[PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Marius Bakke]

* gnu/packages/ed.scm (ed-1.14.1): New variable.
(ed)[replacement]: New field.
---
 gnu/packages/ed.scm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gnu/packages/ed.scm b/gnu/packages/ed.scm
index 3668aac19..c51a4b82f 100644
--- a/gnu/packages/ed.scm
+++ b/gnu/packages/ed.scm
@@ -28,6 +28,7 @@
 (define-public ed
   (package
     (name "ed")
+    (replacement ed-1.14.1)
     (version "1.13")
     (source (origin
              (method url-fetch)
@@ -55,3 +56,15 @@ interactively and via shell scripts.  Its method of command input allows
 complex tasks to be performed in an automated way.  GNU ed offers several
 extensions over the standard utility.")
     (license gpl3+)))
+
+(define ed-1.14.1
+  (package (inherit ed)
+           (source
+            (let ((version "1.14.1"))
+              (origin
+                (method url-fetch)
+                (uri (string-append "mirror://gnu/ed/ed-"
+                                    version ".tar.lz"))
+                (sha256
+                 (base32
+                  "0ajm69pma7gigddlrq2qi4dsllz9vhm8gqwpkcdagdd2yaw7xfgz")))))))
-- 
2.11.0

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[John Darrington]

[-- Attachment #1: Type: text/plain, Size: 1709 bytes --]

Why bother with the replacement?  Why not just upgrade it?

J'

On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
     * gnu/packages/ed.scm (ed-1.14.1): New variable.
     (ed)[replacement]: New field.
     ---
      gnu/packages/ed.scm | 13 +++++++++++++
      1 file changed, 13 insertions(+)
     
     diff --git a/gnu/packages/ed.scm b/gnu/packages/ed.scm
     index 3668aac19..c51a4b82f 100644
     --- a/gnu/packages/ed.scm
     +++ b/gnu/packages/ed.scm
     @@ -28,6 +28,7 @@
      (define-public ed
        (package
          (name "ed")
     +    (replacement ed-1.14.1)
          (version "1.13")
          (source (origin
                   (method url-fetch)
     @@ -55,3 +56,15 @@ interactively and via shell scripts.  Its method of command input allows
      complex tasks to be performed in an automated way.  GNU ed offers several
      extensions over the standard utility.")
          (license gpl3+)))
     +
     +(define ed-1.14.1
     +  (package (inherit ed)
     +           (source
     +            (let ((version "1.14.1"))
     +              (origin
     +                (method url-fetch)
     +                (uri (string-append "mirror://gnu/ed/ed-"
     +                                    version ".tar.lz"))
     +                (sha256
     +                 (base32
     +                  "0ajm69pma7gigddlrq2qi4dsllz9vhm8gqwpkcdagdd2yaw7xfgz")))))))
     -- 
     2.11.0
     

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 396 bytes --]

John Darrington <john@darrington.wattle.id.au> writes:

> Why bother with the replacement?  Why not just upgrade it?

It's always a good sign when you update a package, and Guix goes along
and downloads the bootstrap binaries :-)

`guix refresh` seems to have some problems with packages used in early
bootstrap. 'ed' is a native-input for 'patch', which I think causes
"everything" to rebuild.


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Leo Famulari]

On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
> * gnu/packages/ed.scm (ed-1.14.1): New variable.
> (ed)[replacement]: New field.

Can you add a comment with a link to the bug report?

https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html

LGTM!

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 547 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>> (ed)[replacement]: New field.
>
> Can you add a comment with a link to the bug report?
>
> https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html

Good find. I wonder, was this issue only present in the unreleased
1.14.0? I can't reproduce it with the current Guix version.

I'll wait and see what the response on oss-sec is. Maybe we can just
push the update to core-updates.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 808 bytes --]

On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
> >> (ed)[replacement]: New field.
> >
> > Can you add a comment with a link to the bug report?
> >
> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
> 
> Good find. I wonder, was this issue only present in the unreleased
> 1.14.0? I can't reproduce it with the current Guix version.

Good catch; I can only reproduce it with 1.14, and the ed maintainer
points out that it was introduced in 1.14.

> I'll wait and see what the response on oss-sec is. Maybe we can just
> push the update to core-updates.

I think it's fine for core-updates.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 917 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>> >> (ed)[replacement]: New field.
>> >
>> > Can you add a comment with a link to the bug report?
>> >
>> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
>> 
>> Good find. I wonder, was this issue only present in the unreleased
>> 1.14.0? I can't reproduce it with the current Guix version.
>
> Good catch; I can only reproduce it with 1.14, and the ed maintainer
> points out that it was introduced in 1.14.
>
>> I'll wait and see what the response on oss-sec is. Maybe we can just
>> push the update to core-updates.
>
> I think it's fine for core-updates.

