From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id +8lWLc78BGTu6wAAbAwnHQ (envelope-from ) for ; Sun, 05 Mar 2023 21:34:22 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id GBP9LM78BGSX4QAAauVa8A (envelope-from ) for ; Sun, 05 Mar 2023 21:34:22 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 92CA51947B for ; Sun, 5 Mar 2023 21:34:22 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pYv3W-0007qK-JR; Sun, 05 Mar 2023 15:34:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pYv3U-0007q0-5A for guix-patches@gnu.org; Sun, 05 Mar 2023 15:34:04 -0500 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pYv3S-0003oQ-QJ for guix-patches@gnu.org; Sun, 05 Mar 2023 15:34:03 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pYv3S-0003Kc-Ct for guix-patches@gnu.org; Sun, 05 Mar 2023 15:34:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]. Resent-From: Simon Tournier Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 05 Mar 2023 20:34:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 61583 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Leo Famulari Cc: 61583@debbugs.gnu.org, Christopher Baines , Greg Hogan Received: via spool by 61583-submit@debbugs.gnu.org id=B61583.167804842112762 (code B ref 61583); Sun, 05 Mar 2023 20:34:02 +0000 Received: (at 61583) by debbugs.gnu.org; 5 Mar 2023 20:33:41 +0000 Received: from localhost ([127.0.0.1]:40737 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pYv37-0003Jk-81 for submit@debbugs.gnu.org; Sun, 05 Mar 2023 15:33:41 -0500 Received: from mail-lf1-f48.google.com ([209.85.167.48]:38829) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pYv35-0003JG-91 for 61583@debbugs.gnu.org; Sun, 05 Mar 2023 15:33:39 -0500 Received: by mail-lf1-f48.google.com with SMTP id m6so10181410lfq.5 for <61583@debbugs.gnu.org>; Sun, 05 Mar 2023 12:33:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678048413; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9b2maxSR3khHyZmvv59KfLuib4i9L6KZPAXDS4f5opA=; b=kJq4OPYPBPNyF/nC16ynGVCcYP46Iut2cXOAd48Luc91vc6i0GDTdFWjcVKN+9B5KX hZCzieFhyG1ICv5p35/ZCDH11WWsPs9G5JU/kc6SobcSSnE6cwEfDxiBMNqo7QTayIsU e0XE/G2gWyqgwRY1pqXaZWvKgMJ4P3jDS4lalrnonSDs+JJf18Xqq7ZOfcA0Dn0csl4I wOFrvQ331b78kXKDOZX+/J0mP3bcWrEOMi2j6n4iQ9YLn264yjg3G72KLbf8cgfutFBQ B+nvdEBqm9bwJUU5hI/G9PaHlW9smOWynqkzZfwpq4LAz89KDQslhDRPkCDTsh39f7Yv F6dA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678048413; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9b2maxSR3khHyZmvv59KfLuib4i9L6KZPAXDS4f5opA=; b=PNa2ZIYjI8/TIoCVSLQDNtn4GEEuNf/Fa9pR2XpswWbauRZ+zzGg69wuK9sUBJ8gCj RiOGOnjB0uP1jSbVRqKozZVAnc2fF4wL65ty7os2syDd16k17iVxZKKohSeLB3hecHlL ktz4uT5QmV3nKqVFiMRDBbU3W3NHH8sEtqninzVeKEhiAnfw4ESg2rxYvyGzj0Nq6lyp FFpUMXMgG+OZ/PyArjMZJroa2uk/JJ41jypmpysIhEV3mtXqe4zq6K3DPHen2hUr+/jU ufutWEqJlgtGVqFKSr0xbY1h0bMz/FXypn5cZrp8xkylW69LsP1nLAu/WbP/Pu1zQcm6 o51Q== X-Gm-Message-State: AO0yUKWUUpC8rRgMIZ70Hchyt8Lki+s+HRCjsM1MdxVWxsFXRgeueQCs 0u1XPGb/zf6Zusuqh0+Jj5hAKDgUoTUOo+5FR2I= X-Google-Smtp-Source: AK7set8+7RFYLCBzxClEjS3St3p08GfX00KLHqLuC7UiMl01W8TeVxIFcw5byPhMVR0cskqSCQRYMOTacCgiS0huKIU= X-Received: by 2002:ac2:44a3:0:b0:4df:1d72:8e87 with SMTP id c3-20020ac244a3000000b004df1d728e87mr2447161lfm.2.1678048412846; Sun, 05 Mar 2023 12:33:32 -0800 (PST) MIME-Version: 1.0 References: <20230217180402.29401-1-code@greghogan.com> <87y1os36js.fsf@gmail.com> In-Reply-To: From: Simon Tournier Date: Sun, 5 Mar 2023 21:33:20 +0100 Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1678048462; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=9b2maxSR3khHyZmvv59KfLuib4i9L6KZPAXDS4f5opA=; b=ZViWklmo8xJEDAh906myJGt9nFPtDINi7/KhFlCxFyjXeqGw3kaAAR4dmb6Cx5LrMLI1qp VWZ/qcPW5PO4hMIhVXjPNZYyvb+OHR7Bl+RL3nAPVuXuYc4eUETnSZ42KI2mQa5h6eDI7e uimQOxhlnRLYibqehae6+qRQsWLkUKlQ3qOsjQZEQTURCSmefN+pktmsbuT3FWmjWiQ5i/ lo6mPxlGsy/koeHKJvezLhS4juucogl50sxxxWTwoYthoamVSUsK23YlBGpfJM45+aVwGD tBi1rVCcMa5a5+RW7A/XR3qrn7UVHlMmHyvcwnELLPledJLj9exHsPUWElTl0g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=kJq4OPYP; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) ARC-Seal: i=1; s=key1; d=yhetil.org; t=1678048462; a=rsa-sha256; cv=none; b=nB70J6h9PUxt2oWzVljL6SQS+EcSaVW70uTE34+fXBXFo4tJFHhMkSpBhxEdiJ74T+zuxt rO8AnKKSM8D7pDi777yebU8pipCIP2fz/Y7vAjIWabKRYfj5KyBVDzGfwI2+V8V69nnWVq DxaEnbZMYKsGs1AYUnYoyvw46Ls7Lz5jAzpgUiFAw0wLx5RRza6L6Ch2rYcWSmkQEYN4qF 965AZB67mSDQhv/bp9s4eivLFYhAvVbag/KYtGGxpQuY8m3f4flSaYFl9FoaMGQ1MLSqgU 7XF9zlujxe5tu7DGLV6dwzZdDtTN0tIey4I/v+tey0z7wHxAkA/SGKMSche4xA== X-Migadu-Scanner: scn1.migadu.com X-Migadu-Spam-Score: -2.11 X-Spam-Score: -2.11 X-Migadu-Queue-Id: 92CA51947B Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=kJq4OPYP; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none) X-TUID: hUXQiacdFlfz Hi Leo, On Sun, 5 Mar 2023 at 19:46, Leo Famulari wrote: > At the Guix Days, it was said that there is a limit to how many builds > the QA server will perform for a change. I don't recall the number, but > maybe 300 builds per change? So, if a change causes too many rebuilds, > the QA server will not perform the builds. Ah thanks! I always forgot that limit. :-) I mean, since it says "not yet processed", I still think the limit is higher. ;-) Anyway. > For the Berlin server, I don't think that 546 builds is too many, at > least for Intel systems. Indeed. Just to note that the last update of Git was by commit: --8<---------------cut here---------------start------------->8--- 51f8a7aced70b7f79037bd99019dddaea07ced25 Author: Tobias Geerinckx-Rice AuthorDate: Sun Jan 15 01:00:03 2023 +0100 Commit: Tobias Geerinckx-Rice CommitDate: Sun Jan 15 01:00:08 2023 +0100 gnu: git: Update to 2.39.1 [fixes CVE-2022-41903 & CVE-2022-23521]. * gnu/packages/version-control.scm (git): Update to 2.39.1. Reported by HexMachina in #guix. --8<---------------cut here---------------end--------------->8--- and all was fine... > > Somehow the guarantee that none of these 546 would not be broken by > > the update. ;-) > > It's certainly possible that something breaks. But we can do a simple > test by trying to update our profiles and Guix System installations, and > checking that our tools still work. I think it's okay to cause a little > breakage in order to deploy important security updates. ...but it was not with the previous, --8<---------------cut here---------------start------------->8--- 83ede5a02e1fc531d912eb92eb0a22a4b897997c Author: Greg Hogan AuthorDate: Wed Oct 19 20:13:15 2022 +0000 Commit: Ludovic Court=C3=A8s CommitDate: Tue Nov 8 14:06:00 2022 +0100 gnu: git: Update to 2.38.1. Fixes CVE-2022-39253 and CVE-2022-39260. * gnu/packages/version-control.scm (git): Update to 2.38.1. Co-authored-by: Ludovic Court=C3=A8s --8<---------------cut here---------------end--------------->8--- which had broken part of the Julia ecosystem; now the same problem cannot arise for Julia. Who knows for the others? Anyway, I did this rebuild and I did not noticed large breaks. > > > Concretely, why can't we push this to master immediately? Since we agree it is fine for master, feel free to push. :-) Cheers, simon