From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id WOTTNVC8WmA5cgAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 24 Mar 2021 04:13:04 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id YLvBMVC8WmAEQQAAB5/wlQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 24 Mar 2021 04:13:04 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 7955012C29
	for <larch@yhetil.org>; Wed, 24 Mar 2021 05:13:04 +0100 (CET)
Received: from localhost ([::1]:40794 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1lOutD-0002cQ-9e
	for larch@yhetil.org; Wed, 24 Mar 2021 00:13:03 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:41590)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1lOusv-0002bS-7Q
 for guix-devel@gnu.org; Wed, 24 Mar 2021 00:12:45 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:33787)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1lOusr-00035G-8F
 for guix-devel@gnu.org; Wed, 24 Mar 2021 00:12:45 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 7BCBC5C00E2;
 Wed, 24 Mar 2021 00:12:40 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Wed, 24 Mar 2021 00:12:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=Ed9GYybFwoonSHNuMMSr1lWX
 2QqUD7BWKDOjo30I+dk=; b=WDpaBuLrVKmn8PNol6tHC/Wx5qD96j7wtdo31UB8
 B92j9jE9iQFjpMpjTaQmZxwFgRRYlnf/YdEk0KqSm4VTLwW1AKQuVG1FAkqyKEaB
 083LvEyyUqBiND6p/J0gg+FVQ4Fc6BCnuvlTdyxca78kyuzNPjbwfJeg5hRP85hH
 4UM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=Ed9GYy
 bFwoonSHNuMMSr1lWX2QqUD7BWKDOjo30I+dk=; b=DdqqY8NaTXXPq0TUG5b/Pv
 qxyvsg9zID4jQOGHkDywdW9HGAQh0lB/1orbBPEkgufr2ovNz+13J0TUvtocQYEb
 2wb9B+9uRk197wKCcImL/mSxubzTfH3fZXYFen81De5Jndbfck/VUo2Dru6RSolC
 gkQcIfzrld2cr4J+s4cZKyeG8Rb7hTYkhaNq2kKdZUHimJ+y/UH9PzcuaYhxxi5N
 d0ufIHD3ysuMwXQynGSxHYr7iyOVaZ6gBZOXUq9+V4sfNfroT/Z6eOQvRWNCh4Xw
 eqP/j/9ml7yfdEuhdCk7QNC9lfou09V9eV/BB8kkBe2n4Djz/TNCJaPSHh8ZsL/w
 ==
X-ME-Sender: <xms:N7xaYK4POnje70h8q2NNKfTWwnZR7LsrORmq3xzAJCZiQNSJClmKCg>
 <xme:N7xaYD4dLfvhuAMmuu14ojNuRjB7yYZL7EADtdXLo6btjoFU8BLiJ_C705SQzOKDP
 JmbM8bCv-4zhehHpQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudegjedgieekucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
 cujfgurhepfffhvffukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpefnvghoucfh
 rghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrghtth
 gvrhhnpeeukeektdffvddtudegjeegtdevhfeufeeivdejiedtieegtdevjedvjeehffev
 gfenucfkphepuddttddruddurdduieelrdduudeknecuvehluhhsthgvrhfuihiivgeptd
 enucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:N7xaYJd_AyuAgqbduZd_AKQcx6c6jSKqjIsdeuJAJcQLpwUDuwDLpQ>
 <xmx:N7xaYHJpNkuDuBjcX6JK-_bEfxqefvVLiNJ5T5fCuoyFXBJhglj__Q>
 <xmx:N7xaYOIVQzbwkWa-mepOQmcy9PYeBTHu1f_MN2_egPHngky1YmL_Tw>
 <xmx:OLxaYAhxUqRvd_MY7jR2jVsAteorbaxY-WKX7JEXm0yn51aL1SGOvA>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id 6073D24033F;
 Wed, 24 Mar 2021 00:12:39 -0400 (EDT)
Date: Wed, 24 Mar 2021 00:12:38 -0400
From: Leo Famulari <leo@famulari.name>
To: Mark H Weaver <mhw@netris.org>
Subject: Re: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2
Message-ID: <YFq8NlACoRTfQf9P@jasmine.lan>
References: <d84349e57bc20d554ba0590b0a433dd6986199f6.camel@zaclys.net>
 <YFhxcOGC2iSbUwNz@jurong> <87v99iki3l.fsf@netris.org>
