unofficial mirror of guix-devel@gnu.org 
* Security patching and the branching workflow: a new security-updates branch
@ 2021-03-26 20:10 Léo Le Bouter
From: Léo Le Bouter @ 2021-03-26 20:10 UTC (permalink / raw)
  To: guix-devel


Hello!

There are two ways to ship security fixes to packages:

1. Update to a patched version if upstream provides one
2. Apply or backport individual patches to fix the issues in the
shipped version

Grafts are most reliable for 2. but there are cases where using 2. is
lots of work and we can't afford that right now. An example is
ImageMagick where not all security issues get a CVE so essentially the
only way of getting security fixes is to fetch master or get the latest
release.

There's also some types of packages where we are not sure whether we
can use grafting or not, such as Python ones.

For these reasons, I would like to propose a new branch called
security-updates that would be based on master where we queue security
fixes that introduce any arbitrary number of rebuilds without using
grafts.

We would merge the security-updates branch as soon as there is complete
substitute availability for the branch and its future merged version
within master.

The downsides of this approach are that:

1. Substitute availability does not mean we can ship the updates
quickly because this might mean hundreds of megabytes if not gigabytes
of new substitutes to fetch to actually get the update.
2. Users that don't use substitutes will suffer big rebuilds on each
security update shipped through this branch.

For these reasons, grafting should still be preferred when possible,
but there are cases where it cannot be used for technical reasons or for
lack of resources, yet we still must provide a fix quickly.

What do you think?

Léo


Thread overview: 15+ messages
2021-03-26 20:10 Security patching and the branching workflow: a new security-updates branch Léo Le Bouter
2021-03-26 22:13 ` Christopher Baines
2021-03-26 22:30   ` Léo Le Bouter
2021-03-27  8:56     ` Christopher Baines
2021-03-27 12:29 ` zimoun
2021-03-27 12:42   ` Léo Le Bouter
2021-03-27 13:56     ` zimoun
2021-03-27 14:14       ` Léo Le Bouter
2021-03-30 11:48         ` zimoun
2021-03-31  0:01           ` Léo Le Bouter
2021-03-31 21:29             ` Ludovic Courtès
2021-04-01 12:44               ` Léo Le Bouter
2021-04-01 14:58                 ` Ricardo Wurmus
2021-04-01 15:10                   ` Léo Le Bouter
2021-04-01 15:42                   ` Léo Le Bouter
