unofficial mirror of guix-patches@gnu.org 
* [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671.
@ 2017-10-25 18:56 Leo Famulari
  2017-10-25 19:04 ` [bug#29000] Ungrafting glibc? Leo Famulari
  2017-10-26 22:33 ` [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671 Ludovic Courtès
  0 siblings, 2 replies; 4+ messages in thread
From: Leo Famulari @ 2017-10-25 18:56 UTC
  To: 29000

* gnu/packages/base.scm (glibc)[replacement]: Remove field.
[source]: Add 'glibc-CVE-2017-15670-15671.patch'.
(glibc/fixed): Remove variable.
---
 gnu/packages/base.scm | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9cb628d8d..e1826f57b 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -528,7 +528,6 @@ store.")
   (package
    (name "glibc")
    (version "2.25")
-   (replacement glibc/fixed)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
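Review bot: the removal of `(replacement glibc/fixed)` just below the version field turns the fix from a graft into a change to glibc's own source, and the commit log neither says so nor names the branch the change is meant for. Since the three log lines only list the fields touched, a short sentence above them stating that this ungrafts glibc and which branch should carry it would make the rebuild cost visible to anyone reading the history.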
@@ -549,6 +548,7 @@ store.")
                                      "glibc-o-largefile.patch"
                                      "glibc-memchr-overflow-i686.patch"
                                      "glibc-vectorized-strcspn-guards.patch"
+                                     "glibc-CVE-2017-15670-15671.patch"
                                      "glibc-CVE-2017-1000366-pt1.patch"
                                      "glibc-CVE-2017-1000366-pt2.patch"
                                      "glibc-CVE-2017-1000366-pt3.patch"))))
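Review bot: the added "glibc-CVE-2017-15670-15671.patch" entry sits ahead of the three glibc-CVE-2017-1000366 patches, whereas the removed glibc/fixed built its list with `(append (origin-patches (package-source glibc)) (search-patches ...))`, which applied it last. Moving the entry to the end of the list would reproduce the patch order the graft was built with; if this position is deliberate, confirm the whole series still applies cleanly in the new order.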
@@ -787,15 +787,6 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-(define glibc/fixed
-  (package
-    (inherit glibc)
-    (source (origin
-              (inherit (package-source glibc))
-              (patches (append
-                        (origin-patches (package-source glibc))
-                        (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
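Review bot: deleting the `glibc/fixed` definition after the `glibc` identifier-syntax leaves any other user of that variable unbound, and the diffstat shows only gnu/packages/base.scm touched. A grep for glibc/fixed across the tree before pushing would settle it; any remaining reference should be removed or pointed at `glibc` in this same commit.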
-- 
2.14.3

* [bug#29000] Ungrafting glibc?
  2017-10-25 18:56 [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671 Leo Famulari
@ 2017-10-25 19:04 ` Leo Famulari
  2017-10-26 22:32   ` Ludovic Courtès
  2017-10-26 22:33 ` [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671 Ludovic Courtès
  1 sibling, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2017-10-25 19:04 UTC
  To: 29000

It would be nice to ungraft glibc soon, in my opinion.

Grafting the entire distribution causes some user experience issues that
many of us are used to, but that are not really that great, especially
for new users.

The issue is build farm capacity.

I wonder how long it takes to rebuild everything for Intel-compatible
systems on berlin.guixsd.org?

Maybe fast enough that rebuilding the world for this change would not
disrupt Guix development too much... except that rebuilding the world
for armhf would take a very long time, during which we could not be
building the other regular changes for armhf.

Ideas and discussion welcome!

* [bug#29000] Ungrafting glibc?
  2017-10-25 19:04 ` [bug#29000] Ungrafting glibc? Leo Famulari
@ 2017-10-26 22:32   ` Ludovic Courtès
  0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2017-10-26 22:32 UTC
  To: Leo Famulari; +Cc: 29000

Hello!

Leo Famulari <leo@famulari.name> writes:

> It would be nice to ungraft glibc soon, in my opinion.

Yes.  I think if you do that in ‘core-updates’, we can start building
it; it’s long overdue anyway.  How does that sound?

> Grafting the entire distribution causes some user experience issues that
> many of us are used to, but that are not really that great, especially
> for new users.

Honestly, I feel that this bad user experience is a shame, and fixing it
is among my priorities.  It should be possible to have grafts without
their current negative effects on the UI.

> The issue is build farm capacity.

Yes, though even with infinite build farm capacity, we wouldn’t want to
force people to rebuild/redownload the world too often.

That said…

> I wonder how long it takes to rebuild everything for Intel-compatible
> systems on berlin.guixsd.org?

Good question.  An interesting project would be to measure latency
between push date and substitute availability date, for instance.

berlin is pretty powerful now, so now we should see whether ‘guix
offload’ incurs too much overhead.

> Maybe fast enough that rebuilding the world for this change would not
> disrupt Guix development too much... except that rebuilding the world
> for armhf would take a very long time, during which we could not be
> building the other regular changes for armhf.

Yes, that’s another problem, but I hope we’ll alleviate it soon by
buying ARM machines.

Ludo’.

* [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671.
  2017-10-25 18:56 [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671 Leo Famulari
  2017-10-25 19:04 ` [bug#29000] Ungrafting glibc? Leo Famulari
@ 2017-10-26 22:33 ` Ludovic Courtès
  1 sibling, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2017-10-26 22:33 UTC
  To: Leo Famulari; +Cc: 29000

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/base.scm (glibc)[replacement]: Remove field.
> [source]: Add 'glibc-CVE-2017-15670-15671.patch'.
> (glibc/fixed): Remove variable.

OK for core-updates, thanks!

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git