From: Léo Le Bouter
To: guix-devel@gnu.org
Subject: imagemagick@6.9.11-48 to graft or not to graft with 6.9.12-2
Date: Fri, 19 Mar 2021 10:40:45 +0100

Hello!

See commit: 82e887ba48c2ba91b17aa9b6b17501e3e0ef4aef

Following discussion around whether it is safe to graft and whether we should do so or not, first, I apologize for not doing as rigorous checking on this issue as I should have, and also requesting more peer-review. I initially believed those two ImageMagick versions were ABI compatible with unchanged soname so it turns out it would be a rather uncontroversial graft to make, but now it turns out we have a changed soname, but whether it is binary (backwards) compatible or not remains a question.

We had a user reporting that Inkscape stopped working after the graft (https://logs.guix.gnu.org/guix/2021-03-18.log#100200), after which we decided on IRC with rekado we might cheat by symlinking the shared libraries, which I've done in commit 2e0ff59f0cd836b156f1ef2e78791d864ce3cfcd. From a glance it didn't seem the soname change caused backwards incompatible changes but only forward incompatible changes.

Let's see some abidiff output now:

$ ./pre-inst-env guix environment --ad-hoc libabigail -- abidiff $(./pre-inst-env guix build --no-grafts imagemagick@6.9.11-48 | grep -v doc)/lib/libMagickCore-6.Q16.so.6 $(./pre-inst-env guix build imagemagick@6.9.12-2g | grep -v doc)/lib/libMagickCore-6.Q16.so.7
ELF SONAME changed
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 0 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 1 Added variable symbol not referenced by debug info

SONAME changed from 'libMagickCore-6.Q16.so.6' to 'libMagickCore-6.Q16.so.7'

1 Added variable symbol not referenced by debug info:

  [A] .gomp_critical_user_analyzeImage

$ ./pre-inst-env guix environment --ad-hoc libabigail -- abidiff $(./pre-inst-env guix build --no-grafts imagemagick@6.9.11-48 | grep -v doc)/lib/libMagick++-6.Q16.so.8 $(./pre-inst-env guix build imagemagick@6.9.12-2g | grep -v doc)/lib/libMagick++-6.Q16.so.9
ELF SONAME changed
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable

SONAME changed from 'libMagick++-6.Q16.so.8' to 'libMagick++-6.Q16.so.9'

$ ./pre-inst-env guix environment --ad-hoc libabigail -- abidiff $(./pre-inst-env guix build --no-grafts imagemagick@6.9.11-48 | grep -v doc)/lib/libMagickWand-6.Q16.so.6 $(./pre-inst-env guix build imagemagick@6.9.12-2g | grep -v doc)/lib/libMagickWand-6.Q16.so.7
ELF SONAME changed
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable

SONAME changed from 'libMagickWand-6.Q16.so.6' to 'libMagickWand-6.Q16.so.7'

Any more ABI diff-ing/testing, information, etc. on whether this is safe or not is welcome; it sounds to me it could be fine but there is some amount of doubt still.

If we can't graft ImageMagick we shall revert all commits, and then it means we would have to apply patches for each and every CVE, which can be tedious to create and maintain, and to me leaving the package as-is without patching is not really OK :-/

To graft or not to graft?

Thank you,
Léo
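
The graft question in the message above comes down to reading each abidiff report for two things: removed or changed symbols, and a SONAME change. The following is an added example, not part of the original message or of Guix or libabigail; `classify` and its verdict strings are hypothetical names, and the sample is the libMagickCore report quoted above.

```python
import re

# Constructed sample: the libMagickCore report quoted in the message above.
SAMPLE_REPORT = """\
ELF SONAME changed
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 0 Added function symbol not referenced by debug info
Variable symbols changes summary: 0 Removed, 1 Added variable symbol not referenced by debug info

SONAME changed from 'libMagickCore-6.Q16.so.6' to 'libMagickCore-6.Q16.so.7'

1 Added variable symbol not referenced by debug info:

  [A] .gomp_critical_user_analyzeImage
"""

SUMMARY = re.compile(r"^(?P<kind>.+?) changes summary: (?P<counts>.+)$", re.M)
COUNT = re.compile(r"(\d+) (Removed|Changed|Added)")
SONAME = re.compile(r"^SONAME changed from '([^']+)' to '([^']+)'", re.M)


def classify(report):
    """Hypothetical helper: turn an abidiff text report into a graft verdict."""
    totals = {"Removed": 0, "Changed": 0, "Added": 0}
    # Sum the counts over every "... changes summary:" line in the report.
    for m in SUMMARY.finditer(report):
        for n, what in COUNT.findall(m.group("counts")):
            totals[what] += int(n)
    soname = SONAME.search(report)
    result = {"totals": totals,
              "soname_change": soname.groups() if soname else None}
    if totals["Removed"] or totals["Changed"]:
        # Already-built dependents may use something that is gone or altered.
        result["verdict"] = "incompatible"
    elif soname:
        # Exported symbols are a superset of the old ones, but dependents
        # record the old soname in DT_NEEDED, so the loader will not find the
        # new file unless the old name is also provided (the symlink above).
        result["verdict"] = "compatible-symbols-but-soname-changed"
    elif totals["Added"]:
        result["verdict"] = "backward-compatible-additions"
    else:
        result["verdict"] = "identical"
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT))
```

abidiff reports sub-type changes only when DWARF debug information is available for both libraries; without it the report covers only added or removed ELF symbols, so a clean verdict here is a lower bound on the checking needed.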