unofficial mirror of guix-devel@gnu.org 
* Expat 2.3.0 has been released
@ 2021-03-25 20:27 Sebastian Pipping
  2021-05-08 16:00 ` Sebastian Pipping
  0 siblings, 1 reply; 11+ messages in thread
From: Sebastian Pipping @ 2021-03-25 20:27 UTC (permalink / raw)
  To: sebastian

Hello everyone!


Expat 2.3.0 — simplified — brings…

  - bugfixes,

  - improvements to both build systems, and

  - improvements to xmlwf usability.

Please see the changelog at [1] for more details.


If you have patches for Expat that are still required
with version 2.3.0, please send them my way.  Thank you!

Best



Sebastian


[1] https://github.com/libexpat/libexpat/blob/R_2_3_0/expat/Changes


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-03-25 20:27 Expat 2.3.0 has been released Sebastian Pipping
@ 2021-05-08 16:00 ` Sebastian Pipping
  2021-05-09  9:12   ` Maxime Devos
  2021-05-09 22:07   ` Marius Bakke
  0 siblings, 2 replies; 11+ messages in thread
From: Sebastian Pipping @ 2021-05-08 16:00 UTC (permalink / raw)
  To: sebastian

Hello everyone,


just a quick heads up that there will be a new release of libexpat with
a security fix in a few weeks.  Unless I looked in the wrong place, I
noticed that your distro has not updated to libexpat 2.3.0 as of today.
If you ran into any issues with packaging 2.3.0, please let me know now
so that I can fix things upstream for you and everyone while there is
still a window before next releases to do so.  Thank you!

Best



Sebastian


On 25.03.21 21:27, Sebastian Pipping wrote:
> Hello everyone!
> 
> 
> Expat 2.3.0 — simplified — brings…
> 
>   - bugfixes,
> 
>   - improvements to both build systems, and
> 
>   - improvements to xmlwf usability.
> 
> Please see the changelog at [1] for more details.
> 
> 
> If you have patches for Expat that are still required
> with version 2.3.0, please send them my way.  Thank you!
> 
> Best
> 
> 
> 
> Sebastian
> 
> 
> [1] https://github.com/libexpat/libexpat/blob/R_2_3_0/expat/Changes
> 



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-08 16:00 ` Sebastian Pipping
@ 2021-05-09  9:12   ` Maxime Devos
  2021-05-09  9:17     ` Maxime Devos
  2021-05-09 12:53     ` Sebastian Pipping
  2021-05-09 22:07   ` Marius Bakke
  1 sibling, 2 replies; 11+ messages in thread
From: Maxime Devos @ 2021-05-09  9:12 UTC (permalink / raw)
  To: guix-devel, sebastian


[-- Attachment #1.1: Type: text/plain, Size: 925 bytes --]

Sebastian Pipping schreef op za 08-05-2021 om 18:00 [+0200]:
> Hello everyone,
> 
> 
> just a quick heads up that there will be a new release of libexpat with
> a security fix in a few weeks.  Unless I looked in the wrong place, I
> noticed that your distro has not updated to libexpat 2.3.0 as of today.

Correct

> If you ran into any issues with packaging 2.3.0, please let me know now
> so that I can fix things upstream for you and everyone while there is
> still a window before next releases to do so.  Thank you!

According to "guix refresh -l", simply updating expat would entail rebuilding 6031
packages. This can be avoided if v2.4.0 is binary compatible with v2.2.9.
Is this the case? If this is not the case, we will have to cherry-pick the
security fixes.

I have attached a patch adding a graft for expat, updating from v2.2.9 to
v2.3.0, but it needs some testing.

Greetings,
Maxime.

[-- Attachment #1.2: 0001-gnu-expat-Add-graft-for-2.3.0-security-fixes.patch --]
[-- Type: text/x-patch, Size: 3382 bytes --]

From f87aa1ef0ecfcda27c798ecfd140ce3b33218ddc Mon Sep 17 00:00:00 2001
From: Maxime Devos <maximedevos@telenet.be>
Date: Sun, 9 May 2021 11:05:14 +0200
Subject: [PATCH] gnu: expat: Add graft for 2.3.0 [security fixes]

There will be security fixes in the upcoming 2.4.0 release.
For now, upgrade to 2.3.0. As this would cause 6031 rebuilds,
use the grafting mechanism.

* gnu/packages/xml.scm
  (expat-uris): New procedure.
  (expat)[source]<uri>: Use new procedure.
  (expat)[replacement]: Add graft for 2.3.0.
  (expat/fixed): New package.
---
 gnu/packages/xml.scm | 43 +++++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 12 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 04cb09779b..4412660ae0 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -31,6 +31,7 @@
 ;;; Copyright © 2021 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2021 Felix Gruber <felgru@posteo.net>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -116,22 +117,27 @@ the entire document.")
     (home-page "https://github.com/hughsie/libxmlb")
     (license license:lgpl2.1+)))
 
+(define (expat-uris version)
+  (define (dot->underscore c)
+    (if (char=? #\. c) #\_ c))
+  (list (string-append "mirror://sourceforge/expat/expat/"
+                       version "/expat-" version ".tar.xz")
+        (string-append
+         "https://github.com/libexpat/libexpat/releases/download/R_"
+         (string-map dot->underscore version)
+         "/expat-" version ".tar.xz")))
+
 (define-public expat
   (package
     (name "expat")
     (version "2.2.9")
-    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
-              (origin
-                (method url-fetch)
-                (uri (list (string-append "mirror://sourceforge/expat/expat/"
-                                          version "/expat-" version ".tar.xz")
-                           (string-append
-                            "https://github.com/libexpat/libexpat/releases/download/R_"
-                            (string-map dot->underscore version)
-                            "/expat-" version ".tar.xz")))
-                (sha256
-                 (base32
-                  "1960mmgbb4cm64n1p0nz3hrs1pw03hkrfcw8prmnn4622mdrd9hy")))))
+    (source (origin
+              (method url-fetch)
+              (uri (expat-uris version))
+              (sha256
+               (base32
+                "1960mmgbb4cm64n1p0nz3hrs1pw03hkrfcw8prmnn4622mdrd9hy"))))
+    (replacement expat/fixed)
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")))
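Review bot: The new `(replacement expat/fixed)` field on `expat` only gives a valid graft if libexpat 2.3.0 keeps the SONAME of 2.2.9 and stays binary-compatible with it, and nothing in this hunk records that this was checked. A short comment next to the field saying so, and why a graft is used instead of bumping `version`, would help whoever removes it later. Separately, `expat-uris` would benefit from a docstring stating that it returns the SourceForge mirror and GitHub release URIs for VERSION.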
@@ -143,6 +149,19 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+;; There will be a new release with security fixes soon.
+(define-public expat/fixed
+  (package
+    (inherit expat)
+    (version "2.3.0")
+    (source
+     (origin
+       (inherit (package-source expat))
+       (uri (expat-uris version))
+       (sha256
+        (base32
+         "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya"))))))
+
 (define-public libebml
   (package
     (name "libebml")
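Review bot: `expat/fixed` is introduced with `define-public`, which exports it as a second user-visible expat next to 2.2.9; if it is only meant to be reached through the `replacement` field, a plain `define` would keep it out of the package listing. The comment above it describes an upcoming release rather than this package, so it could instead say that this is the graft target for `expat` and what 2.3.0 changes.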
-- 
2.31.1



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-09  9:12   ` Maxime Devos
@ 2021-05-09  9:17     ` Maxime Devos
  2021-05-09 12:53     ` Sebastian Pipping
  1 sibling, 0 replies; 11+ messages in thread
From: Maxime Devos @ 2021-05-09  9:17 UTC (permalink / raw)
  To: guix-devel, sebastian

[-- Attachment #1: Type: text/plain, Size: 69 bytes --]

I see Leo Prikler has already sent a patch (48304@debbugs.gnu.org).


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-09  9:12   ` Maxime Devos
  2021-05-09  9:17     ` Maxime Devos
@ 2021-05-09 12:53     ` Sebastian Pipping
  2021-05-09 14:07       ` Leo Famulari
  1 sibling, 1 reply; 11+ messages in thread
From: Sebastian Pipping @ 2021-05-09 12:53 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Hi Maxime,


On 09.05.21 11:17, Maxime Devos wrote:
> I see Leo Prikler has already sent a patch (48304@debbugs.gnu.org).

yes, thanks for your interest in the topic.


On 09.05.21 11:12, Maxime Devos wrote:
> According to "guix refresh -l", simply updating expat would entail rebuilding 6031
> packages. This can be avoided if v2.4.0 is binary compatible with v2.2.9.
> Is this the case?

The short answer is: there is no break of ABI.

A longer answer would include that the next release will also be hiding
a previously exposed internal symbol by the name
"_INTERNAL_trim_to_complete_utf8_characters".  I don't consider that an
ABI break but we'll probably find someone who does, on a technical level.

The related soversions are:

  2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
  2.2.10 = 7:12:6 -> libexpat.so.1.6.12
  2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
  2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)

I wish related tool https://verbump.de/ was more widely known.

Best



Sebastian


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-09 12:53     ` Sebastian Pipping
@ 2021-05-09 14:07       ` Leo Famulari
  2021-05-09 14:23         ` Sebastian Pipping
  2021-05-09 14:25         ` Maxime Devos
  0 siblings, 2 replies; 11+ messages in thread
From: Leo Famulari @ 2021-05-09 14:07 UTC (permalink / raw)
  To: Sebastian Pipping; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 652 bytes --]

On Sun, May 09, 2021 at 02:53:09PM +0200, Sebastian Pipping wrote:
> The related soversions are:
> 
>   2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
>   2.2.10 = 7:12:6 -> libexpat.so.1.6.12
>   2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
>   2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)

Alright, in this case we'll need to cherry-pick the relevant bug fixes.

See the manual section Security Updates for this note:

"Other restrictions may apply: for instance, when adding a graft to a
package providing a shared library, the original shared library and its
replacement must have the same SONAME and be binary-compatible."


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-09 14:07       ` Leo Famulari
@ 2021-05-09 14:23         ` Sebastian Pipping
  2021-05-09 14:32           ` Leo Famulari
  2021-05-09 14:25         ` Maxime Devos
  1 sibling, 1 reply; 11+ messages in thread
From: Sebastian Pipping @ 2021-05-09 14:23 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On 09.05.21 16:07, Leo Famulari wrote:
> On Sun, May 09, 2021 at 02:53:09PM +0200, Sebastian Pipping wrote:
>> The related soversions are:
>>
>>   2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
>>   2.2.10 = 7:12:6 -> libexpat.so.1.6.12
>>   2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
>>   2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)
> 
> Alright, in this case we'll need to cherry-pick the relevant bug fixes.
> 
> See the manual section Security Updates for this note:
> 
> "Other restrictions may apply: for instance, when adding a graft to a
> package providing a shared library, the original shared library and its
> replacement must have the same SONAME and be binary-compatible."

The soname is the same: it's libexpat.so.1 for all of them — no?

  # objdump -p libexpat.so.1.7.0 | grep SONAME
    SONAME               libexpat.so.1

They are binary-compatible.  So I think there may be a misunderstanding
here.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-09 14:07       ` Leo Famulari
  2021-05-09 14:23         ` Sebastian Pipping
@ 2021-05-09 14:25         ` Maxime Devos
  1 sibling, 0 replies; 11+ messages in thread
From: Maxime Devos @ 2021-05-09 14:25 UTC (permalink / raw)
  To: Leo Famulari, Sebastian Pipping; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1350 bytes --]

Leo Famulari schreef op zo 09-05-2021 om 10:07 [-0400]:
> On Sun, May 09, 2021 at 02:53:09PM +0200, Sebastian Pipping wrote:
> > The related soversions are:
> > 
> >   2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
> >   2.2.10 = 7:12:6 -> libexpat.so.1.6.12
> >   2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
> >   2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)
> 
> Alright, in this case we'll need to cherry-pick the relevant bug fixes.

I don't think so, because ...

> See the manual section Security Updates for this note:
> 
> "Other restrictions may apply: for instance, when adding a graft to a
> package providing a shared library, the original shared library and its
> replacement must have the same SONAME [...]

They do have the same SONAME.

$ guix build expat@2.3.0 expat@2.2.9 --no-grafts
> /gnu/store/imh5xxqw10dql4crlngbbjh4r24raf4j-expat-2.2.9
> /gnu/store/nc1yqjbrb5xalaycz70l8sk88xjnapy5-expat-2.3.0

$ objdump -x /gnu/store/imh5xxqw10dql4crlngbbjh4r24raf4j-expat-2.2.9/lib/libexpat.so.1 | grep -F SONAME
>   SONAME               libexpat.so.1
$ objdump -x /gnu/store/nc1yqjbrb5xalaycz70l8sk88xjnapy5-expat-2.3.0/lib/libexpat.so.1 | grep -F SONAME
>   SONAME               libexpat.so.1

>  and be binary-compatible."

The .6.11 and .8.0 are not part of the SONAME.

Greetings,
Maxime.


^ permalink raw reply	[flat|nested] 11+ messages in thread
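
Added example, not part of the thread or of either project: how the libtool `current:revision:age` triples in the soversion table above map to file names and SONAMEs on Linux/ELF, which is why all four releases carry `libexpat.so.1`. The function names `soversion_names` and `same_soname` are hypothetical; the triples are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: libtool -version-info (current:revision:age) on Linux/ELF.
# Hypothetical helper names; triples are those quoted in the thread.

# Print "<file name> <SONAME>" for a library base name and a c:r:a triple.
soversion_names() {
    lib=$1
    # Strip the padding spaces used in the thread's table ("8: 0:7").
    triple=$(printf '%s' "$2" | tr -d ' ')
    case $triple in
        *[!0-9:]*|*:*:*:*|:*|*:|*::*) echo "bad triple: $2" >&2; return 2 ;;
        *:*:*) ;;
        *) echo "bad triple: $2" >&2; return 2 ;;
    esac
    current=${triple%%:*}
    rest=${triple#*:}
    revision=${rest%%:*}
    age=${rest#*:}
    # libtool rejects an age greater than current.
    if [ "$age" -gt "$current" ]; then
        echo "age exceeds current: $2" >&2; return 2
    fi
    # The SONAME carries only the major number (current - age);
    # age and revision appear in the file name alone.
    major=$((current - age))
    printf '%s.so.%s.%s.%s %s.so.%s\n' \
        "$lib" "$major" "$age" "$revision" "$lib" "$major"
}

# Succeed only if every triple yields the same SONAME, the first of the
# two graft conditions quoted from the Guix manual in the thread.
# Binary compatibility still has to be established separately.
same_soname() {
    lib=$1; shift
    first=
    for t in "$@"; do
        names=$(soversion_names "$lib" "$t") || return 2
        soname=${names#* }
        if [ -z "$first" ]; then first=$soname
        elif [ "$soname" != "$first" ]; then return 1
        fi
    done
    return 0
}

for t in '7:11:6' '7:12:6' '8: 0:7' '9: 0:8'; do
    soversion_names libexpat "$t"
done
same_soname libexpat '7:11:6' '7:12:6' '8: 0:7' '9: 0:8' && echo "SONAME unchanged"
```
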

* Re: Expat 2.3.0 has been released
  2021-05-09 14:23         ` Sebastian Pipping
@ 2021-05-09 14:32           ` Leo Famulari
  0 siblings, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2021-05-09 14:32 UTC (permalink / raw)
  To: Sebastian Pipping; +Cc: guix-devel

On Sun, May 09, 2021 at 04:23:16PM +0200, Sebastian Pipping wrote:
> On 09.05.21 16:07, Leo Famulari wrote:
> > On Sun, May 09, 2021 at 02:53:09PM +0200, Sebastian Pipping wrote:
> >> The related soversions are:
> >>
> >>   2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
> >>   2.2.10 = 7:12:6 -> libexpat.so.1.6.12
> >>   2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
> >>   2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)
> > 
> > Alright, in this case we'll need to cherry-pick the relevant bug fixes.
> > 
> > See the manual section Security Updates for this note:
> > 
> > "Other restrictions may apply: for instance, when adding a graft to a
> > package providing a shared library, the original shared library and its
> > replacement must have the same SONAME and be binary-compatible."
> 
> The soname is the same: it's libexpat.so.1 for all of them — no?
> 
>   # objdump -p libexpat.so.1.7.0 | grep SONAME
>     SONAME               libexpat.so.1
> 
> They are binary-compatible.  So I think there may be a misunderstanding
> here.

Ah, I misunderstood. It should be fine then to do the full update.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-08 16:00 ` Sebastian Pipping
  2021-05-09  9:12   ` Maxime Devos
@ 2021-05-09 22:07   ` Marius Bakke
  2021-05-09 22:23     ` Sebastian Pipping
  1 sibling, 1 reply; 11+ messages in thread
From: Marius Bakke @ 2021-05-09 22:07 UTC (permalink / raw)
  To: Sebastian Pipping; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 951 bytes --]

Sebastian Pipping <sebastian@pipping.org> skriver:

> Hello everyone,
>
>
> just a quick heads up that there will be a new release of libexpat with
> a security fix in a few weeks.  Unless I looked in the wrong place, I
> noticed that your distro has not updated to libexpat 2.3.0 as of today.
> If you ran into any issues with packaging 2.3.0, please let me know now
> so that I can fix things upstream for you and everyone while there is
> still a window before next releases to do so.  Thank you!

Hi Sebastian,

I have updated expat on our "core-updates" branch, since it entails a
full rebuild:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=831c6d84e1bcff4b68dfd0f6e299f2c0bb60d0b8

I notice 2.3.0 does not have any ABI changes from 2.2.9.  In that case
the security fix/version can be "grafted" in place without rebuilding
the world.  So count us ready, we'll test 2.3.0 meanwhile.  :-)

Thanks for the heads-up,
Marius


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Expat 2.3.0 has been released
  2021-05-09 22:07   ` Marius Bakke
@ 2021-05-09 22:23     ` Sebastian Pipping
  0 siblings, 0 replies; 11+ messages in thread
From: Sebastian Pipping @ 2021-05-09 22:23 UTC (permalink / raw)
  To: Marius Bakke; +Cc: guix-devel

Hi Marius,


On 10.05.21 00:07, Marius Bakke wrote:
> Sebastian Pipping <sebastian@pipping.org> skriver:
> 
>> Hello everyone,
>>
>>
>> just a quick heads up that there will be a new release of libexpat with
>> a security fix in a few weeks.  Unless I looked in the wrong place, I
>> noticed that your distro has not updated to libexpat 2.3.0 as of today.
>> If you ran into any issues with packaging 2.3.0, please let me know now
>> so that I can fix things upstream for you and everyone while there is
>> still a window before next releases to do so.  Thank you!
> 
> Hi Sebastian,
> 
> I have updated expat on our "core-updates" branch, since it entails a
> full rebuild:
> 
>   https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=831c6d84e1bcff4b68dfd0f6e299f2c0bb60d0b8
> 
> I notice 2.3.0 does not have any ABI changes from 2.2.9.  In that case
> the security fix/version can be "grafted" in place without rebuilding
> the world.  So count us ready, we'll test 2.3.0 meanwhile.  :-)

Thank you!

Best



Sebastian


^ permalink raw reply	[flat|nested] 11+ messages in thread
