[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Liliana Marie Prikler]

According to upstream, the current version has 19 security issues.
See also <https://curl.se/docs/vuln-7.85.0.html>.

* gnu/packages/curl.scm (curl/fixed): New variable.
(curl): Use it as replacement.
---
 gnu/packages/curl.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 4e3c563570..dd612ce356 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -65,6 +65,7 @@ (define-public curl
   (package
     (name "curl")
     (version "7.85.0")
+    (replacement curl/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "https://curl.se/download/curl-"
@@ -154,6 +155,20 @@ (define-public curl
                                    "See COPYING in the distribution."))
     (home-page "https://curl.haxx.se/")))
 
+(define curl/fixed
+  (let ((%version "8.3.0"))
+    (package
+      (inherit curl)
+      (version "8.3.0-0")               ; add -0 for grafting
+      (source (origin
+                (method url-fetch)
+                (uri (string-append "https://curl.se/download/curl-"
+                                    %version ".tar.xz"))
+                (sha256
+                 (base32
+                  "0qza6yf20y2l4aaxkn8dfw8p3fls1mxljvdb0m8z1i6ncxvn4v9p"))
+                (patches (search-patches "curl-use-ssl-cert-env.patch")))))))
+
 (define-public curl-ssh
   (package/inherit curl
     (arguments

base-commit: e71864793021051cff35597abd59bb2d5649977d
-- 
2.41.0

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 2174 bytes --]

On Thu, Oct 05, 2023 at 08:11:34AM +0200, Liliana Marie Prikler wrote:
> According to upstream, the current version has 19 security issues.
> See also <https://curl.se/docs/vuln-7.85.0.html>.
> 
> * gnu/packages/curl.scm (curl/fixed): New variable.
> (curl): Use it as replacement.
> ---
>  gnu/packages/curl.scm | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 4e3c563570..dd612ce356 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -65,6 +65,7 @@ (define-public curl
>    (package
>      (name "curl")
>      (version "7.85.0")
> +    (replacement curl/fixed)
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://curl.se/download/curl-"
> @@ -154,6 +155,20 @@ (define-public curl
>                                     "See COPYING in the distribution."))
>      (home-page "https://curl.haxx.se/")))
>  
> +(define curl/fixed
> +  (let ((%version "8.3.0"))
> +    (package
> +      (inherit curl)
> +      (version "8.3.0-0")               ; add -0 for grafting

'7.85.0' is 6 characters, bit '8.3.0-0' is 7 characters. I think I'd go
with '8.3.0A' to keep with previous (tribal knowledge) version mangling
schemes.

> +      (source (origin
> +                (method url-fetch)
> +                (uri (string-append "https://curl.se/download/curl-"
> +                                    %version ".tar.xz"))
> +                (sha256
> +                 (base32
> +                  "0qza6yf20y2l4aaxkn8dfw8p3fls1mxljvdb0m8z1i6ncxvn4v9p"))
> +                (patches (search-patches "curl-use-ssl-cert-env.patch")))))))
> +
>  (define-public curl-ssh
>    (package/inherit curl
>      (arguments
> 
> base-commit: e71864793021051cff35597abd59bb2d5649977d
> -- 
> 2.41.0

Once the version string is the same length (your choice how!) then LGTM!

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#66359: [PATCH] gnu: curl: Update to 8.3.0.

[Liliana Marie Prikler]

Am Donnerstag, dem 05.10.2023 um 10:19 +0300 schrieb Efraim Flashner:
> On Thu, Oct 05, 2023 at 08:11:34AM +0200, Liliana Marie Prikler
> wrote:
> > +(define curl/fixed
> > +  (let ((%version "8.3.0"))
> > +    (package
> > +      (inherit curl)
> > +      (version "8.3.0-0")               ; add -0 for grafting
> 
> '7.85.0' is 6 characters, bit '8.3.0-0' is 7 characters. I think I'd
> go with '8.3.0A' to keep with previous (tribal knowledge) version
> mangling schemes.
D'oh.

> > +      (source (origin
> > +                (method url-fetch)
> > +                (uri (string-append
> > "https://curl.se/download/curl-"
> > +                                    %version ".tar.xz"))
> > +                (sha256
> > +                 (base32
> > +                 
> > "0qza6yf20y2l4aaxkn8dfw8p3fls1mxljvdb0m8z1i6ncxvn4v9p"))
> > +                (patches (search-patches "curl-use-ssl-cert-
> > env.patch")))))))
> > +
> >  (define-public curl-ssh
> >    (package/inherit curl
> >      (arguments
> > 
> > base-commit: e71864793021051cff35597abd59bb2d5649977d
> > -- 
> > 2.41.0
> 
> Once the version string is the same length (your choice how!) then
> LGTM!
I used lowercase 'a' and pushed it.

Chers 

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Simon Tournier]

Hi,

On Thu, 05 Oct 2023 at 08:11, Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

> +(define curl/fixed
> +  (let ((%version "8.3.0"))

Naive question, why %version and not version?

> +    (package
> +      (inherit curl)
> +      (version "8.3.0-0")               ; add -0 for grafting
> +      (source (origin
> +                (method url-fetch)
> +                (uri (string-append "https://curl.se/download/curl-"
> +                                    %version ".tar.xz"))

Cheers,
simon

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Liliana Marie Prikler]

Am Donnerstag, dem 05.10.2023 um 18:26 +0200 schrieb Simon Tournier:
> Hi,
> 
> On Thu, 05 Oct 2023 at 08:11, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
> 
> > +(define curl/fixed
> > +  (let ((%version "8.3.0"))
> 
> Naive question, why %version and not version?
Because version gets shadowed by (package …).  I could reorder the
fields in a non-standard way, but that'd be even less readable,
therefore the extra variable.

