From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:700:3204::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id wFh+OxwliWUVWwAAkFu2QA (envelope-from ) for ; Mon, 25 Dec 2023 07:45:49 +0100 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id cJuaNhwliWXTAgAAe85BDQ (envelope-from ) for ; Mon, 25 Dec 2023 07:45:48 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=EoyPegqD; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1703486748; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=aQIfdmKWJxlV60iUwHxE0mxioaOcbNSV0e3VK0bd83E=; b=h8jH56aHlyCBU7GtHvKx0zOE7P0adGwRPVLMc30RYuEUUCOSbXtRtXjK5Cp2y6H10Ipb7X bNB16YPoQ4fZdsnP8DombGJ+qJA5HZy2P9FzUIPv6OZYKKPwieJYGvpLouyypdwP/V92Po pft9SNpq4hiCDYLWnZRJSs7jyfc3xMJlAf/JsA5ua12aD0+QFpI6zhCLDDdaK29bcHngGn GS15Nb6U1tpNBC8FtZSOukBn7S5idcGBBf8yqaXppCVWT4QhxK26ThsWn/xjHS54xv4EKH Vb2xJz84DkQm0QC7nqHdOo2D8kgP4FTLFBXuyq2saFe3iLoaMCOvSvfr6RIHbg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1703486748; a=rsa-sha256; cv=none; b=AsUO9DXyYuCtOzKBjJv96GPyCIC3z9B2po6bUQHjdr4HEAKn2CJ+kzMx2Wzkbc3wMJVkyk 55M8CI+VRAyl5RxhBu0PGyfADE3noYEk0kw3DfwQW+Ycb4QbDsdu0V5zMmJIMI9mUQyVFU /8Etwa9wKFd4Po6tIevUNWSswaMOZsKTc3dED6FBl3oYYqf1Q7XYG/W3JaKzPtvrsqMKwL rDzX6MFt3vcwrC65kH1VeWyu4ngjicCEHU/oa1Vz1X0GU0T6D4TT9tipeehHB579ejyuTA sSvDvnVe6uymZtmNzqFZ+9fpVAs8eoNUtHl+erAnV1YRN7DtWC3XL8ZVsgz6mw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=EoyPegqD; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=none Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4D11F59F00 for ; Mon, 25 Dec 2023 07:45:47 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rHehy-0002sq-LJ; Mon, 25 Dec 2023 01:45:02 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rHehx-0002sO-KZ for guix-devel@gnu.org; Mon, 25 Dec 2023 01:45:01 -0500 Received: from mail-wm1-x32f.google.com ([2a00:1450:4864:20::32f]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rHehu-0003IX-JA for guix-devel@gnu.org; Mon, 25 Dec 2023 01:45:01 -0500 Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-40b5155e154so49074045e9.3 for ; Sun, 24 Dec 2023 22:44:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1703486697; x=1704091497; darn=gnu.org; h=in-reply-to:content-disposition:mime-version:references :mail-followup-to:message-id:subject:to:from:date:sender:from:to:cc :subject:date:message-id:reply-to; bh=aQIfdmKWJxlV60iUwHxE0mxioaOcbNSV0e3VK0bd83E=; b=EoyPegqDHnWqBWZUkx7iGWG030LLxPAS+EKXY/niVB9uUdV/wKZ/SxNKaJ4j5uskWA aAIK4mo2oNBsKtme6yiyQ7x+v+QeZDIk543J3vcIjhUgqJ3uwfcoM4ht50uFn1O3c06r 0oW4kfrxcUkp4IsXYlWWOcLNHiDuxZseQp4LPzh3TrbiuHiUpYFAOBx3ibI4yYEEIQIJ 1BkNmrWS+lDMnyOrKGUVpfOa2k/ngllMryaNy9nzn6wWOrmdbe/rA7U9zeESA+W5xFsT AeJr68RT3Xgcjv4QXidBgnGMrR0trI8ZMSOUrkaxWK1EBFRGdHul+/PK7wUOgEQGLSrp Fehg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703486697; x=1704091497; h=in-reply-to:content-disposition:mime-version:references :mail-followup-to:message-id:subject:to:from:date:sender :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aQIfdmKWJxlV60iUwHxE0mxioaOcbNSV0e3VK0bd83E=; b=DGeg+RnFM0QxksQNaPeo1MWmk5tJklNyv102HRihGBugD4XyLd1j8l/Kl4DTXxw7Wg 8T6UG25yckeIeW5OmlWU2vw9jMQ7mn1LkQZck67zBHuIOAns5DP8cks720lpgdzpqq8C 1wpnauQDPHUYk8G8YktAFgBMkuR+39JptSY+kPE/uERtQWkfQtTE2Z55V+Og0IM0dhKi c+LaKEAVygrViJQbmHgtwJuM9bXiCFnnPz1/daPVg/4R8YvjLg1h09ZzYN1c81ahPOPD Y/Z2NJrQKKL4Gf/CgywFOSJzBS59ocq9mNMkq35NogRROZTPMmNjLBdHmSk6XMeR1Th3 fsiw== X-Gm-Message-State: AOJu0YyajJOFt3yADnB9CsiS3kAu8qx9V8jbCJZ2/XNsk/rlm4N5WDlG Bti5w2Yo12xe9lMARjTuZWVKPIZUer7dXsFf X-Google-Smtp-Source: AGHT+IHeQo/lrHJQmUBAMsIFYBmy12fZT4B3h86fJ3Nb7uo+r7RGQMusyCHroUdBUjohcTiTRH18Vw== X-Received: by 2002:a05:600c:33aa:b0:40c:267e:314c with SMTP id o42-20020a05600c33aa00b0040c267e314cmr2555876wmp.103.1703486696802; Sun, 24 Dec 2023 22:44:56 -0800 (PST) Received: from localhost ([141.226.15.142]) by smtp.gmail.com with ESMTPSA id v8-20020a05600c444800b0040c2c5f5844sm16105507wmn.21.2023.12.24.22.44.