From: Leo Famulari
To: Mark H Weaver
Cc: guix-devel@gnu.org
Subject: Re: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2
Date: Wed, 24 Mar 2021 00:12:38 -0400

On Tue, Mar 23, 2021 at 07:05:42PM -0400, Mark H Weaver wrote:
> Also, I'm not sure why you qualify your suggestion with "in this case".
> What is it that distinguishes ImageMagick from, e.g. glib, for purposes
> of this question?  Would it be any less bad for "guix install glib" to
> install a glib with security flaws?

I forgot the reason that end-user applications should have public
replacements, and why it's less important for the replacements of
libraries to be public.

It's about the Guix user interface, that is, `guix show` and `guix
search`.

`guix show gnutls` won't show a meaningful result for a gnutls/fixed
replacement that cherry-picks some patches. Everything is the same about
the replacement package, except some very narrow bug fixing.

But `guix show imagemagick` will show the new version, available as a
replacement, in its results, and users should see it in the UI.

> It would be good to reach agreement on whether replacement packages
> should be made public.  I haven't thought much about it, so I don't know
> what the relevant issues are.

Based on those examples, I'd suggest that replacements that update the
package's version should be public.

It's been suggested before that all the package variables should be
publicly exported, but using the hidden-package procedure. I don't
remember the exact reason.

Sorry for the unreliable communication!