Re: do old packages like Musescore 3.6.2 need updating?

[Martin Castillo <castilma@uni-bremen.de>]

Am 28.04.23 um 17:15 schrieb Gottfried:
> Hi,
> 
> 1.
> I have the old version of Musescore 3.6.2 which I want in one profile.
> When I update all profiles at once through a script, it also builds 
> locally the old version of Musescore, which needs 1 hour on my laptop.
> Firstly, why it always builds it on my laptop?

When you update guix, musescores dependencies get updated (like 
libraries it uses). Once that happens, your manifest then implicitly 
defines a new musescore 3.6.2, where it's dependencies are the newer 
ones. Therefore musescore gets rebuild. Since musescore 3.6.2 is not 
packaged by the guix distribution anymore, it won't be build by the 
official substitute servers and your laptop cannot just download the 
built version.
> 
> 2.
> Do old versions of a package also need to be upgraded?

Normally you'd want to have up-to-date software because of three reasons:
1. Security issues get fixed.
2. Other malfunctions/bugs get fixed.
3. New functionality.

1. becomes much less relevant if your software is never exposed to 
untrusted inputs (e.g. has not internet connection). I'd guess musescore 
never connects to the internet. Do you maybe open musescore project 
files that you got from someone you don't trust, like random forums on 
the web? Or do you get soundfont files from similar sources? In that 
case a malicious file opened by musescore might do bad things to your 
system, if it can exploit a vulnerability musescore 3.6.2 (or one of 
it's dependencies) has.

How would you prevent that? You can't update musescore, because version 
3 is any longer supported.
In case 3.6.2 has any security related vulnerability it would be best to 
not open any files with it, that you don't trust to be non-harmful.

Rebuilding with a newer guix version might get rid of vulnerabilities 
from musescore's dependencies, but not any problems in musescore itself.

2. Similar to 1. there might be bugs that make musescore crash, hang or 
something. These may stem from a bug in one of the dependencies. If you 
encounter such a problem, rebuilding musescore might help.

3. Does not apply here, because musescore 3 does not receive any updates.

So in summary, rebuilding musescore 3.6.2 might increase it's stability, 
but you still should not expose musescore to untrusted files.


> 
> 3.
> and why it want to build it always on my laptop locally?
> 
> I thought old versions of a package don’t need upgrading, because only 
> new packages develop.
> May be I am mistaken.
> Do old versions of a package also need upgrading because of some 
> dependencies?
> 
> 4.
> when I upgrade all profiles at once, but do not want to upgrade 
> Musescore 3.6.2
> what are the possibilities?
> 
> Should I put Musescore 3.6.2 as only package in one profile and
> exclude this profile from updating?

That's a simple solution for your problem. If you don't notice any 
stability bugs of musescore, than you don't need to rebuild it.

> or is it better sometimes also to upgrade this old package?
> 
> Kind regards
> 
> Gottfried
>