do old packages like Musescore 3.6.2 need updating?

do old packages like Musescore 3.6.2 need updating?

[Gottfried]

[-- Attachment #1.1.1: Type: text/plain, Size: 918 bytes --]

Hi,

1.
I have the old version of Musescore 3.6.2 which I want in one profile.
When I update all profiles at once through a script, it also builds 
locally the old version of Musescore, which needs 1 hour on my laptop.
Firstly, why it always builds it on my laptop?

2.
Do old versions of a package also need to be upgraded?

3.
and why it want to build it always on my laptop locally?

I thought old versions of a package don’t need upgrading, because only 
new packages develop.
May be I am mistaken.
Do old versions of a package also need upgrading because of some 
dependencies?

4.
when I upgrade all profiles at once, but do not want to upgrade 
Musescore 3.6.2
what are the possibilities?

Should I put Musescore 3.6.2 as only package in one profile and
exclude this profile from updating?
or is it better sometimes also to upgrade this old package?

Kind regards

Gottfried


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: do old packages like Musescore 3.6.2 need updating?

[Martin Castillo]

Am 28.04.23 um 17:15 schrieb Gottfried:
> Hi,
> 
> 1.
> I have the old version of Musescore 3.6.2 which I want in one profile.
> When I update all profiles at once through a script, it also builds 
> locally the old version of Musescore, which needs 1 hour on my laptop.
> Firstly, why it always builds it on my laptop?

When you update guix, musescores dependencies get updated (like 
libraries it uses). Once that happens, your manifest then implicitly 
defines a new musescore 3.6.2, where it's dependencies are the newer 
ones. Therefore musescore gets rebuild. Since musescore 3.6.2 is not 
packaged by the guix distribution anymore, it won't be build by the 
official substitute servers and your laptop cannot just download the 
built version.
> 
> 2.
> Do old versions of a package also need to be upgraded?

Normally you'd want to have up-to-date software because of three reasons:
1. Security issues get fixed.
2. Other malfunctions/bugs get fixed.
3. New functionality.

1. becomes much less relevant if your software is never exposed to 
untrusted inputs (e.g. has not internet connection). I'd guess musescore 
never connects to the internet. Do you maybe open musescore project 
files that you got from someone you don't trust, like random forums on 
the web? Or do you get soundfont files from similar sources? In that 
case a malicious file opened by musescore might do bad things to your 
system, if it can exploit a vulnerability musescore 3.6.2 (or one of 
it's dependencies) has.

How would you prevent that? You can't update musescore, because version 
3 is any longer supported.
In case 3.6.2 has any security related vulnerability it would be best to 
not open any files with it, that you don't trust to be non-harmful.

Rebuilding with a newer guix version might get rid of vulnerabilities 
from musescore's dependencies, but not any problems in musescore itself.

2. Similar to 1. there might be bugs that make musescore crash, hang or 
something. These may stem from a bug in one of the dependencies. If you 
encounter such a problem, rebuilding musescore might help.

3. Does not apply here, because musescore 3 does not receive any updates.

So in summary, rebuilding musescore 3.6.2 might increase it's stability, 
but you still should not expose musescore to untrusted files.


> 
> 3.
> and why it want to build it always on my laptop locally?
> 
> I thought old versions of a package don’t need upgrading, because only 
> new packages develop.
> May be I am mistaken.
> Do old versions of a package also need upgrading because of some 
> dependencies?
> 
> 4.
> when I upgrade all profiles at once, but do not want to upgrade 
> Musescore 3.6.2
> what are the possibilities?
> 
> Should I put Musescore 3.6.2 as only package in one profile and
> exclude this profile from updating?

That's a simple solution for your problem. If you don't notice any 
stability bugs of musescore, than you don't need to rebuild it.

> or is it better sometimes also to upgrade this old package?
> 
> Kind regards
> 
> Gottfried
> 

Re: do old packages like Musescore 3.6.2 need updating?

