From: Maxime Devos
To: Remco van 't Veer, 56302@debbugs.gnu.org
Subject: [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes].
Date: Wed, 29 Jun 2022 20:57:46 +0200
In-Reply-To: <3edebb176b620a66a47b013a332c9683322e1a8d.camel@telenet.be>
References: <20220629155533.5224-1-remco@remworks.net> <3edebb176b620a66a47b013a332c9683322e1a8d.camel@telenet.be>

Maxime Devos wrote on Wed 29-06-2022 at 20:29 [+0200]:
> Remco van 't Veer wrote on Wed 29-06-2022 at 17:55 [+0200]:
> > +         "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
>
> This matches with a local
>
> $ guix download https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’
>
> and with all the hashes from
> .
>
> I'll try diffing (*) it with the old tarball for ‘suspiciousness’
> (e.g.: obvious malware, new bundling, ???).

When scrolling through the diff, nothing looked ‘suspect’ at first
glance. However, I did notice something else: some parts are not
under the Ruby License, but under 2-clause BSD:

│ ├── +++ ruby-2.7.4/gems/xmlrpc-0.3.0/LICENSE.txt
│ │┄ Files 26% similar despite different names
│ │ @@ -1,13 +1,10 @@
│ │ -test-unit is copyrighted free software by Kouhei Sutou
│ │ -, Ryan Davis
│ │ -and Nathaniel Talbott .
│ │ -
│ │ -You can redistribute it and/or modify it under either the terms of the GPL
│ │ -version 2 (see the file GPL), or the conditions below:
│ │ +Ruby is copyrighted free software by Yukihiro Matsumoto .
│ │ +You can redistribute it and/or modify it under either the terms of the
│ │ +2-clause BSDL (see the file BSDL), or the conditions below:

so it may be good to add ‘2-clause BSDL’ to the license field as well
(though given that it's an old issue, bringing the new version of ruby
in Guix has priority).

Also, looks like it bundles some autoconf scripts (config.guess), which
is not in line with , but also not priority given the security fix.

Greetings,
Maxime
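Review bot: the quoted patch hunk adds only the new sha256, and the subject line labels the update as security fixes, but nothing in the quoted text identifies which advisories the 2.7.6 update addresses; the commit message should name them (or point at the upstream release announcement) so the reason for the bump can be audited later, independently of the hash check already done against `guix download` and the hashes upstream publishes.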
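Review bot: the LICENSE.txt hunk compares two different files, not one file across releases: the line "Files 26% similar despite different names" means the diff tool paired a test-unit license text (the `-` lines, GPL version 2 or the conditions below) with gems/xmlrpc-0.3.0/LICENSE.txt (the `+` lines, 2-clause BSDL), so the hunk is not evidence of a license changing between 2.7.4 and 2.7.6, only that a BSDL-style text is shipped alongside the Ruby License. The suggestion to add the 2-clause BSD license to the `license` field still stands; since that text says "see the file BSDL", it is worth confirming the BSDL file is actually present in the tarball.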
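The review steps in the message above (check the new tarball's hash against the expected value, diff the old and new trees for new files and bundled generated scripts, and note which license texts are shipped so the `license` field can be made accurate) can be automated for a first pass. The script below is an added example, not code from the Guix patch, from Guix, or from this thread. It builds two small constructed tarballs in memory as stand-ins for the old and new Ruby releases (file names such as `gems/test-unit/LICENSE.txt`, `tool/config.guess` and `ChangeLog` are assumptions chosen for the demonstration; `gems/xmlrpc-0.3.0/LICENSE.txt` is the path from the diff), and the license classifier is a crude phrase matcher, not a substitute for reading the files:

```python
"""Triage a source-tarball update for a package review.

Added example, not code from the Guix patch or the mail thread. It builds two
small constructed tarballs in memory (stand-ins for the old and new Ruby
releases) and reports what a reviewer checks before accepting a version bump:
the sha256 against an expected value, files added/removed/modified, which
license families the shipped license texts belong to (crude phrase matching),
and whether generated autoconf scripts such as config.guess are bundled.
"""
import hashlib
import io
import json
import posixpath
import re
import tarfile

# Generated scripts a distribution usually prefers to regenerate itself.
BUNDLED_AUTOCONF = {"config.guess", "config.sub"}
LICENSE_FILENAMES = {"COPYING", "LICENSE", "LICENSE.txt", "BSDL", "GPL"}
# Tell-tale phrases only: enough to show which families a `license` field
# must cover, not a replacement for reading the file.
LICENSE_PHRASES = {
    "BSD-2-Clause": re.compile(r"2-clause BSDL|Redistribution and use in source and binary forms"),
    "GPL-2": re.compile(r"GPL\s+version 2|GNU General Public License"),
    "Ruby": re.compile(r"Ruby is copyrighted free software"),
}


def build_tarball(top_dir, files):
    """Build an uncompressed tar archive in memory from {path: text} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in sorted(files.items()):
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=f"{top_dir}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def read_tarball(data):
    """Map each regular file (path relative to the top-level directory) to its text."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[rel] = tar.extractfile(member).read().decode("utf-8", "replace")
    return out


def license_families(text):
    """Return the license families whose tell-tale phrases appear in the text."""
    return sorted(name for name, rx in LICENSE_PHRASES.items() if rx.search(text)) or ["unknown"]


def triage(old_data, new_data, expected_sha256):
    """Compare old and new tarballs and return the findings a reviewer wants first."""
    old, new = read_tarball(old_data), read_tarball(new_data)
    common = set(old) & set(new)
    license_paths = sorted(p for p in new if posixpath.basename(p) in LICENSE_FILENAMES)
    return {
        "sha256_matches": sha256_hex(new_data) == expected_sha256,
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
        "licenses": {p: license_families(new[p]) for p in license_paths},
        "new_or_changed_licenses": sorted(p for p in license_paths if p not in old or old[p] != new[p]),
        "bundled_autoconf": sorted(p for p in new if posixpath.basename(p) in BUNDLED_AUTOCONF),
    }


# Constructed sample trees; the license texts follow the wording quoted in the thread.
RUBY_LICENSE = (
    "Ruby is copyrighted free software by Yukihiro Matsumoto.\n"
    "You can redistribute it and/or modify it under either the terms of the\n"
    "2-clause BSDL (see the file BSDL), or the conditions below:\n"
)
TEST_UNIT_LICENSE = (
    "test-unit is copyrighted free software by Kouhei Sutou, Ryan Davis\n"
    "and Nathaniel Talbott.\n"
    "You can redistribute it and/or modify it under either the terms of the GPL\n"
    "version 2 (see the file GPL), or the conditions below:\n"
)
CONFIG_GUESS = "#! /bin/sh\n# Attempt to guess a canonical system name.\n"
OLD_FILES = {
    "COPYING": RUBY_LICENSE,
    "configure.ac": "AC_INIT([ruby], [2.7.4])\n",
    "tool/config.guess": CONFIG_GUESS,
    "gems/test-unit/LICENSE.txt": TEST_UNIT_LICENSE,  # assumed path
}
NEW_FILES = {
    **OLD_FILES,
    "configure.ac": "AC_INIT([ruby], [2.7.6])\n",
    "gems/xmlrpc-0.3.0/LICENSE.txt": RUBY_LICENSE,
    "ChangeLog": "Changes in 2.7.6\n",  # assumed file
}
OLD_TARBALL = build_tarball("ruby-2.7.4", OLD_FILES)
NEW_TARBALL = build_tarball("ruby-2.7.6", NEW_FILES)
# In a real review the expected value comes from `guix download` and the hashes
# upstream publishes; for the constructed archive it is derived from the bytes.
EXPECTED_SHA256 = sha256_hex(NEW_TARBALL)

if __name__ == "__main__":
    print(json.dumps(triage(OLD_TARBALL, NEW_TARBALL, EXPECTED_SHA256), indent=2))
```

Running it prints a report in which `configure.ac` is the only modified file, `gems/xmlrpc-0.3.0/LICENSE.txt` shows up both as an added file and as a license text matching the BSD-2-Clause and Ruby phrases, and `tool/config.guess` is flagged as a bundled autoconf script; passing a wrong expected hash flips `sha256_matches` to false. On real tarballs, `read_tarball` is the only part to adapt (gzip input and non-UTF-8 files), the phrase table is the part to extend.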