From: John Kehayias via Guix-patches
To: Vagrant Cascadian
Cc: 69007@debbugs.gnu.org
Subject: [bug#69007] diffoscope: Update to 256. [security fixes]
Date: Fri, 09 Feb 2024 21:41:27 +0000
Message-ID: <87mss98ge4.fsf@protonmail.com>
In-Reply-To: <87r0hl2us9.fsf@wireframe>

Hi vagrant!

On Fri, Feb 09, 2024 at 01:27 PM, Vagrant Cascadian wrote:

> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!
>

Great, thank you! (following up here for posterity; discussed via IRC)

> I am not sure what the expedited process for security updates is, but
> if there is anything I can do, please let me know!
>

As we discussed, we should formalize some CC-ing of the security list, or a separate security team for reviewing patches (for public flaws, rather than reporting them). And making sure "[security fixes]" is noted, as you did here, for easy sorting.

> live well,
> vagrant
>
> From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian > Date: Fri, 9 Feb 2024 12:58:57 -0800 > Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes] > In any event, patch looks good and as a leaf with a pretty trivial patch, I think you would be clear to push directly to begin with. There was some discussion a while back at what is "trivial," but a version update with 1 dependent is about as easy as it gets. Perhaps another thing to make sure we are on the same page about but I doubt anyone would complain if you had pushed this directly. We could also let QA build, since it is back up, but again, very minor concern here if something were to break. Anyway, please do push! I might put "[security fixes]" before the period in the commit message to match previous ones, but that is very minor. Thanks again! John > Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/3= 61 > > * gnu/packages/diffoscope.scm (diffoscope): Update to 256. > --- > gnu/packages/diffoscope.scm | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm > index 626ac00425..f4d271f690 100644 > --- a/gnu/packages/diffoscope.scm > +++ b/gnu/packages/diffoscope.scm > @@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope) > (define-public diffoscope > (package > (name "diffoscope") > - (version "255") > + (version "256") > (source > (origin > (method git-fetch) > @@ -83,7 +83,7 @@ (define-public diffoscope > (commit version))) > (file-name (git-file-name name version)) > (sha256 > - (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))= )) > + (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))= )) > (build-system python-build-system) > (arguments > (list > > base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
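Review bot: the commit message that accompanies the first hunk (the `(version "255")` to `(version "256")` bump) only links the upstream issue and does not say what the security problem is; since the cover mail states it is a directory traversal when using gpg, put that one line in the commit body so the security relevance is visible from `git log` and not only from the subject tag. As the reply already notes, earlier commits place the tag before the period, so "gnu: diffoscope: Update to 256 [security fixes]." would sort consistently with them.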
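Review bot: the new hash in the second hunk (the `+ (base32 "1sdg314a...")` line) should be reproduced independently before pushing, because the origin uses `git-fetch` with `(commit version)`, i.e. a tag name rather than a fixed commit id, and a tag can be moved upstream; checking out upstream's 256 tag and running `guix hash -x --serializer=nar .` on it confirms that the value in the patch matches what `guix build --source` will verify. Note also that the `=` followed by a line break inside both `(base32 ...)` lines is quoted-printable soft wrapping from the mail transport, so apply the patch with `git am` from the raw message or the attachment rather than from this rendered copy.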