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 Dec 2023 22:44:56 -0800 (PST) Date: Mon, 25 Dec 2023 08:44:54 +0200 From: Efraim Flashner To: John Kehayias , guix-devel , Kaelyn , Maxim Cournoyer , Liliana Marie Prikler , Vivien Kraus Subject: Re: xwayland security updates, to mesa- or core-updates or ? Message-ID: Mail-Followup-To: John Kehayias , guix-devel , Kaelyn , Maxim Cournoyer , Liliana Marie Prikler , Vivien Kraus References: <878r5nqmod.fsf@protonmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="FoPTog8KuX9J9hgu" Content-Disposition: inline In-Reply-To: X-PGP-Key-ID: 0x41AAE7DCCA3D8351 X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Received-SPF: pass client-ip=2a00:1450:4864:20::32f; envelope-from=efraim.flashner@gmail.com; helo=mail-wm1-x32f.google.com X-Spam_score_int: -14 X-Spam_score: -1.5 X-Spam_bar: - X-Spam_report: (-1.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -4.31 X-Spam-Score: -4.31 X-Migadu-Queue-Id: 4D11F59F00 X-Migadu-Scanner: mx11.migadu.com X-TUID: GL/Sk2IB2ND1 --FoPTog8KuX9J9hgu Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Dec 22, 2023 at 09:19:27AM +0200, Efraim Flashner wrote: > On Thu, Dec 21, 2023 at 09:18:50PM +0000, John Kehayias wrote: > > Hi all, > >=20 > > On Mon, Dec 18, 2023 at 12:57 AM, John Kehayias wrote: > >=20 > > > Hi Kaelyn and everyone, > > > > > > On Fri, Dec 15, 2023 at 05:25 PM, Kaelyn wrote: > > > > > >> On Thursday, December 14th, 2023 at 10:21 PM, John Kehayias > > >> wrote: > > >> > > >>> > > >>> Hi Guix, > > >>> > > >>> In light of (more) CVEs in xwayland, see > > >>> , > > >>> > > >>> with already pending security updates, see > > >>> , I would like to prioritize > > >>> > > >>> getting that fixed in master. The tricky thing is that, according to > > >>> 67136, the xwayland update needs newer xorgproto, which corresponds= to > > >>> many rebuilds. (The related CVEs in xorg-server have been pushed > > >>> already as effectively minor version bumps.) > > >>> > >=20 > > I also updated curl as it was going to be rebuilt and had a new > > version out (with some security fixes). I hadn't grafted it on master > > but we could do that if the mesa-updates branch isn't merged to master > > first. > >=20 > > [snip] > >=20 > > > > > > I've pushed 3 patches (mesa, xorgproto, xorg-server-xwayland) to > > > mesa-updates after merging in master. The farm is building away. > > > > >=20 > > I also had to skip a failing test (unknown reasons) of gtk with these > > updates. > >=20 > > Finally, I also enabled the zink driver in Mesa (zink is for OpenGL on > > Vulkan). I remember someone asking about it on #guix recently as well, > > and we should have it enabled in general, to support devices which may > > not be able to use OpenGL without it. > >=20 > > > The request for merging is at with > > > some details. In short, running into some issues with builds "failing" > > > because they just die or "missing derivation" errors. I'm restarting > > > what I see that seems higher impact, but is there anyway to restart > > > all the failed builds or ones with missing dependencies? > > > > >=20 > > This is still true though I've tried to manually restart lots of > > builds on x86_64 and i686, which has removed many of the failures. Any > > idea what is happening to cause this more