* purpose of GnuTLS versions
From: Jack Hill @ 2023-01-26 5:12 UTC (permalink / raw)
To: guix-devel
Hi Guix,
We currently have two versions of GnuTLS packaged: 3.7.2 represented by
the `gnutls` variable and 3.7.7 represented by the `gnutls-latest`
variable. `guix refresh -l` reports that changes to the 3.7.2 version
would cause 14770 rebuilds, but only 30 rebuilds for the 3.7.7 version. As
far as I can tell, neither version currently has a replacement (graft).
What is the purpose of these two versions? 3.7.7 is almost the current
release [0], but 3.7.2 is an older release in the same series. GnuTLS does
have two release series [1], stable and next, that correspond to 3.6.x and
3.7.x numbering schemes.
It seems to me that the `gnutls` variable should refer to the latest
"stable" release, and the `gnutls-latest` variable to latest "next"
release. Does that make sense? What am I missing?
It appears that 3.7.2 has some unpatched advisories [2].
[0] https://issues.guix.gnu.org/61064
[1] https://gitlab.com/gnutls/gnutls/-/blob/master/RELEASES.md
[2] https://gnutls.org/security-new.html
Best,
Jack
* Re: purpose of GnuTLS versions
From: Simon Tournier @ 2023-01-26 12:04 UTC (permalink / raw)
To: Jack Hill, guix-devel
Hi,
On Thu, 26 Jan 2023 at 00:12, Jack Hill <jackhill@jackhill.us> wrote:
> It seems to me that the `gnutls` variable should refer to the latest
> "stable" release, and the `gnutls-latest` variable to latest "next"
> release. Does that make sense? What am I missing?
This means a core-updates change – so next core-updates merge cycle? :-)
If I read correctly, core-updates already uses 3.7.7 for the variable
’gnutls’ and note that the variable ’gnutls-latest’ also uses 3.7.7. :-)
Cheers,
simon
* Re: purpose of GnuTLS versions
From: Jack Hill @ 2023-01-30 20:25 UTC (permalink / raw)
To: Simon Tournier; +Cc: guix-devel
On Thu, 26 Jan 2023, Simon Tournier wrote:
> Hi,
>
> On Thu, 26 Jan 2023 at 00:12, Jack Hill <jackhill@jackhill.us> wrote:
>
>> It seems to me that the `gnutls` variable should refer to the latest
>> "stable" release, and the `gnutls-latest` variable to latest "next"
>> release. Does that make sense? What am I missing?
>
> This means a core-updates change – so next core-updates merge cycle? :-)
Agreed, a change to the gnutls variable will need to go through
core-updates. However, while the current situation does seem odd to me,
I'm still not sure what the best resolution will be. "Downgrading" gnutls
was only one option. Another option that I can think of is moving to only
having one GnuTLS version, probably 3.7.x, and fixing problems via grafts
in the master branch. In the meantime, we may want to move individual
packages from gnutls to gnutls-latest or patch the known bugs in gnutls
with grafts.
To help us decide, I've asked [0] the GnuTLS developers for their
thoughts.
> If I read correctly, core-updates already uses 3.7.7 for the variable
> ’gnutls’ and note that the variable ’gnutls-latest’ also uses 3.7.7. :-)
:)
[0] https://lists.gnutls.org/pipermail/gnutls-help/2023-January/004813.html
Best,
Jack
* Re: purpose of GnuTLS versions
From: Jack Hill @ 2023-01-30 21:19 UTC (permalink / raw)
To: guix-devel; +Cc: Simon Tournier
On Mon, 30 Jan 2023, Jack Hill wrote:
> To help us decide, I've asked [0] the GnuTLS developers for their thoughts.
I was directed to an older thread [0] which provides some more insight.
Having read that, I propose moving to just one gnutls version in
core-updates. Thoughts?
Then there's the question of what to do in the meantime for master. Grafts
for 3.7.2? Move packages to 3.7.7?
[0] https://lists.gnutls.org/pipermail/gnutls-help/2022-September/004748.html
Best,
Jack
* Re: purpose of GnuTLS versions
From: Ludovic Courtès @ 2023-01-30 21:51 UTC (permalink / raw)
To: Jack Hill; +Cc: guix-devel
Hi Jack,
Jack Hill <jackhill@jackhill.us> writes:
> We currently have two versions of GnuTLS packaged: 3.7.2 represented
> by the `gnutls` variable and 3.7.7 represented by the `gnutls-latest`
> variable. `guix refresh -l` reports that changes to the 3.7.2 version
> would cause 14770 rebuilds, but only 30 rebuilds for the 3.7.7
> version. As far as I can tell, neither version currently has a
> replacement (graft).
‘gnutls-latest’ was initially added to provide up-to-date Guile
bindings, since Guile bindings were part of GnuTLS.
Since a couple of months ago, Guile bindings live in a separate repo,
but the new ‘guile-gnutls’ package depends on ‘gnutls-latest’, which no
longer depends on Guile (whereas ‘gnutls’ still depends on Guile).
> It seems to me that the `gnutls` variable should refer to the latest
> "stable" release, and the `gnutls-latest` variable to latest "next"
> release. Does that make sense? What am I missing?
As Simon pointed out, that’s for ‘core-updates’.
> It appears that 3.7.2 has some unpatched advisories [2].
Ouch, then we probably need a ‘replacement’. Would you like to give it
a try?
Thanks for the heads-up!
Ludo’.
* Re: purpose of GnuTLS versions
From: Ludovic Courtès @ 2023-01-31 16:59 UTC (permalink / raw)
To: Jack Hill; +Cc: guix-devel, Simon Tournier
Jack Hill <jackhill@jackhill.us> writes:
> On Mon, 30 Jan 2023, Jack Hill wrote:
>
>> To help us decide, I've asked [0] the GnuTLS developers for their thoughts.
>
> I was directed to an older thread [0] which provides some more
> insight. Having read that, I propose moving to just one gnutls
> version in core-updates. Thoughts?
Agreed! Make sure Guile is removed from its inputs.
> Then there's the question of what to do in the meantime for
> master. Grafts for 3.7.2? Move packages to 3.7.7?
Graft, after making sure both versions are ABI-compatible (it should be
the case).
Thanks!
Ludo’.
* Re: purpose of GnuTLS versions
From: Jack Hill @ 2023-01-31 17:14 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel, Simon Tournier
On Tue, 31 Jan 2023, Ludovic Courtès wrote:
> Jack Hill <jackhill@jackhill.us> writes:
>
>> Then there's the question of what to do in the meantime for
>> master. Grafts for 3.7.2? Move packages to 3.7.7?
>
> Graft, after making sure both versions are ABI-compatible (it should be
> the case).
Unfortunately, we may not be so lucky. ABI Laboratory* reports that there were
some changes in 3.7.3 [0]. Does that look like it would be a problem? For
reference, the fixes for the announced security advisories look small
enough that a backport is feasible (although I haven't tried yet) [1][2].
* I don't know if we have ABI checking tools in Guix. The ones that power
ABI Laboratory look like candidates for packaging though.
[0] https://abi-laboratory.pro/index.php?view=compat_report&l=gnutls&v1=3.7.2&v2=3.7.3&obj=0a750&kind=abi#Symbol_Problems_High
[1] https://gitlab.com/dueno/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1
[2] https://gitlab.com/gnutls/gnutls/-/merge_requests/1615/diffs
Anyways, I'm of course happy to propose some patches (keeping in mind the
usual competition for my time, so it might be a couple days).
Best,
Jack
* Re: purpose of GnuTLS versions
From: Ludovic Courtès @ 2023-02-08 8:50 UTC (permalink / raw)
To: Jack Hill; +Cc: guix-devel, Simon Tournier
Hello!
Jack Hill <jackhill@jackhill.us> writes:
> On Tue, 31 Jan 2023, Ludovic Courtès wrote:
>
>> Jack Hill <jackhill@jackhill.us> writes:
>>
>>> Then there's the question of what to do in the meantime for
>>> master. Grafts for 3.7.2? Move packages to 3.7.7?
>>
>> Graft, after making sure both versions are ABI-compatible (it should be
>> the case).
>
> Unfortunately, we may not be so lucky. ABI Laboratory* reports that
> there were some changes in 3.7.3 [0].
I would recommend checking by running ‘abidiff’ (from the ‘libabigail’
package) on our own binaries, to be sure.
If there are only additions (new symbols), which is what I would expect,
then we’re fine. If there were deletions (unlikely), then we may have a
problem.
HTH!
Ludo’.
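
The check suggested in the last message, as an added example that is not part of the thread or of Guix: a shell wrapper that runs `abidiff` on two library files and maps its exit status bit field (as documented by libabigail) to a graft decision. The function names are hypothetical, and the two library paths are assumed to be supplied by the caller from their own builds.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# OLD_LIB and NEW_LIB are the libgnutls files from your own two builds.
#
# abidiff's exit status is a bit field (libabigail documentation):
#   1 ABIDIFF_ERROR        2 ABIDIFF_USAGE_ERROR
#   4 ABIDIFF_ABI_CHANGE   8 ABIDIFF_ABI_INCOMPATIBLE_CHANGE

# classify_abidiff_status STATUS: print identical|review|incompatible|error
classify_abidiff_status() {
    status=$1
    if [ $((status & 1)) -ne 0 ]; then
        echo error          # the tool itself failed (bad input, bad usage)
    elif [ $((status & 8)) -ne 0 ]; then
        echo incompatible   # e.g. removed symbols: dependents may break
    elif [ $((status & 4)) -ne 0 ]; then
        echo review         # ABI differs, nothing flagged as breaking
    else
        echo identical
    fi
}

# graft_check OLD_LIB NEW_LIB: run abidiff and report a decision.
# Returns 0 when a graft looks feasible, 1 when it does not, 2 on error.
graft_check() {
    old=$1
    new=$2
    for f in "$old" "$new"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    command -v abidiff >/dev/null 2>&1 ||
        { echo "abidiff not found" >&2; return 2; }
    rc=0
    abidiff "$old" "$new" || rc=$?   # the full report goes to stdout
    case $(classify_abidiff_status "$rc") in
        identical)    echo "ABI identical: graft is safe"; return 0 ;;
        review)       echo "ABI changed: confirm the report lists additions only"
                      return 0 ;;
        incompatible) echo "incompatible change: do not use NEW_LIB as a replacement"
                      return 1 ;;
        *)            echo "abidiff failed (status $rc)" >&2; return 2 ;;
    esac
}

# Run as a script: sh graft-check.sh OLD_LIB NEW_LIB
if [ "$#" -eq 2 ]; then graft_check "$1" "$2"; fi
```

A status of 4 without 8 is where added symbols land, but libabigail documents it as "may or may not be compatible", so the printed report still needs a human read before grafting.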