 <YFn5r6xUyy34kwMm@jurong>
 <5654415cbd9800ee9349a70a3252b3952248f5b7.camel@zaclys.net>
 <YFopKL1qeVhA7iQI@jasmine.lan> <877dlxjwri.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <877dlxjwri.fsf@netris.org>
Received-SPF: pass client-ip=66.111.4.25; envelope-from=leo@famulari.name;
 helo=out1-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Cc: guix-devel@gnu.org
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1616559184;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=Ed9GYybFwoonSHNuMMSr1lWX2QqUD7BWKDOjo30I+dk=;
	b=j1xYAZPrG66HyLzNopIHGeCjpbLqL8W0HWK5pmnNGFxWrvcs7UuR4JeX/p6vj62ntgKmNB
	4Sh/MFhz8f/QX6UW5afNarSnZ39XFfqWAr1sxRJk5u2f3WNXY7svHdPsEAT9GxThRTnpec
	RAvqA99sL423nkev+zIpvKtzI0uSyZbWea31tjJm0CgAAyGmK20crZxWf+AlkOkE6Lac/U
	Lc9EDEldSbfTJXjbgpcckFdknrRmIJLza23Z7j/p2melTXAXjSAIW2KiYQV+NfNnSKPAAs
	+FmB4UVWsu6jhrBtFfCi1xT4SMvOt7CpJdu0tgJdLh/NF7Vm24fVvfvelqiCjA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616559184; a=rsa-sha256; cv=none;
	b=HfecBH4irbHgeimvk5aGqyKilEWoRr9Pp1jdjGiQGeFXij/GIhDnQHm2/PLu4og2LXQkKD
	R2XimxIVIP7BsAaqrjS7HgXOih0jpnZc532bdMdOQ5QCUth5E66LGOw1aalzCjrhBX1Axp
	NWaTvacbH6oeSgkU4/X9CEMZ9pirDV79qLUcu2oUiGVMm0VdwWsADrecDVh6JnaSno38HH
	QlgK9ARK5EkTm6DypRz87H4ZMG3NGlAkCqaPFmKvjbPrOdn2g8eg18QIA4sc7ZEscu/9vu
	2Dp2ctKZHp7XeweccArAmaJiTBlRIvMDVZ0ymkOhif4b8S+s0ODg9mSfKEeibw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=WDpaBuLr;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=DdqqY8Na;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Spam-Score: -1.42
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=WDpaBuLr;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=DdqqY8Na;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: 7955012C29
X-Spam-Score: -1.42
X-Migadu-Scanner: scn0.migadu.com
X-TUID: 1rhOLn9dzthI

On Tue, Mar 23, 2021 at 07:05:42PM -0400, Mark H Weaver wrote:
> Also, I'm not sure why you qualify your suggestion with "in this case".
> What is it that distinguishes ImageMagick from, e.g. glib, for purposes
> of this question?  Would it be any less bad for "guix install glib" to
> install a glib with security flaws?

I forgot the reason that end-user applications should have public
replacements, and why it's less important for the replacements of
libraries to be public.

It's about the Guix user interface, that is, `guix show` and `guix
search`.

`guix show gnutls` won't show a meaningful result for a gnutls/fixed
replacement that cherry-picks some patches. Everything is the same about
the replacement package, except some very narrow bug fixing.

But `guix show imagemagick` will show the new version, available as a
replacement, in its results, and users should see it in the UI.

> It would be good to reach agreement on whether replacement packages
> should be made public.  I haven't thought much about it, so I don't know
> what the relevant issues are.

Based on those examples, I'd suggest that replacements that update the
package's version should be public.

It's been suggested before that all the package variables should be
publicly exported, but using the hidden-package procedure. I don't
remember the exact reason.

Sorry for the unreliable communication!