> 
Cheers,

Liliana

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Simon Tournier]

Hi Liliana,

On Fri, 6 Oct 2023 at 10:54, Liliana Marie Prikler
<liliana.prikler@gmail.com> wrote:

> > Naive question, why %version and not version?
>
> Because version gets shadowed by (package …).  I could reorder the
> fields in a non-standard way, but that'd be even less readable,
> therefore the extra variable.

Ah, I see.  Thanks for explaining.

Well, %something is usually for "global" parameters.  At least, that
the convention with Guix.  Therefore, I would suggest to not use it in
order to avoid confusion.

Why not "this-version"?

Cheers,
simon

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Liliana Marie Prikler]

Am Freitag, dem 06.10.2023 um 11:09 +0200 schrieb Simon Tournier:
> Hi Liliana,
> 
> On Fri, 6 Oct 2023 at 10:54, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
> 
> > > Naive question, why %version and not version?
> > 
> > Because version gets shadowed by (package …).  I could reorder the
> > fields in a non-standard way, but that'd be even less readable,
> > therefore the extra variable.
> 
> Ah, I see.  Thanks for explaining.
> 
> Well, %something is usually for "global" parameters.  At least, that
> the convention with Guix.  Therefore, I would suggest to not use it
> in order to avoid confusion.
As far as I understand %something means "implementation detail" and
*something* means global, important something, but I might be mistaken
about that.

> Why not "this-version"?
Ain't nobody got time to type that.

[bug#66359] [PATCH] gnu: curl: Update to 8.3.0.

[Simon Tournier]

Re,

On Fri, 6 Oct 2023 at 11:55, Liliana Marie Prikler
<liliana.prikler@gmail.com> wrote:

> > Well, %something is usually for "global" parameters.  At least, that
> > the convention with Guix.  Therefore, I would suggest to not use it
> > in order to avoid confusion.
>
> As far as I understand %something means "implementation detail" and
> *something* means global, important something, but I might be mistaken
> about that.

It is not my understanding.  I mean, %something is not for symbol in
'let' binding.

Can we ask on #guix? :-)


> > Why not "this-version"?
>
> Ain't nobody got time to type that.

So pick the single letter 'v' ;-)

Cheers,
simon

[bug#66359] meaning of %something? (was Re: [bug#66359] [PATCH] gnu: curl: Update to 8.3.0.)

[Simon Tournier]

Hi Liliana,

On Fri, 06 Oct 2023 at 11:55, Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

>> Well, %something is usually for "global" parameters.  At least, that
>> the convention with Guix.  Therefore, I would suggest to not use it
>> in order to avoid confusion.
>
> As far as I understand %something means "implementation detail" and
> *something* means global, important something, but I might be mistaken
> about that.

For your information, what the Cookbook says about %something:

        The percentage % is typically used for read-only global
        variables in the build stage. Note that it is merely a
        convention, like _ in C. Scheme treats % exactly the same as any
        other letter.

        https://guix.gnu.org/cookbook/en/guix-cookbook.html#A-Scheme-Crash-Course

I think your change using ’%version’ in some let-binding is not
consistent with the rest.

Well, I have seen you already pushed this change.  Not an issue at all,
I can easily live with it. :-)

My aim with this message is only to communicate on some practises.
Maybe something should be raised on guix-devel.  Well, if you and I,
both spending some time working on Guix do not have the same
understanding for %something, then it means something is poorly
documented somewhere. :-)

WDYT about adding a paragraph about %something under,

    https://guix.gnu.org/manual/devel/en/guix.html#Coding-Style

?

Cheers,
simon

[bug#66359] meaning of %something? (was Re: [bug#66359] [PATCH] gnu: curl: Update to 8.3.0.)

[Liliana Marie Prikler]

Am Montag, dem 09.10.2023 um 14:33 +0200 schrieb Simon Tournier:
> Hi Liliana,
> 
> On Fri, 06 Oct 2023 at 11:55, Liliana Marie Prikler
> <liliana.prikler@gmail.com> wrote:
> 
> > > Well, %something is usually for "global" parameters.  At least,
> > > that the convention with Guix.  Therefore, I would suggest to not
> > > use it in order to avoid confusion.
> > 
> > As far as I understand %something means "implementation detail" and
> > *something* means global, important something, but I might be
> > mistaken about that.
> 
> For your information, what the Cookbook says about %something:
> 
>         The percentage % is typically used for read-only global
>         variables in the build stage. Note that it is merely a
>         convention, like _ in C. Scheme treats % exactly the same as
> any
>         other letter.
> 
>        
> https://guix.gnu.org/cookbook/en/guix-cookbook.html#A-Scheme-Crash-Course
> 
> I think your change using ’%version’ in some let-binding is not
> consistent with the rest.
I don't think my usage of the percent style changes the meaning of
"typically".  Our implementation details are typically, but not
exclusively, global variables in the build stage.

> My aim with this message is only to communicate on some practises.
> Maybe something should be raised on guix-devel.  Well, if you and I,
> both spending some time working on Guix do not have the same
> understanding for %something, then it means something is poorly
> documented somewhere. :-)
> 
> WDYT about adding a paragraph about %something under,
> 
>     https://guix.gnu.org/manual/devel/en/guix.html#Coding-Style
> 
> ?
I'll consider it, but perhaps explaining this within the same cookbook
entry might be a better idea.  Regardless of the outcome in Guix Devel,
I don't think that constraining variable names *too* hard is helpful,
though.

Cheers