From: Mark H Weaver
To: Leo Famulari, Léo Le Bouter
Cc: guix-devel@gnu.org
Subject: Re: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2
Date: Tue, 23 Mar 2021 19:05:42 -0400
Message-ID: <877dlxjwri.fsf@netris.org>
References: <87v99iki3l.fsf@netris.org> <5654415cbd9800ee9349a70a3252b3952248f5b7.camel@zaclys.net>

Hi Leo,

Leo Famulari writes:

> On Tue, Mar 23, 2021 at 03:38:02PM +0100, Léo Le Bouter wrote:
>> For this, the problem is not grafting but that the replacement package
>> definition has been made public, this is an "issue" (?) that is known
>> and I try to not make replacement package definitions public now.
>
> The replacement should be public in this case. We want people to get the
> updated ImageMagick when they do `guix install imagemagick`.

That should happen anyway, even without making the replacement package
public. I certainly *hope* that's what happens. If not, that's a
serious security flaw in Guix.

Also, I'm not sure why you qualify your suggestion with "in this case".
What is it that distinguishes ImageMagick from, e.g. glib, for purposes
of this question? Would it be any less bad for "guix install glib" to
install a glib with security flaws?

It would be good to reach agreement on whether replacement packages
should be made public. I haven't thought much about it, so I don't know
what the relevant issues are.

Regards,
Mark