On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
>
> Leo Famulari wrote:
>
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
>
> I think it's OK. If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to a different URL or a local file.
>
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
>
> […]
>
> > + (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > + "qemu-CVE-2017-15038.patch"
> > + (base32
> > + "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > + (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > + "qemu-CVE-2017-15268.patch"
> > + (base32
> > + "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > + (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > + "qemu-CVE-2017-15289.patch"
> > + (base32
> > + "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
>
> I trust these commits correspond to these CVEs.

Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.

Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream commits
don't mention the CVE ID, and every interested person has to re-do the
work of correlating the patch with the ID'd bug. In practice, I think
this extra work means that nobody will ever review the patches or check
that they correspond to a particular bug. Making that easy is worth the
extra bytes in our source tree.

Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.
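Review bot: the three `qemu-patch` call sites in the quoted hunk identify each fix only by an upstream commit hash plus a file name that carries the CVE number, and nothing in the hunk itself ties a given commit to that CVE; since, as the reply notes, the upstream commits do not mention the CVE IDs, a short comment per entry quoting the upstream commit subject (or pointing at the advisory) would let a reviewer confirm the pairing from the source tree instead of re-deriving it from Gitweb.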