* IMPORTANT: glibc security update
@ 2016-02-19 13:33 Mark H Weaver
2016-02-19 18:14 ` Christopher Allan Webber
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Mark H Weaver @ 2016-02-19 13:33 UTC (permalink / raw)
To: guix-devel
Hello Guix!
I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
has not fully rebuilt it. I directed Hydra to build the most popular
packages first, and with greater effort devoted to x86_64, so my hope is
that most of what typical desktop users need is already built on x86_64.
Still, it is likely that you'll need to compile some things locally.
i686 is not as fully built, so users will probably need to do some more
compiling, but hopefully it is manageable. I was able to fully update
my Xfce desktop system on i686 anyway.
As I write this, the rebuilds of armhf and mips64el are considerably
less advanced, so be prepared for a significant amount of local
recompilation.
We'll prioritize getting grafts working properly soon, so that we can
deploy security updates to core libraries much more quickly in the
future.
Thanks,
Mark
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IMPORTANT: glibc security update
2016-02-19 13:33 IMPORTANT: glibc security update Mark H Weaver
@ 2016-02-19 18:14 ` Christopher Allan Webber
2016-02-20 5:20 ` Leo Famulari
2016-02-21 22:50 ` Ludovic Courtès
2 siblings, 0 replies; 6+ messages in thread
From: Christopher Allan Webber @ 2016-02-19 18:14 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
Mark H Weaver writes:
> Hello Guix!
>
> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
> has not fully rebuilt it. I directed Hydra to build the most popular
> packages first, and with greater effort devoted to x86_64, so my hope is
> that most of what typical desktop users need is already built on x86_64.
> Still, it is likely that you'll need to compile some things locally.
>
> i686 is not as fully built, so users will probably need to do some more
> compiling, but hopefully it is manageable. I was able to fully update
> my Xfce desktop system on i686 anyway.
>
> As I write this, the rebuilds of armhf and mips64el are considerably
> less advanced, so be prepared for a significant amount of local
> recompilation.
Thank you Mark, and everyone who works on getting Hydra in order so we
can be safe. We really appreciate your hard work!
> We'll prioritize getting grafts working properly soon, so that we can
> deploy security updates to core libraries much more quickly in the
> future.
Yay!
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IMPORTANT: glibc security update
2016-02-19 13:33 IMPORTANT: glibc security update Mark H Weaver
2016-02-19 18:14 ` Christopher Allan Webber
@ 2016-02-20 5:20 ` Leo Famulari
2016-02-21 1:40 ` Mark H Weaver
2016-02-21 22:50 ` Ludovic Courtès
2 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-02-20 5:20 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
On Fri, Feb 19, 2016 at 08:33:07AM -0500, Mark H Weaver wrote:
> Hello Guix!
>
> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
> has not fully rebuilt it. I directed Hydra to build the most popular
> packages first, and with greater effort devoted to x86_64, so my hope is
> that most of what typical desktop users need is already built on x86_64.
> Still, it is likely that you'll need to compile some things locally.
At least two users on #guix (including me) have found that `guix pull`
is not fetching the latest snapshot. That is, the downloaded snapshot
is of some commit before the CVE-2015-7547 patch was applied.
Can you take a look?
>
> i686 is not as fully built, so users will probably need to do some more
> compiling, but hopefully it is manageable. I was able to fully update
> my Xfce desktop system on i686 anyway.
>
> As I write this, the rebuilds of armhf and mips64el are considerably
> less advanced, so be prepared for a significant amount of local
> recompilation.
>
> We'll prioritize getting grafts working properly soon, so that we can
> deploy security updates to core libraries much more quickly in the
> future.
>
> Thanks,
> Mark
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IMPORTANT: glibc security update
2016-02-20 5:20 ` Leo Famulari
@ 2016-02-21 1:40 ` Mark H Weaver
2016-02-21 23:14 ` Mark H Weaver
0 siblings, 1 reply; 6+ messages in thread
From: Mark H Weaver @ 2016-02-21 1:40 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> On Fri, Feb 19, 2016 at 08:33:07AM -0500, Mark H Weaver wrote:
>> Hello Guix!
>>
>> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
>> has not fully rebuilt it. I directed Hydra to build the most popular
>> packages first, and with greater effort devoted to x86_64, so my hope is
>> that most of what typical desktop users need is already built on x86_64.
>> Still, it is likely that you'll need to compile some things locally.
>
> At least two users on #guix (including me) have found that `guix pull`
> is not fetching the latest snapshot. That is, the downloaded snapshot
> is of some commit before the CVE-2015-7547 patch was applied.
>
> Can you take a look?
Indeed, you are right. The problem is that, by default, "guix pull"
downloads the latest source from:
http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
and unfortunately, something is currently broken on Savannah, and that
snapshot is stuck on the commit before the glibc security update :-(
Until that's fixed, here's a workaround:
--8<---------------cut here---------------start------------->8---
$ git clone --depth 1 git://git.sv.gnu.org/guix.git master
Cloning into 'master'...
[...]
$ rm -rf master/.git
$ tar czf master.tar.gz master --sort=name --mtime=@0 --{owner,group}=root:0
$ guix pull --url=master.tar.gz
--8<---------------cut here---------------end--------------->8---
Mark
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IMPORTANT: glibc security update
2016-02-21 1:40 ` Mark H Weaver
@ 2016-02-21 23:14 ` Mark H Weaver
0 siblings, 0 replies; 6+ messages in thread
From: Mark H Weaver @ 2016-02-21 23:14 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Mark H Weaver <mhw@netris.org> writes:
> Leo Famulari <leo@famulari.name> writes:
>
>> At least two users on #guix (including me) have found that `guix pull`
>> is not fetching the latest snapshot. That is, the downloaded snapshot
>> is of some commit before the CVE-2015-7547 patch was applied.
>>
>> Can you take a look?
>
> Indeed, you are right. The problem is that, by default, "guix pull"
> downloads the latest source from:
>
> http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
>
> and unfortunately, something is currently broken on Savannah, and that
> snapshot is stuck on the commit before the glibc security update :-(
It appears that this problem is now fixed, so the workaround should no
longer be needed.
Mark
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: IMPORTANT: glibc security update
2016-02-19 13:33 IMPORTANT: glibc security update Mark H Weaver
2016-02-19 18:14 ` Christopher Allan Webber
2016-02-20 5:20 ` Leo Famulari
@ 2016-02-21 22:50 ` Ludovic Courtès
2 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2016-02-21 22:50 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
Mark H Weaver <mhw@netris.org> skribis:
> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
> has not fully rebuilt it. I directed Hydra to build the most popular
> packages first, and with greater effort devoted to x86_64, so my hope is
> that most of what typical desktop users need is already built on x86_64.
> Still, it is likely that you'll need to compile some things locally.
Thanks, Mark!
Ludo’.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-02-21 23:15 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-19 13:33 IMPORTANT: glibc security update Mark H Weaver
2016-02-19 18:14 ` Christopher Allan Webber
2016-02-20 5:20 ` Leo Famulari
2016-02-21 1:40 ` Mark H Weaver
2016-02-21 23:14 ` Mark H Weaver
2016-02-21 22:50 ` Ludovic Courtès
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.