* [bug#69007] diffoscope: Update to 256. [security fixes]
@ 2024-02-09 21:27 Vagrant Cascadian
  2024-02-09 21:41 ` John Kehayias via Guix-patches via
  2024-02-09 22:18 ` bug#69007: " Vagrant Cascadian
0 siblings, 2 replies; 3+ messages in thread

From: Vagrant Cascadian @ 2024-02-09 21:27 UTC (permalink / raw)
To: 69007

[-- Attachment #1.1: Type: text/plain, Size: 328 bytes --]

The attached patch updates diffoscope to 256, which contains a security fix for directory traversals when using gpg.

Both diffoscope and its dependent, reprotest, still build fine!

I am not sure what the expedited process for security updates is, but if there is anything I can do, please let me know!

live well,
vagrant

[-- Attachment #1.2: 0001-gnu-diffoscope-Update-to-256.-security-fixes.patch --]
[-- Type: text/x-diff, Size: 1310 bytes --]

From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Fri, 9 Feb 2024 12:58:57 -0800
Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]

Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361

* gnu/packages/diffoscope.scm (diffoscope): Update to 256.
---
 gnu/packages/diffoscope.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm index 626ac00425..f4d271f690 100644 --- a/gnu/packages/diffoscope.scm +++ b/gnu/packages/diffoscope.scm @@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope) (define-public diffoscope (package (name "diffoscope") - (version "255") + (version "256") (source (origin (method git-fetch) 
@@ -83,7 +83,7 @@ (define-public diffoscope (commit version))) (file-name (git-file-name name version)) (sha256 - (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400")))) + (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf")))) (build-system python-build-system) (arguments (list

base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
-- 
2.39.2

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
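Review bot: In the first hunk, `(version "255")` to `(version "256")`, the origin below it fetches `(commit version)`, so the new string must be the exact upstream tag name rather than just the release number; confirm that a tag named `256` exists in the upstream repository before pushing, because a mismatch only surfaces as a fetch failure at build time, not at review.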
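Review bot: For the sha256 hunk, the new base32 value `1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf` should be recomputed by the reviewer from a fresh checkout of tag 256 (for example `guix hash -rx .` on the checkout) rather than taken on trust, since a hash that was copied instead of computed would either fail the build or pin a tree other than the one carrying the directory-traversal fix the commit message cites via the Fixes: URL.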
* [bug#69007] diffoscope: Update to 256. [security fixes]

From: John Kehayias via Guix-patches via @ 2024-02-09 21:41 UTC (permalink / raw)
To: Vagrant Cascadian; +Cc: 69007

Hi vagrant!

On Fri, Feb 09, 2024 at 01:27 PM, Vagrant Cascadian wrote:

> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!
>

Great, thank you!

(following up here for posterity; discussed via IRC)

> I am not sure what the expedited process for security updates are, but
> if there is anything I can do, please let me know!
>

As we discussed, we should formalize some CC-ing of the security list, or a separate security team for reviewing patches (for public flaws, rather than reporting them). And making sure "[security fixes]" is noted, as you did here, for easy sorting.

> live well,
> vagrant
>
> From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@debian.org>
> Date: Fri, 9 Feb 2024 12:58:57 -0800
> Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]
>

In any event, patch looks good and as a leaf with a pretty trivial patch, I think you would be clear to push directly to begin with. There was some discussion a while back at what is "trivial," but a version update with 1 dependent is about as easy as it gets. Perhaps another thing to make sure we are on the same page about but I doubt anyone would complain if you had pushed this directly.

We could also let QA build, since it is back up, but again, very minor concern here if something were to break.

Anyway, please do push! I might put "[security fixes]" before the period in the commit message to match previous ones, but that is very minor.

Thanks again!
John

> Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
>
> * gnu/packages/diffoscope.scm (diffoscope): Update to 256.
> ---
> gnu/packages/diffoscope.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm > index 626ac00425..f4d271f690 100644 > --- a/gnu/packages/diffoscope.scm > +++ b/gnu/packages/diffoscope.scm > @@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope) > (define-public diffoscope > (package > (name "diffoscope") > - (version "255") > + (version "256") > (source > (origin > (method git-fetch) > @@ -83,7 +83,7 @@ (define-public diffoscope > (commit version))) > (file-name (git-file-name name version)) > (sha256 > - (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400")))) > + (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf")))) > (build-system python-build-system) > (arguments > (list
>
> base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
* bug#69007: diffoscope: Update to 256. [security fixes]

From: Vagrant Cascadian @ 2024-02-09 22:18 UTC (permalink / raw)
To: 69007-done

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

On 2024-02-09, Vagrant Cascadian wrote:
> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!

Pushed as 30196aec07dab8cc0f4a614b160f1857377a6a84.

live well,
vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]