[Gottfried]

[-- Attachment #1.1.1: Type: text/plain, Size: 3434 bytes --]

Hi,

thank you very much.
It helps me to understand Guix.
I am happy to learn day by day.


Kind regards

Gottfried


Am 29.04.23 um 15:42 schrieb Martin Castillo:
> 
> 
> Am 28.04.23 um 17:15 schrieb Gottfried:
>> Hi,
>>
>> 1.
>> I have the old version of Musescore 3.6.2 which I want in one profile.
>> When I update all profiles at once through a script, it also builds 
>> locally the old version of Musescore, which needs 1 hour on my laptop.
>> Firstly, why it always builds it on my laptop?
> 
> When you update guix, musescores dependencies get updated (like 
> libraries it uses). Once that happens, your manifest then implicitly 
> defines a new musescore 3.6.2, where it's dependencies are the newer 
> ones. Therefore musescore gets rebuild. Since musescore 3.6.2 is not 
> packaged by the guix distribution anymore, it won't be build by the 
> official substitute servers and your laptop cannot just download the 
> built version.
>>
>> 2.
>> Do old versions of a package also need to be upgraded?
> 
> Normally you'd want to have up-to-date software because of three reasons:
> 1. Security issues get fixed.
> 2. Other malfunctions/bugs get fixed.
> 3. New functionality.
> 
> 1. becomes much less relevant if your software is never exposed to 
> untrusted inputs (e.g. has not internet connection). I'd guess musescore 
> never connects to the internet. Do you maybe open musescore project 
> files that you got from someone you don't trust, like random forums on 
> the web? Or do you get soundfont files from similar sources? In that 
> case a malicious file opened by musescore might do bad things to your 
> system, if it can exploit a vulnerability musescore 3.6.2 (or one of 
> it's dependencies) has.
> 
> How would you prevent that? You can't update musescore, because version 
> 3 is any longer supported.
> In case 3.6.2 has any security related vulnerability it would be best to 
> not open any files with it, that you don't trust to be non-harmful.
> 
> Rebuilding with a newer guix version might get rid of vulnerabilities 
> from musescore's dependencies, but not any problems in musescore itself.
> 
> 2. Similar to 1. there might be bugs that make musescore crash, hang or 
> something. These may stem from a bug in one of the dependencies. If you 
> encounter such a problem, rebuilding musescore might help.
> 
> 3. Does not apply here, because musescore 3 does not receive any updates.
> 
> So in summary, rebuilding musescore 3.6.2 might increase it's stability, 
> but you still should not expose musescore to untrusted files.
> 
> 
>>
>> 3.
>> and why it want to build it always on my laptop locally?
>>
>> I thought old versions of a package don’t need upgrading, because only 
>> new packages develop.
>> May be I am mistaken.
>> Do old versions of a package also need upgrading because of some 
>> dependencies?
>>
>> 4.
>> when I upgrade all profiles at once, but do not want to upgrade 
>> Musescore 3.6.2
>> what are the possibilities?
>>
>> Should I put Musescore 3.6.2 as only package in one profile and
>> exclude this profile from updating?
> 
> That's a simple solution for your problem. If you don't notice any 
> stability bugs of musescore, than you don't need to rebuild it.
> 
>> or is it better sometimes also to upgrade this old package?
>>
>> Kind regards
>>
>> Gottfried
>>

-- 

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: do old packages like Musescore 3.6.2 need updating?

[Gottfried]

[-- Attachment #1.1.1: Type: text/plain, Size: 4241 bytes --]

Hi,

I forgot to tell you

>  becomes much less relevant if your software is never exposed to 
>> untrusted inputs (e.g. has not internet connection). I'd guess musescore 
>> never connects to the internet. Do you maybe open musescore project 
>> files that you got from someone you don't trust, like random forums on 
>> the web? Or do you get soundfont files from similar sources? In that 
>> case a malicious file opened by musescore might do bad things to your 
>> system, if it can exploit a vulnerability musescore 3.6.2 (or one of 
>> it's dependencies) has.
>> 

that when I am using Musescore 3.6.2, the old version,
I don’t connect it to the internet, and don’t get something from 
somewhere, also musescore doesn’t connect to the internet.

