Subject: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari
To: Josselin Poiret
Cc: 61583@debbugs.gnu.org, ludo@gnu.org, Greg Hogan, zimoun
Date: Sun, 5 Mar 2023 14:30:45 -0500
In-Reply-To: <87bkl8qu85.fsf@jpoiret.xyz>

> "Leo Famulari" writes:
> > Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Now I have confused myself and I'm unsure. I stepped away from Guix for a while and forgot a lot of the intimate knowledge I had on this subject.

I checked, and this patch does change the derivation of packages fetching from Git, although the output is identical. So, I am confused about if this will cause >10k rebuilds or not.

Here's how I checked, first by calculating derivations and outputs on the master branch, and then after applying the patch:

------
$ git rev-parse --abbrev-ref HEAD
master
$ git rev-parse HEAD
cedf97ed6ee4eba8c39bfe6cc0efe33fcb977ccf
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv
$ ./pre-inst-env guix build --no-grafts corefreq
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

Apply the patch:

------
$ git checkout contrib-security-git
Switched to branch 'contrib-security-git'
$ git log --oneline | head -n1
faeb52692d gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv
$ ./pre-inst-env guix build --no-grafts corefreq
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

The package derivation changed, but not the output. I'm looking for guidance on how to interpret these results.
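
An added example, not part of the message above and not Guix code: a simplified Python model of the "hash modulo fixed-output derivations" scheme that Nix and Guix use to name outputs, showing how a `.drv` file name can change while the output name stays the same. The graph (a checkout derivation that runs `git`), the name `git-OLD`, the content hash and the hashing format are constructed assumptions; the resulting hashes are not real store paths.

```python
import hashlib
from dataclasses import dataclass

def h(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()[:32]

@dataclass(frozen=True)
class Drv:
    name: str
    inputs: tuple = ()      # other Drv objects needed to run the build
    fixed_hash: str = ""    # declared content hash; non-empty means fixed-output

def drv_path(d: Drv) -> str:
    """Name of the .drv file: covers the literal .drv names of all inputs."""
    body = ",".join(drv_path(i) for i in d.inputs)
    return h(f"drv:{d.name}:{d.fixed_hash}:{body}") + f"-{d.name}.drv"

def hash_modulo(d: Drv) -> str:
    """Hash used to name outputs: a fixed-output input counts only as its content hash."""
    if d.fixed_hash:
        return h("fixed:out:sha256:" + d.fixed_hash)
    return h(f"drv:{d.name}:" + ",".join(hash_modulo(i) for i in d.inputs))

def out_path(d: Drv) -> str:
    return h("output:out:" + hash_modulo(d)) + "-" + d.name

def corefreq_with(git: Drv) -> Drv:
    # Constructed graph: the checkout derivation runs `git`; the package uses the checkout.
    source = Drv("corefreq-1.95.2-checkout", (git,), fixed_hash="CONSTRUCTED-CONTENT-HASH")
    return Drv("corefreq-1.95.2", (source,))

def compare(old_git: Drv, new_git: Drv) -> dict:
    old, new = corefreq_with(old_git), corefreq_with(new_git)
    return {
        "git_output_changed": out_path(old_git) != out_path(new_git),
        "source_drv_changed": drv_path(old.inputs[0]) != drv_path(new.inputs[0]),
        "source_output_changed": out_path(old.inputs[0]) != out_path(new.inputs[0]),
        "package_drv_changed": drv_path(old) != drv_path(new),
        "package_output_changed": out_path(old) != out_path(new),
    }

# "git-OLD" is a placeholder for the pre-patch Git package.
RESULT = compare(Drv("git-OLD"), Drv("git-2.39.2"))

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key}: {value}")
```

In this model only Git's own output and the `.drv` names change; an output name that stays the same means the existing store item or substitute is still valid for it.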