From: Mark H Weaver
Subject: Re: IMPORTANT: glibc security update
Date: Sat, 20 Feb 2016 20:40:51 -0500
Message-ID: <87lh6esuvw.fsf@netris.org>
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Fri, Feb 19, 2016 at 08:33:07AM -0500, Mark H Weaver wrote:
>> Hello Guix!
>>
>> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
>> has not fully rebuilt it. I directed Hydra to build the most popular
>> packages first, and with greater effort devoted to x86_64, so my hope is
>> that most of what typical desktop users need is already built on x86_64.
>> Still, it is likely that you'll need to compile some things locally.
>
> At least two users on #guix (including me) have found that `guix pull`
> is not fetching the latest snapshot. That is, the downloaded snapshot
> is of some commit before the CVE-2015-7547 patch was applied.
>
> Can you take a look?

Indeed, you are right. The problem is that, by default, "guix pull"
downloads the latest source from:

  http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz

and unfortunately, something is currently broken on Savannah, and that
snapshot is stuck on the commit before the glibc security update :-(

Until that's fixed, here's a workaround:

--8<---------------cut here---------------start------------->8---
$ git clone --depth 1 git://git.sv.gnu.org/guix.git master
Cloning into 'master'...
[...]
$ rm -rf master/.git
$ tar czf master.tar.gz master --sort=name --mtime=@0 --{owner,group}=root:0
$ guix pull --url=master.tar.gz
--8<---------------cut here---------------end--------------->8---

      Mark
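
An added example, not part of the original message or of Guix: a check for the stale-snapshot situation described above, telling which commit a downloaded snapshot was cut from before trusting it to contain a security fix. It assumes the snapshot is labelled the way `git archive` labels tarballs, with the commit id stored as the `comment` of a pax global header (the value `git get-tar-commit-id` reads); the expected head and the sample commit ids are constructed placeholders.

```python
import gzip
import io
import re
import tarfile

SHA1_RE = re.compile(r"[0-9a-f]{40}")


def snapshot_commit_id(tarball_bytes):
    """Return the commit id recorded in the tarball's pax global header, or None."""
    # tarfile reads the leading global header while opening the archive and
    # stores its key/value pairs in TarFile.pax_headers.
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tf:
        comment = tf.pax_headers.get("comment", "")
    return comment if SHA1_RE.fullmatch(comment) else None


def check_snapshot(tarball_bytes, expected_head):
    """Classify a snapshot against the branch head obtained out of band
    (for example from `git ls-remote`): 'current', 'stale' or 'unknown'."""
    found = snapshot_commit_id(tarball_bytes)
    if found is None:
        # A tarball made with plain `tar` from a clone whose .git was removed
        # carries no commit id, so its provenance must be checked another way.
        return "unknown"
    return "current" if found == expected_head else "stale"


def constructed_snapshot(commit_id):
    """Build a tiny .tar.gz in memory (constructed sample input, not real Guix data)."""
    raw = io.BytesIO()
    headers = {"comment": commit_id} if commit_id else {}
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers=headers) as tf:
        data = b"placeholder\n"
        info = tarfile.TarInfo("master/README")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue())


if __name__ == "__main__":
    OLD_HEAD = "a" * 40  # constructed id standing in for the pre-fix commit
    NEW_HEAD = "b" * 40  # constructed id standing in for the commit with the fix
    for label, cid in (("stuck", OLD_HEAD), ("fresh", NEW_HEAD), ("plain tar", None)):
        print(label, check_snapshot(constructed_snapshot(cid), NEW_HEAD))
```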