23:31:45 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id oGFEI9FgXmAvWwAAB5/wlQ (envelope-from ) for ; Fri, 26 Mar 2021 22:31:45 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 2DDC71C067 for ; Fri, 26 Mar 2021 23:31:45 +0100 (CET) Received: from localhost ([::1]:58804 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lPuzX-0000ck-UH for larch@yhetil.org; Fri, 26 Mar 2021 18:31:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34276) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPuz9-0000cY-TR for guix-devel@gnu.org; Fri, 26 Mar 2021 18:31:20 -0400 Received: from mail.zaclys.net ([178.33.93.72]:58791) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPuz2-0000KK-Ty for guix-devel@gnu.org; Fri, 26 Mar 2021 18:31:19 -0400 Received: from [192.168.0.44] (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12QMUVdq039909 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 26 Mar 2021 23:30:48 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12QMUVdq039909 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1616797854; bh=om2FhaGwB/veBczMz9tkgPhwX69xUnIzArKH6YMa8cs=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=MeNPFtBF56jQZlhqzM51ZtCGouv2UWOQp7wyttujdMfknxJKI0UHMQVHKa2qAz0El JbIEyS/Jle8j3pPGT0Wkl9J+HdmdO750SEIM06L9oWQ8wq9m/LUfwzZP7OVIc79fZQ +RRv3+UAPSx1uEzXtUFcMKWkPoDvvVGlKrDcmSAc= Message-ID: <2860899294934b02fba39e41043c88c5c5068098.camel@zaclys.net> Subject: Re: Security patching and the branching workflow: a new security-updates branch From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: Christopher Baines Cc: guix-devel@gnu.org Date: Fri, 26 Mar 2021 23:30:22 +0100 In-Reply-To: <87eeg1a7hy.fsf@cbaines.net> References: <12b4006a4a28c9678c523ab129945850b4adf37f.camel@zaclys.net> <87eeg1a7hy.fsf@cbaines.net> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-2gaQWR14OpiQbx+OWPvp" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616797905; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=om2FhaGwB/veBczMz9tkgPhwX69xUnIzArKH6YMa8cs=; b=SA26JWOF7dbm+TGBUpO3X+is3inYjMl5ANjN4SVjHGMrFWPccpU2hQYHyCxsvwQYccPrFV XPlUEn4219LoIYC+4RPgTCODldmNCIc1t5RZbEapGICO7rSqNJJGuQx61G7wB6J1VkN609 jq0d6kp1DS2WHiaibWWof7AL7j9YZiLk58dMh+RneRlUO9EjrIJXq9ixIgCN+T1e1D41K5 T51hEKkICOS7mlzMrTINYH2jUSNse19EJA0vKgeEl3aSQkzmPoXFqXrbnF/lSAjBdiqztc F27uo/uh0qDJ1XPcc2nj2XAa3T6KrfUkyLF4GimLiFX5OEmmSkQzpVBF8tkMzg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616797905; a=rsa-sha256; cv=none; b=l9DwsL0XLzqKUNKZ+AMVxB0Hx0xDxTQNQRDxNvRw7xUeboyBo1oApyMnTcLGzT8Qjm9hJu ZG0NmgpCPe6rArxYL2Gw2BdoVS6BJ7pPRPPWYbBncfYv8mhwy7d/EDCGUCZ5y5LPjF1Epk KOSek068d8IZlrlt8yAGq0POi/85qnOGI/78aB+vLRVZtb2GSGgopPjUQPQcEt9YmwnXfS WAVAu2k1+DwW07Om2Qh/M0S+QAyfEPPPonF+VODEOhEVkoy7J+jLKJiC2szPmmgNqRZbi5 p4s/AgSDFttotuPl10Ns282MBywbeY7QiQIdRMlijD4xQt6iTPLrTAY0a3lncg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=MeNPFtBF; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -5.22 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=MeNPFtBF; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 2DDC71C067 X-Spam-Score: -5.22 X-Migadu-Scanner: scn0.migadu.com X-TUID: axNC0I6j9h6S --=-2gaQWR14OpiQbx+OWPvp Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, 2021-03-26 at 22:13 +0000, Christopher Baines wrote: > Can you clarify what specific problem or problems you're proposing > this > security-updates branch to address? Substitute availability of security updates when they are released, without causing big rebuilds on master for users before the build farm had time to produce substitutes. > You mention applying and backporting patches is lots of work, and > uncertainty around whether grafts work in particular > situations. Also that some times backporting is just not possible because security fixes are not properly labeled upstream as security-relevant and manual review of each and every commit is just not viable. > Personally I think staging and core-updates are quite a bit of work, > and > adding more complexity to the process involves more work in my > mind. Additionally, this isn't going to provide more information > about > areas where grafts can't be used (if those exist). I understand. There's lot of uncertainty on how grafts work exactly for me and in what situations they work and what situations they do not. The only way I am certain some security fix is correctly applied in GNU Guix is when the vulnerable version of the package is not packaged at all anymore in GNU Guix. > Now the software involved is getting better at rapidly building > things > for substitutes, personally I see a way forward through trying to > measure and potentially increase the rate of change for outputs in > general. Going faster also involves more work probably, but in terms > of > the process, that might just mean that updates to more packages can > be > merged to master directly, without sitting on a non-master branch. I would like this, merging things to master directly when we feel it is the right thing would be what I would like to do. Even if it causes big world rebuilds, when we can't graft. There's another thing I saw that was ongoing but can't remember where, that 'guix pull' could hold off updating to newer revisions unless substitutes are available. Thanks for your input. L=C3=A9o --=-2gaQWR14OpiQbx+OWPvp Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBeYH4ACgkQRaix6GvN EKbamBAAmKDBJUaNtNYG5FzwC2J0Wd7JtxhBUTMkyGNjhXDA7GdUnIrLiNeUky+z 0wgDXPvXjaWT5dvwIqWrr4aW+uDrSUxyPJuqdBFb85Zt2yHcMEXnzZ7uMINIlQFO NFtvOldMAAkQdgwK5hzbCbbIXGS4wndo4vBzPlQ7czdY543ZMQUvBlMMMw+0uYGj 72I2SuqfcmGOrRbFBKoUeYI6KXFP/Y5QAA2TDyM8Ky2/4YcCILSTSmItFHqafakM fwm0jCLHT4tCjmJLuiWNfafx+HeO5CKfH7IRbEsp4eCndo+rfIRTaj4rKx5ZxGGo hwayT/SXhXKrPqckMvjsU+pLuGnWE3ZBsT08XAD7VKBP8yL0VqspQNq2ByMCn5fW PG/LtJhMG/PyEAZ2bYvT3FSi6r1vePsEDDWueyawttMWW8AFhhQm+/2UJF7JswHO Z+7laXXIchpNA0RTAJR2+YNRqyCKojYpI7dWoUE8Nkzs0c16AMkKZxeA6qy9N7Jo 9n/pTGJ0sEDczrLV+wPoiPMLJanJ8XMw848se+c9Hzv/lVcREUnPssHJEh6IbQA+ HumDhkRJfKCPxbfUyeJYlJ55TO4KVuYi+MNiijhg6EICvKjKj0d3YAQvRXijlgEp 2qMnNvsdbwT1+cWZL5C1iYOcLlZRgtTxrF8zdihcgk/VDn2FH0Y= =aqeA -----END PGP SIGNATURE----- --=-2gaQWR14OpiQbx+OWPvp--