From: Maxime Devos
To: guix-devel@gnu.org, sebastian@pipping.org
Subject: Re: Expat 2.3.0 has been released
Date: Sun, 09 May 2021 11:12:11 +0200
Message-ID: <565eaa11163d5bc416387217ca8c6d6718608246.camel@telenet.be>
In-Reply-To: <20afb227-5e89-e416-4ca4-12bd0ac98a29@pipping.org>

Sebastian Pipping wrote on Sat 08-05-2021 at 18:00 [+0200]:
> Hello everyone,
>
>
> just a quick heads up that there will be a new release of libexpat with
> security fix in a few weeks.  Unless I looked in the wrong place, I
> noticed that your distro has not updated to libexpat 2.3.0 as of today.

Correct

>
> If you ran into any issues with packaging 2.3.0, please let me know now
> so that I can fix things upstream for you and everyone while there is
> still a window before next releases to do so.  Thank you!

According to "guix refresh -l", simply updating expat would entail rebuilding
6031 packages.  This can be avoided if v2.4.0 is binary compatible with v2.2.9.
Is this the case?  If this is not the case, we will have to cherry-pick the
security fixes.

I have attached a patch adding a graft for expat, updating from v2.2.9 to v2.3.0,
but it needs some testing.

Greetings,
Maxime.

[Attachment: 0001-gnu-expat-Add-graft-for-2.3.0-security-fixes.patch (text/x-patch)]
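
The binary-compatibility question raised in this message can be partly checked mechanically before a graft is relied on. The script below is an added example, not part of the original message, its patch, or Guix: it compares `nm -D --defined-only` listings of the old and new `libexpat.so` and reports exported symbols that disappeared. The listings, the addresses, the name `XML_ConstructedNewEntry` and the function names are assumptions made for illustration.

```sh
# Added example: inputs are `nm -D --defined-only` listings of two library builds.

# exported_symbols FILE: sorted names of defined, exported symbols.
exported_symbols() {
    # Line format: "<address> <type> <name>[@@VERSION]"; keep global types only.
    awk 'NF == 3 && $2 ~ /^[TDBRVW]$/ { sub(/@.*/, "", $3); print $3 }' "$1" |
        LC_ALL=C sort -u
}

# removed_symbols OLD NEW: symbols OLD exports that NEW no longer provides.
removed_symbols() {
    old_syms=$(mktemp) && new_syms=$(mktemp) || return 1
    exported_symbols "$1" > "$old_syms"
    exported_symbols "$2" > "$new_syms"
    LC_ALL=C comm -23 "$old_syms" "$new_syms"
    rm -f "$old_syms" "$new_syms"
}

# graft_candidate OLD NEW: succeeds only when no exported symbol was removed.
graft_candidate() {
    [ -z "$(removed_symbols "$1" "$2")" ]
}

# Constructed sample listings (addresses and XML_ConstructedNewEntry are made up).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/old.txt" <<'EOF'
0000000000009d40 T XML_Parse
000000000000a1c0 T XML_ParserCreate
000000000000a2f0 T XML_ParserFree
000000000000a480 T XML_SetElementHandler
EOF
cat > "$work/new.txt" <<'EOF'
0000000000009e10 T XML_Parse
000000000000a2a0 T XML_ParserCreate
000000000000a3d0 T XML_ParserFree
000000000000a560 T XML_SetElementHandler
000000000000a6b0 T XML_ConstructedNewEntry
EOF
# old.txt with XML_ParserFree dropped: dependents could not resolve it at load time.
grep -v ' XML_ParserFree$' "$work/old.txt" > "$work/broken.txt"

for candidate in new broken; do
    if graft_candidate "$work/old.txt" "$work/$candidate.txt"; then
        echo "$candidate: no exported symbol removed"
    else
        echo "$candidate: removed: $(removed_symbols "$work/old.txt" "$work/$candidate.txt")"
    fi
done
```

An empty result is necessary but not sufficient for a safe graft: the SONAME must also match, and changes to struct layout or function semantics do not show up in a symbol list.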