I simply use it for writing notes for myself.

So there would not be any security problem in case I don’t update it.


Kind regards

Gottfried


Am 29.04.23 um 15:42 schrieb Martin Castillo:
> 
> 
> Am 28.04.23 um 17:15 schrieb Gottfried:
>> Hi,
>>
>> 1.
>> I have the old version of Musescore 3.6.2 which I want in one profile.
>> When I update all profiles at once through a script, it also builds 
>> locally the old version of Musescore, which needs 1 hour on my laptop.
>> Firstly, why it always builds it on my laptop?
> 
> When you update guix, musescores dependencies get updated (like 
> libraries it uses). Once that happens, your manifest then implicitly 
> defines a new musescore 3.6.2, where it's dependencies are the newer 
> ones. Therefore musescore gets rebuild. Since musescore 3.6.2 is not 
> packaged by the guix distribution anymore, it won't be build by the 
> official substitute servers and your laptop cannot just download the 
> built version.
>>
>> 2.
>> Do old versions of a package also need to be upgraded?
> 
> Normally you'd want to have up-to-date software because of three reasons:
> 1. Security issues get fixed.
> 2. Other malfunctions/bugs get fixed.
> 3. New functionality.
> 
> 1. becomes much less relevant if your software is never exposed to 
> untrusted inputs (e.g. has not internet connection). I'd guess musescore 
> never connects to the internet. Do you maybe open musescore project 
> files that you got from someone you don't trust, like random forums on 
> the web? Or do you get soundfont files from similar sources? In that 
> case a malicious file opened by musescore might do bad things to your 
> system, if it can exploit a vulnerability musescore 3.6.2 (or one of 
> it's dependencies) has.
> 
> How would you prevent that? You can't update musescore, because version 
> 3 is any longer supported.
> In case 3.6.2 has any security related vulnerability it would be best to 
> not open any files with it, that you don't trust to be non-harmful.
> 
> Rebuilding with a newer guix version might get rid of vulnerabilities 
> from musescore's dependencies, but not any problems in musescore itself.
> 
> 2. Similar to 1. there might be bugs that make musescore crash, hang or 
> something. These may stem from a bug in one of the dependencies. If you 
> encounter such a problem, rebuilding musescore might help.
> 
> 3. Does not apply here, because musescore 3 does not receive any updates.
> 
> So in summary, rebuilding musescore 3.6.2 might increase it's stability, 
> but you still should not expose musescore to untrusted files.
> 
> 
>>
>> 3.
>> and why it want to build it always on my laptop locally?
>>
>> I thought old versions of a package don’t need upgrading, because only 
>> new packages develop.
>> May be I am mistaken.
>> Do old versions of a package also need upgrading because of some 
>> dependencies?
>>
>> 4.
>> when I upgrade all profiles at once, but do not want to upgrade 
>> Musescore 3.6.2
>> what are the possibilities?
>>
>> Should I put Musescore 3.6.2 as only package in one profile and
>> exclude this profile from updating?
> 
> That's a simple solution for your problem. If you don't notice any 
> stability bugs of musescore, than you don't need to rebuild it.
> 
>> or is it better sometimes also to upgrade this old package?
>>
>> Kind regards
>>
>> Gottfried
>>

-- 



[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: do old packages like Musescore 3.6.2 need updating?

[Maxim Cournoyer]

Hello,

Gottfried <gottfried@posteo.de> writes:

> Hi,
>
> 1.
> I have the old version of Musescore 3.6.2 which I want in one profile.
> When I update all profiles at once through a script, it also builds
> locally the old version of Musescore, which needs 1 hour on my laptop.
> Firstly, why it always builds it on my laptop?

This suggests your are using an old Guix version, as musescore is
currently at 4.0.2.  Did you run 'guix pull' recently?  That's how
package definitions are updated.  Guix upgrade then use these to update
your profiles.

-- 
Thanks,
Maxim