Me too; pushed. Thanks for checking!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>> >> (ed)[replacement]: New field.
>> >
>> > Can you add a comment with a link to the bug report?
>> >
>> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
>> 
>> Good find. I wonder, was this issue only present in the unreleased
>> 1.14.0? I can't reproduce it with the current Guix version.
>
> Good catch; I can only reproduce it with 1.14, and the ed maintainer
> points out that it was introduced in 1.14.
>
>> I'll wait and see what the response on oss-sec is. Maybe we can just
>> push the update to core-updates.
>
> I think it's fine for core-updates.

With 200 dependent packages, it could even go to ‘master’.

  https://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html

Ludo’.

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1333 bytes --]

Ludovic Courtès <ludo@gnu.org> writes:

> Leo Famulari <leo@famulari.name> skribis:
>
>> On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
>>> Leo Famulari <leo@famulari.name> writes:
>>> 
>>> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>>> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>>> >> (ed)[replacement]: New field.
>>> >
>>> > Can you add a comment with a link to the bug report?
>>> >
>>> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
>>> 
>>> Good find. I wonder, was this issue only present in the unreleased
>>> 1.14.0? I can't reproduce it with the current Guix version.
>>
>> Good catch; I can only reproduce it with 1.14, and the ed maintainer
>> points out that it was introduced in 1.14.
>>
>>> I'll wait and see what the response on oss-sec is. Maybe we can just
>>> push the update to core-updates.
>>
>> I think it's fine for core-updates.
>
> With 200 dependent packages, it could even go to ‘master’.
>
>   https://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html

When I first built it on 'master', Guix went ahead and downloaded the
bootstrap binaries, so I suspect `guix refresh` fails to recognize the
full scope of this update.

'ed' is used as a native-input for 'patch', could that be related?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Mark H Weaver]

ludo@gnu.org (Ludovic Courtès) writes:

> Leo Famulari <leo@famulari.name> skribis:
>
>> On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
>>> Leo Famulari <leo@famulari.name> writes:
>>> 
>>> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>>> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>>> >> (ed)[replacement]: New field.
>>> >
>>> > Can you add a comment with a link to the bug report?
>>> >
>>> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
>>> 
>>> Good find. I wonder, was this issue only present in the unreleased
>>> 1.14.0? I can't reproduce it with the current Guix version.
>>
>> Good catch; I can only reproduce it with 1.14, and the ed maintainer
>> points out that it was introduced in 1.14.
>>
>>> I'll wait and see what the response on oss-sec is. Maybe we can just
>>> push the update to core-updates.
>>
>> I think it's fine for core-updates.
>
> With 200 dependent packages, it could even go to ‘master’.

"guix refresh -l" is _way_ off in this case.  'ed' is a native-input for
'patch', which is of course entails a full rebuild.

       Mark

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].

[Ludovic Courtès]

Mark H Weaver <mhw@netris.org> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Leo Famulari <leo@famulari.name> skribis:
>>
>>> On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
>>>> Leo Famulari <leo@famulari.name> writes:
>>>> 
>>>> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>>>> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>>>> >> (ed)[replacement]: New field.
>>>> >
>>>> > Can you add a comment with a link to the bug report?
>>>> >
>>>> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
>>>> 
>>>> Good find. I wonder, was this issue only present in the unreleased
>>>> 1.14.0? I can't reproduce it with the current Guix version.
>>>
>>> Good catch; I can only reproduce it with 1.14, and the ed maintainer
>>> points out that it was introduced in 1.14.
>>>
>>>> I'll wait and see what the response on oss-sec is. Maybe we can just
>>>> push the update to core-updates.
>>>
>>> I think it's fine for core-updates.
>>
>> With 200 dependent packages, it could even go to ‘master’.
>
> "guix refresh -l" is _way_ off in this case.  'ed' is a native-input for
> 'patch', which is of course entails a full rebuild.

Oh indeed, sorry for the confusion!

From the viewpoint of ‘guix refresh -l’, (@ (gnu packages ed) ed) is not
the same package/derivation as the one that ‘patch’ in (@ (gnu packages
commencement) %final-inputs) refers to.

So ‘guix refresh -l’ is not “wrong”, but clearly it fails to capture
something important here.

Ludo’.