From: "Ludovic Courtès" <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 48915@debbugs.gnu.org
Subject: [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
Date: Tue, 08 Jun 2021 23:32:35 +0200 [thread overview]
Message-ID: <87zgw0caa4.fsf_-_@gnu.org> (raw)
In-Reply-To: <YL+uaU2KyAfAB9+X@jasmine.lan> (Leo Famulari's message of "Tue, 8 Jun 2021 13:52:41 -0400")
Leo Famulari <leo@famulari.name> skribis:
> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> + (package
>> + (inherit polkit)
>> + (version "0.11A") ;0.116 + patch
>> + (source (origin
>> + (inherit (package-source polkit))
>> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.
Pushed as 9178566954cc7f34d2d991d31df4565adad93508!
As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the
version string unchanged (inherited from ‘polkit’).
We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.
Turns out it does, but this comment in (gnu ci) is still valid:
--8<---------------cut here---------------start------------->8---
(define (all-packages)
"Return the list of packages to build."
(define (adjust package result)
(cond ((package-replacement package)
;; XXX: If PACKAGE and its replacement have the same name/version,
;; then both Cuirass jobs will have the same name, which
;; effectively means that the second one will be ignored. Thus,
;; return the replacement first.
(cons* (package-replacement package) ;build both
package
result))
--8<---------------cut here---------------end--------------->8---
IOW, the replacement, and only the replacement, gets built.
The current ‘zstd’ replacement is private
<https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd>
only shows derivations for the replacement, not for the original one.
That’s okay though because the original one necessarily got built
earlier.
Thanks,
Ludo’.
prev parent reply other threads:[~2021-06-08 21:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-08 8:45 [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560 Ludovic Courtès
2021-06-08 17:52 ` Leo Famulari
2021-06-08 21:32 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zgw0caa4.fsf_-_@gnu.org \
--to=ludo@gnu.org \
--cc=48915@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).