From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id zEuGCBHMWGBsYQAA0tVLHw (envelope-from ) for ; Mon, 22 Mar 2021 16:55:45 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id gIbcAxHMWGBRSAAAB5/wlQ (envelope-from ) for ; Mon, 22 Mar 2021 16:55:45 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 9BA1A112C8 for ; Mon, 22 Mar 2021 17:55:44 +0100 (CET) Received: from localhost ([::1]:50236 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lONqB-0006EY-2x for larch@yhetil.org; Mon, 22 Mar 2021 12:55:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:60088) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lONpw-0006DM-TE for guix-devel@gnu.org; Mon, 22 Mar 2021 12:55:28 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:34442) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lONpw-0005WI-5w; Mon, 22 Mar 2021 12:55:28 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=43064 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lONpd-0007bf-8T; Mon, 22 Mar 2021 12:55:21 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: =?utf-8?Q?L=C3=A9o?= Le Bouter Subject: Re: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2 References: <87blbc38oa.fsf@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 2 Germinal an 229 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 22 Mar 2021 17:55:07 +0100 In-Reply-To: <87blbc38oa.fsf@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?= =?utf-8?Q?s?= message of "Sun, 21 Mar 2021 15:04:05 +0100") Message-ID: <87wntzw2l0.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616432144; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=xtaCYRt2qeLEAwbb2vNLyYaLLqa3Ejf4YLLOGEAmge0=; b=QltsV5rrTfInl6tTASzjqlxJiGI6HmNANGp29HuacWQ1zcdnyGnZb1zn598tGpMTuemTWN g2Sg0qZca7E2jXbCpEOc77rGBPXLqOIYjVk1ll+9oTjIRtzKUIq2bv17uOn5Due/LG0WHH apcJKhDgGxwL9h7bC34kj/WA1F8vXPzbVxCSe9vmoBSwc5jDu82ltrxL9T/VAFuQW85GzG Pv0FvJXyEQhC0VjvZvFSvgcxOFNHijd6OJfZxOQ0aA0wMqOHonK+nVb7SUJbAaNLx9Mtb2 VDZq2QplTjJ7M/MCjpetTShrdYui059EJWXJcLaqnbhfTAKm9rs4EHqw7exjSg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616432144; a=rsa-sha256; cv=none; b=g4hxXscYV4eL/ARqEnweTA7BUF6JWjsYr+Yff0imZrxTBnuwkctFoPIN+RP0Oj3+aeEoda otJ84v5fXdDeAgZntVFmG+uwj0D6HMN/rirAT3L2SqSFTFB2fbZ6LHoEeZFj5f3MoWxmgj VfSjKPXjk8QuY7OB/bf9CtyQyPdr/lft4Xra6MmaktDs4phMK2AA4oXfscE/tf5wGEu3rT NtZSEpjhQk7DQDTW6o6eEhbt4HzgOYSpDBBt21gxp+QHmSIzYJb9gaIoyK+4QvAWNR1JAW mBSTpnBJxRMZlMwDpXAutxloHijJZf1CZw9gMZYHzxYVSnVcH6SR/vx/57un2Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.92 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 9BA1A112C8 X-Spam-Score: -2.92 X-Migadu-Scanner: scn0.migadu.com X-TUID: me2AeZxb9k6l Hi again! Ludovic Court=C3=A8s skribis: > It=E2=80=99s also unclear to me that ImageMagick can be meaningfully graf= ted. > Are there users of libMagick*.so in external packages? That seems > unlikely. > > On berlin, I see this: > > $ guix graph -t referrers /gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-ima= gemagick-6.9.12-2g=20 > digraph "Guix referrers" { > "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" [la= bel =3D "imagemagick-6.9.12-2g", shape =3D box, fontname =3D sans]; > "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" -> = "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" [color = =3D darkviolet]; > "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" -> = "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" [color =3D dark= violet]; > "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" [label =3D = "ecl-ltk-0.992", shape =3D box, fontname =3D sans]; > "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" -> "/gnu/st= ore/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" [color =3D peachpuff4]; > > } > > That means =E2=80=98ecl-ltk=E2=80=99 is the only package that keeps a ref= erence to > ImageMagick, and thus, it=E2=80=99s the only one that would benefit from = the > graft. The graft is useless. I was plain wrong=E2=80=94apologies for the confusion! Running: guix graph -t referrers /gnu/store/cnyiwi6mn53jwmjh7kdvnlmagf3frsa3-image= magick-6.9.12-2g | xdot - on my laptop, I see at least emacs-w3m, pstoedit, skribilo, and (of course) inkscape. So grafting makes sense. Consequently, the way forward IMO is to get a 6.9.11 backport of whatever CVEs it is we are patching and to use such a patched 6.9.11 variant as the replacement. Does that make sense? Ludo=E2=80=99.