From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: 01/01: gnu: glibc/linux: Add patches for CVE-2017-1000366.
Date: Sat, 01 Jul 2017 17:59:10 +0200
Message-ID: <87h8ywb12p.fsf@gnu.org>
In-Reply-To: <87k23tpk4d.fsf@netris.org> (Mark H. Weaver's message of "Fri, 30 Jun 2017 11:31:46 -0400")
To: Mark H Weaver
Cc: guix-devel@gnu.org

Hi Mark,

Mark H Weaver wrote:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> civodul pushed a commit to branch core-updates
>> in repository guix.
>>
>> commit 503a4df904b8d4b82caebdb17db9c5f76a952418
>> Author: Ludovic Courtès
>> Date: Thu Jun 29 12:53:14 2017 +0200
>>
>>     gnu: glibc/linux: Add patches for CVE-2017-1000366.
>>
>>     * gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch,
>>     gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch,
>>     gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch: New files.
>>     * gnu/local.mk (dist_patch_DATA): Add them.
>>     * gnu/packages/base.scm (glibc/linux)[source](patches): Add them.
>>     [replacement]: Remove.
>>     (glibc-2.25-patched): Remove.
>>     (glibc-2.24, glibc-2.23, glibc-2.22, glibc-2.21)
>>     (glibc-locales): Remove 'replacement' field.
>
> Why did you remove the (replacement #f) fields from glibc-2.24,
> glibc-2.23, glibc-2.22, and glibc-2.21?

Simply to remove redundant lines.

> Keeping the inherited replacements will never do the right thing here,
> because the inherited replacement will always be for a newer version
> of glibc.
>
> It would be nice to have things arranged in such a way that we can
> simply add a replacement for 'glibc/linux', when needed. We did that
> work for CVE-2017-1000366. It would be good not to revert that work,
> to facilitate future security updates.

OK, I agree.

> More generally, I think we need to give more thought to how to handle
> 'replacement' fields when we inherit packages, in order to do the right
> thing when the inherited package is grafted. One way is to override
> (replacement #f). Another is to use the 'package/inherit' macro from
> (guix packages), which applies the same overrides to the replacement.
> I can't think of a case where it's proper to leave the 'replacement'
> unchanged when inheriting a package.
>
> What do you think?

First, we could mark the ‘replacement’ field as “innate”, which means it
will never be inherited (like the ‘location’ field.) Like you, I can’t
think of a situation where inheriting the replacement makes sense.

Then ‘package/inherit’ seems to be doing the rest of the job correctly.
The bad thing is that it’s easy to forget to use it. If we’re
motivated, we could hack this feature (let’s call it “recursive
inheritance”) right into (guix records).

Thoughts?

Thanks,
Ludo’.
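The four ways of handling 'replacement' on inheritance that this message discusses, as an added model that is not part of the original e-mail and is not Guix code. Packages are plain association lists, `inherit`, `inherit/recursive` and `stale-replacement?` are hypothetical helpers, and the package data is constructed.

```scheme
;; Model only: packages are association lists, not Guix <package> records.
(use-modules (srfi srfi-1))

(define (field pkg key) (assq-ref pkg key))

;; Model of (package (inherit PARENT) OVERRIDES ...): copy PARENT's fields
;; except the INNATE ones, then let OVERRIDES take precedence.
(define* (inherit parent overrides #:optional (innate '(location)))
  (append overrides
          (remove (lambda (f)
                    (or (memq (car f) innate)
                        (assq (car f) overrides)))
                  parent)))

;; Model of the recursive behaviour: the same overrides are applied to
;; the replacement, so the graft follows the inherited package.
(define (inherit/recursive parent overrides)
  (let ((repl (field parent 'replacement)))
    (inherit parent
             (append overrides
                     `((replacement
                        . ,(and repl (inherit/recursive repl overrides))))))))

;; A replacement built for another version is not a fix for this package.
(define (stale-replacement? pkg)
  (let ((repl (field pkg 'replacement)))
    (and repl
         (not (string=? (field pkg 'version) (field repl 'version))))))

;; Constructed data standing in for a package and its patched replacement.
(define patched
  '((name . "glibc") (version . "2.25") (patches "constructed-fix.patch")))
(define newest
  `((name . "glibc") (version . "2.25") (patches) (replacement . ,patched)))

(define older '((version . "2.24")))
(define cases
  `(("plain inherit" . ,(inherit newest older))
    ("(replacement #f)" . ,(inherit newest `((replacement . #f) ,@older)))
    ("innate replacement" . ,(inherit newest older '(location replacement)))
    ("recursive inherit" . ,(inherit/recursive newest older))))

(for-each
 (lambda (c)
   (let ((repl (field (cdr c) 'replacement)))
     (format #t "~a: replacement ~a, patches ~a, stale? ~a~%"
             (car c) (and repl (field repl 'version))
             (and repl (field repl 'patches)) (stale-replacement? (cdr c)))))
 cases)
```

Only the plain inherit case is flagged as stale, and only the recursive case keeps a patched replacement at the inherited version.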