From: zimoun
Date: Tue, 16 Mar 2021 17:34:34 +0100
Subject: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
To: Léo Le Bouter
Cc: Guix Devel

Hi,

This commit 6f873731a030dd7ecbd8a5e756b38b26306f6966: fixes CVE-2021-24032 which says: "Beginning in v1.4.1 and prior to v1.4.9, output files were created with default permissions. [...]".

The mentioned commit replaces zstd@1.4.4 by zstd@1.4.9 which seems more than just grafting. Well, 1.4.4 was released in Nov 2019 and 1.4.9 some days ago. I agree that security is important but we lived more than one and a half years with 1.4.4 so the upgrade to 1.4.9 should only go to core-updates, not as a 'replacement' graft. IMHO.

The consequence of this change was the breakage of "guix pull" on master for at least i686. Which leads to the commit 2bcfb944bdd2f476ef8d34802fed436e4fdda0ab disabling the zstd test-suite for all the architectures.

Noting that "guix pull" should still be failing for at least i686 on core-updates because of the test suite of zstd@1.4.9.

The question is: should the next release 1.2.1 contain zstd@1.4.9 as a graft?
Or do we revert the commit and simply fix it on core-updates and wait for the next core-updates cycle? Personally, I am in favor of the latter. WDYT?

The issue is the test:

    roundTripTest -g8M "19 -T0 --long"

which fails for the value 19 but not other values such as 18 or 20 or many others. After a quick reading of the doc, I am not sure I understand the meaning of such a value. Input welcome.

BTW, on my machine the attached patch builds for both x86_64 and i686 (emulated).

    ./pre-inst-env guix build zstd@1.4.9 --system=i686-linux --no-grafts

Depending on the answer of the previous question, the patch should go to master or core-updates. And other architectures should be examined with care.

Cheers,
simon

[Attachment: fix-zstd-i686.patch (text/x-patch)]
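
Added illustration, not part of the original message and not zstd's code: what the quoted CVE text means by "default permissions". A file created without an explicit mode gets 0666 masked by the process umask, while a file created with an explicit 0600 is owner-only from the first moment. The function names and the scratch directory under /tmp are assumptions made for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 on error. */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* "Default permissions": fopen() creates the file as 0666 & ~umask. */
int create_default(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fclose(f);
    return mode_of(path);
}

/* Explicit owner-only mode at creation; O_EXCL refuses a pre-existing file. */
int create_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return mode_of(path);
}

/* Create one file of each kind under the given umask; 0 on success. */
int demo(mode_t mask, int *dflt, int *priv) {
    char dir[] = "/tmp/perm-demo-XXXXXX";   /* constructed scratch path */
    char a[64], b[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/default.out", dir);
    snprintf(b, sizeof b, "%s/private.out", dir);
    mode_t old = umask(mask);
    *dflt = create_default(a);
    *priv = create_private(b);
    umask(old);
    unlink(a); unlink(b); rmdir(dir);
    return (*dflt < 0 || *priv < 0) ? -1 : 0;
}

int main(void) {
    int d, p;
    if (demo(022, &d, &p) != 0) return 1;
    printf("umask 022: default=%04o private=%04o\n", d, p);
    return 0;
}
```

Under the common umask of 022 the default-mode file is readable by every local user for as long as it exists with that mode, which matters when the data being written is sensitive.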