recently? > >=20 > > [snip] > >=20 > > > Thanks! I saw you had posted the latest version and that's what I > > > included. On x86_64-linux at least everything has built fine for > > > those, but the larger world remains to be seen. > > > > > > Would still like confirmation from other branches about what they want > > > to do, but we have some time while things build. And builds get > > > restarted. > > > > >=20 > > I haven't seen QA process this branch, so I'm just going with what I > > see on Berlin. From the branches overview it shows about 61% last I > > saw, compared to 72% for master. Unfortunately, non x86 architectures > > are usually better covered by Bordeaux, but I don't know where to get > > a sense of that coverage. For what it is worth, Efraim has manually > > built xorgproto and mesa at least on powerpc64le, riscv64, without > > issues. >=20 > I had berlin build for powerpc64le and that went without any problems. > Locally I built for riscv64 and powerpc and those both built fine. I > ran into an issue locally with curl on aarch64 and test 1477(?) which is > weird since it's supposed to be skipped but I'm sending it through > again. Haven't started armhf yet. >=20 > > Coverage on x86_64 and i686 seems good from what I can tell. I also > > don't think there are any other branches ready to merge, and would > > like to give them time to rebuild once these changes hit. > >=20 > > Any thoughts on when to merge? > >=20 > > Thanks everyone! > > John I've been having trouble with curl on aarch64 again. Looking at this snippet from the build log: test 1477...[Verify that error codes in headers and libcurl-errors.3 are in= sync] 1477: stdout FAILED: --- log/1/check-expected 2023-12-22 10:53:51.658667071 +0000 +++ log/1/check-generated 2023-12-22 10:53:51.658667071 +0000 @@ -1 +0,0 @@ -Result[LF] - abort tests test 1475...[-f and 416 with Content-Range: */size] --pd---e--- OK (1247 out of 1472, remaining: 00:45, took 5.310s, duration: = 04:11) test 1474...[HTTP PUT with Expect: 100-continue and 417 response during upl= oad] --pd---e--- OK (1246 out of 1472, remaining: 00:48, took 22.794s, duration:= 04:29) Warning: test1474 result is ignored, but passed! =2E.. TESTFAIL: These test cases failed: 1477 It looks like 1474 is passing locally and the ~1474 is telling the test suite to ignore the result. If that's how ~ is interpreted then I'd suggest that 1477 is failing hard enough that it's taking the test suite with it, not merely ignoring the result. I'll continue poking it but right now I'm starting to like the hurd plan of disabling the test instead of merely ignoring the result. --=20 Efraim Flashner =D7=A8=D7=A0=D7=A9=D7=9C=D7=A4 = =D7=9D=D7=99=D7=A8=D7=A4=D7=90 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --FoPTog8KuX9J9hgu Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmWJJOYACgkQQarn3Mo9 g1ENuw/+PbM2WRcZCkmCeDtJgCnvw1ieIeNQ8npz2rh4FcUilgvDkaKwFfXtyAGu 2nlJWrB3bHSzTEOHRFf49YG0BxnOOb+TL9OEJ4pW5Sh+TQpisk//YJbnO8y2CwjO +kQ1IQo99hE+u3wraJU3Bw06COqDnGxL+BeVwodY380zJOAJVBNmKdrVaH1JKZKv fa1iygxhab++gXY/pjh4w5orsVqO3sFUheVHC++UFEAwBR7sUvPxA3dhXYxkPNCZ ++kFvppcqvZ5AnBHLeiRHCKiz/Yi+1TBvrm19znqzq0gZHXzrC9iHZGgfAccAs65 LItyqo2y7MEgflL8MJUvtnbfWjViW4J/WDskuWpljWRTeKjvUmJE/XnoL3vRgSJ1 sTuOdl8SES4wa6X46aaz/67sHCSF/bJQ0wcpcI8PUGQT+Dh4aFE1oEPnbxD6koJh EiVWRDDCzK8vYEBMtkq+ZdIHyWC6w1xwOrZnUNyzjqViJT4m0casC+EIxpRl7pfD /zdFbHUXF4thPIqEPBybw4hGYd4F65ExZjk0/9aoNeus1nFnUDGA8IOamUnqFUTI aL/jbZ4oMrhGcb05AjWrnvonR682brW+7I+ODGt2Pn/frsjwN3+5JpvqSoVW4ndg OpMbD+rwy/baPzutbxQ0DVy0blcPZfvesj6XgDnqq+Y9DipclQk= =+z3A -----END PGP SIGNATURE----- --FoPTog8KuX9J9hgu--