From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 71024@debbugs.gnu.org
Subject: [bug#71024] Update diffoscope to 267 (with xz bonus update)
Date: Mon, 20 May 2024 23:01:52 -0700
Message-ID: <87bk4zr9db.fsf@wireframe>
In-Reply-To: <875xv7vq3w.fsf_-_@gmail.com>

On 2024-05-20, Maxim Cournoyer wrote:
> vagrant@reproducible-builds.org writes:
>
>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>>
>> * gnu/packages/compression.scm (xz-5.4): New variable.
>> ---
>> gnu/packages/compression.scm | 15 +++++++++++++++
>> 1 file changed, 15 insertions(+)
>>
>> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
>> index dd88fce9ca..d89d72c9b7 100644
>> --- a/gnu/packages/compression.scm
>> +++ b/gnu/packages/compression.scm
>> @@ -573,6 +573,21 @@ (define-public xz
>> (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
>> (home-page "https://tukaani.org/xz/")))
>>
>> +(define-public xz-5.4
>> + (package
>> + (inherit xz)
>> + (name "xz-5.4")
>> + (version "5.4.5")
>> + (source (origin
>> + (method url-fetch)
>> + (uri (list (string-append "http://tukaani.org/xz/xz-" version
>> + ".tar.gz")
>> + (string-append "http://multiprecision.org/guix/xz-"
>> + version ".tar.gz")))
>> + (sha256
>> + (base32
>> + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
>> +
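Review bot: both entries in the `uri` list of the new `origin` use plain `http://` (tukaani.org and multiprecision.org), while the `home-page` in the context line just above already uses `https://tukaani.org/xz/`; I would switch the first URI to `https://`, and the mirror too if it serves TLS, so the download does not rest on the `sha256` pin alone. Separately, `(name "xz-5.4")` overrides the inherited package name rather than only the version, and the new variable has no comment saying why a second xz is being added; a one-line comment above `(define-public xz-5.4` naming the consumer would make it easier to drop later.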
>
> Any reason not to use the latest, which is v5.6.1 (fetched from git, to
> avoid the xz backdoor issue)?

For one, 5.6.1 was also released by "Jia Tan" according to:

  https://tukaani.org/xz-backdoor/

To fix bugs in the backdoor partly introduced in 5.6.0... e.g. not to
remove the backdoor, but to make it a working backdoor.

In other words, DO NOT USE 5.6.1. :)

There are some concerns about questionable code by "Jia Tan" in earlier
versions too:

  https://bugs.debian.org/1068024

... although even the 5.4.x version I proposed was, admittedly, being a
bit lazy and just picking a version already present in core-updates as
the easiest path forward that was reasonably close to the version
present in Debian which diffoscope was tested against...

Reverting to 5.3.1 might be a more conservative approach, although I
have not tested it with diffoscope.

Or fixing diffoscope to work with the older xz version in master
(5.2.x?) that guix is already using, which, now that I have spelled out
all of the above, seems possibly a much better idea!

live well,
  vagrant