* nudging patches
@ 2023-05-17 14:30 Remco van 't Veer
2023-05-17 15:40 ` Giovanni Biscuolo
2023-05-19 9:26 ` Andreas Enge
0 siblings, 2 replies; 7+ messages in thread
From: Remco van 't Veer @ 2023-05-17 14:30 UTC (permalink / raw)
To: help-guix
Hi,
What's the preferred / politest way to draw attention to patches (and /
or bugs) which seem to have been overlooked?
And while I have your attention and you're wondering which patches I'd
like to promote.. 😉
- #62557 [guix-patches]
[PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
- #62558 [guix-patches]
[PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
- #62559 [guix-patches]
[PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
- #62561 [guix-patches]
[PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
They still apply cleanly on master.
But seriously, what is the preferred way to do this?
Cheers,
Remco
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: nudging patches
2023-05-17 14:30 nudging patches Remco van 't Veer
@ 2023-05-17 15:40 ` Giovanni Biscuolo
2023-05-19 9:26 ` Andreas Enge
1 sibling, 0 replies; 7+ messages in thread
From: Giovanni Biscuolo @ 2023-05-17 15:40 UTC (permalink / raw)
To: Remco van 't Veer, help-guix, guix-devel
Hello Remco,
sorry for cross posting to guix-devel but I think this is more a devel
(committers needing help) discussion than a user (needing help) one :-)
Remco van 't Veer <remco@remworks.net> writes:
> Hi,
>
> What's the preferred / politest way to draw attention to patches (and /
> or bugs) which seem to have been overlooked?
AFAIU send an email ping to the patch/bug, possibly Cc-ing the related
team [1].
> And while I have your attention and you're wondering which patches I'd
> like to promote.. 😉
>
> - #62557 [guix-patches]
> [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
> - #62558 [guix-patches]
> [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
> - #62559 [guix-patches]
> [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
> - #62561 [guix-patches]
> [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
>
> They still apply cleanly on master.
This is the current Ruby team:
id: ruby
name: Ruby team
description: <none>
scope: "gnu/packages/ruby.scm" "guix/build/ruby-build-system.scm" "guix/build-system/ruby.scm" "guix/import/gem.scm" "guix/scripts/import/gem.scm" "tests/gem.scm"
members:
+ Christopher Baines <mail@cbaines.net>
> But seriously, what is the preferred way to do this?
HTH! Gio'
[1] https://guix.gnu.org/en/manual/devel/en/html_node/Teams.html#Teams
--
Giovanni Biscuolo
Xelera IT Infrastructures
* Re: nudging patches
2023-05-17 14:30 nudging patches Remco van 't Veer
2023-05-17 15:40 ` Giovanni Biscuolo
@ 2023-05-19 9:26 ` Andreas Enge
2023-05-19 9:48 ` Remco van 't Veer
1 sibling, 1 reply; 7+ messages in thread
From: Andreas Enge @ 2023-05-19 9:26 UTC (permalink / raw)
To: Remco van 't Veer; +Cc: guix-devel, Christopher Baines
On Wed, May 17, 2023 at 04:30:44PM +0200, Remco van 't Veer wrote:
> What's the preferred / politest way to draw attention to patches (and /
> or bugs) which seem to have been overlooked?
No idea, ideally it should not be necessary ;-)
There is a certain backlog in the QA process so that your patches were not
built out on the build farm. Otherwise I think someone would have applied
(most of) them already.
> And while I have your attention and you're wondering which patches I'd
> like to promote.. 😉
> - #62557 [guix-patches]
> [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
> - #62558 [guix-patches]
> [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
> - #62559 [guix-patches]
> [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
> - #62561 [guix-patches]
> [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
I applied the last three ones, but not the first one, as it requires a very
big amount of rebuilds (more than 8000 dependent packages).
Maybe this could be an occasion for the ruby team to tidy up the
packages. We currently have five publicly visible ruby versions:
$ ./pre-inst-env guix package -A ^ruby$
ruby 3.1.4 out gnu/packages/ruby.scm:232:2
ruby 2.7.6 out gnu/packages/ruby.scm:163:2
ruby 3.2.2 out gnu/packages/ruby.scm:246:2
ruby 2.6.10 out gnu/packages/ruby.scm:110:2
ruby 3.0.6 out gnu/packages/ruby.scm:215:2
Could the three middle ones be dropped?
Then there is an internal version ruby/fixed, which is very old, but,
strangely, ahead of the public minor ruby version, @2.7.7.
Could the remainder of ruby and other packages be made dependent on @3.2
instead of @2.7?
Andreas
* Re: nudging patches
2023-05-19 9:26 ` Andreas Enge
@ 2023-05-19 9:48 ` Remco van 't Veer
2023-05-19 10:04 ` Andreas Enge
0 siblings, 1 reply; 7+ messages in thread
From: Remco van 't Veer @ 2023-05-19 9:48 UTC (permalink / raw)
To: Andreas Enge; +Cc: guix-devel, Christopher Baines
Thanks Andreas!
2023/05/19 11:26, Andreas Enge:
>> And while I have your attention and you're wondering which patches I'd
>> like to promote.. 😉
>> - #62557 [guix-patches]
>> [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
>> - #62558 [guix-patches]
>> [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
>> - #62559 [guix-patches]
>> [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
>> - #62561 [guix-patches]
>> [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
>
> I applied the last three ones, but not the first one, as it requires a very
> big amount of rebuilds (more than 8000 dependent packages).
>
> Maybe this could be an occasion for the ruby team to tidy up the
> packages. We currently have five publicly visible ruby versions:
> $ ./pre-inst-env guix package -A ^ruby$
> ruby 3.1.4 out gnu/packages/ruby.scm:232:2
> ruby 2.7.6 out gnu/packages/ruby.scm:163:2
> ruby 3.2.2 out gnu/packages/ruby.scm:246:2
> ruby 2.6.10 out gnu/packages/ruby.scm:110:2
> ruby 3.0.6 out gnu/packages/ruby.scm:215:2
>
> Could the three middle ones be dropped?
Ruby 2.6 is EOL and 2.7 got its "last" release in March
(https://www.ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/). So
I guess 2.6 can be dropped and 2.7 may linger for a while?
> Then there is an internal version ruby/fixed, which is very old, but,
> strangely, ahead of the public minor ruby version, @2.7.7.
It seems the ruby-2.7-fixed var has been orphaned by the latest
core-updates merge. It was used for grafting (used as a "replacement"
in the ruby-2.7 var) and my patch was still depending on that. I can
update the patch by reinserting the grafting bit. WDYT?
> Could the remainder of ruby and other packages be made dependent on @3.2
> instead of @2.7?
This will probably be a trial-and-error path leaning on tests included
in the packages.
Cheers,
Remco
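The graft Remco describes above (a `replacement` package that Guix substitutes for `ruby-2.7` without rebuilding its dependents) can be sanity-checked from the command line. The following is an added example, not code from the thread or from the Guix project: it encodes the Guix rule that a graft rewrites store file names in place, so the replacement's store file name must be exactly as long as the original's (`ruby-2.7.6` vs `ruby-2.7.8` qualifies, `ruby-2.7.10` would not), and it wraps the real `guix refresh --list-dependent` and `guix build --no-grafts` commands to show what a full rebuild would cost and whether the graft is picked up. The function names and the `ruby@2.7` spec passed in are the example's own choices.

```shell
#!/bin/sh
# Added example (not part of the thread or of Guix itself).
# Assumption stated in the lead-in: Guix grafts rewrite store paths
# byte for byte, so the replacement's store file name (NAME-VERSION)
# must have the same length as the original's.

# graft_length_ok NAME OLD_VERSION NEW_VERSION
# Returns 0 when NAME@NEW_VERSION can stand in for NAME@OLD_VERSION as far
# as the file-name-length rule goes, 1 otherwise.
graft_length_ok() {
    name=$1
    old="$name-$2"
    new="$name-$3"
    [ "${#old}" -eq "${#new}" ]
}

# inspect_graft SPEC
# Lists every package that would have to be rebuilt if SPEC were updated
# without a graft (the figure Andreas quotes for ruby@2.7 is >8000), then
# builds SPEC ungrafted and grafted so the two store paths can be compared.
# Returns 2 when guix is not available, so the helper above still works
# on machines without Guix.
inspect_graft() {
    spec=$1
    command -v guix >/dev/null 2>&1 || {
        echo "guix not installed; skipping live checks" >&2
        return 2
    }
    echo "Packages depending on $spec (rebuilt if no graft is used):"
    guix refresh --list-dependent "$spec"
    echo "Ungrafted output: $(guix build --no-grafts "$spec")"
    echo "Grafted output:   $(guix build "$spec")"
}

# Usage: the hypothetical ruby@2.7 bump from the thread.
if graft_length_ok ruby 2.7.6 2.7.8; then
    echo "ruby 2.7.6 -> 2.7.8: file-name length unchanged, graft is possible"
fi
inspect_graft ruby@2.7 || true
```

If the two `guix build` paths printed by `inspect_graft` differ, the graft is in effect; identical paths mean the `replacement` field is not being applied (for example because the variable it names was orphaned, as happened after the core-updates merge described above).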
* Re: nudging patches
2023-05-19 9:48 ` Remco van 't Veer
@ 2023-05-19 10:04 ` Andreas Enge
2023-05-19 11:09 ` [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}] Remco van 't Veer
0 siblings, 1 reply; 7+ messages in thread
From: Andreas Enge @ 2023-05-19 10:04 UTC (permalink / raw)
To: Remco van 't Veer; +Cc: guix-devel, Christopher Baines
Hello Remco,
On Fri, May 19, 2023 at 11:48:08AM +0200, Remco van 't Veer wrote:
> Ruby 2.6 is EOL and 2.7 got its "last" release in March
> (https://www.ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/). So
> I guess 2.6 can be dropped and 2.7 may linger for a while?
the announcement states that
"After this release, Ruby 2.7 reaches EOL. In other words, this is expected to be the last release of Ruby 2.7 series. We will not release Ruby 2.7.9 even if a security vulnerability is found"
So it would be best to try to get rid of it as soon as possible;
if security vulnerabilities are not fixed, the working hypothesis is
that the package has security vulnerabilities...
> > Then there is an internal version ruby/fixed, which is very old, but,
> > strangely, ahead of the public minor ruby version, @2.7.7.
> It seems the ruby-2.7-fixed var has been orphaned by the latest
> core-updates merge. It was used for grafting (used as a "replacement"
> in the ruby-2.7 var) and my patch was still depending on that. I can
> update the patch by reinserting the grafting bit. WDYT?
Oh, I see. I am not familiar at all with grafting. But that would be
an option indeed to avoid rebuilding.
> > Could the remainder of ruby and other packages be made dependent on @3.2
> > instead of @2.7?
> This will probably be a trial-and-error path leaning on tests included
> in the packages.
With your findings above about ruby@2.7, this looks like a worthwhile path!
Andreas
* [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
2023-05-19 10:04 ` Andreas Enge
@ 2023-05-19 11:09 ` Remco van 't Veer
2023-05-23 15:08 ` bug#62557: " Andreas Enge
0 siblings, 1 reply; 7+ messages in thread
From: Remco van 't Veer @ 2023-05-19 11:09 UTC (permalink / raw)
To: 62557; +Cc: Andreas Enge, guix-devel, Christopher Baines, Remco van 't Veer
Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
CVE-2023-28756 (ReDoS vulnerability in Time).
* gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
(ruby-2.7)[replacement]: Graft.
---
gnu/packages/ruby.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index dbd4127343..eb84367d15 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -163,6 +163,7 @@ (define-public ruby-2.7
(package
(inherit ruby-2.6)
(version "2.7.6")
+ (replacement ruby-2.7-fixed) ; security fixes
(source
(origin
(inherit (package-source ruby-2.6))
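Review bot: the added `(replacement ruby-2.7-fixed) ; security fixes` refers to a variable that is only defined further down the file; this works because the `replacement` field of a Guix package record is evaluated lazily, but a reader of the `ruby-2.7` block sees a bare forward reference, so say so in the comment. It would also help to name the CVEs in that comment (e.g. `; graft for CVE-2023-28755/28756`) so the reason for the graft survives once bug 62557 is closed and the commit message is no longer at hand.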
@@ -200,7 +201,7 @@ (define-public ruby-2.7
(define ruby-2.7-fixed
(package
(inherit ruby-2.7)
- (version "2.7.7")
+ (version "2.7.8")
(source
(origin
(inherit (package-source ruby-2.7))
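Review bot: the bump from `(version "2.7.7")` to `(version "2.7.8")` keeps the version string the same length, which is what allows this package to graft `ruby-2.7` at all, since Guix rewrites store file names in place and the replacement's file name must be as long as the original's; that constraint is worth a one-line comment beside the version, together with a note that 2.7.8 is upstream's final 2.7 release (per the ruby-lang announcement quoted earlier in this thread), so the next maintainer knows no further graft is coming and the 2.7 series should be retired rather than patched again.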
@@ -209,7 +210,7 @@ (define ruby-2.7-fixed
"/ruby-" version ".tar.gz"))
(sha256
(base32
- "143vih5jzmrd2r5h94pa3qzml0ldii0qzs6g09jg6zqxd7djf0g1"))))))
+ "182vni66djmiqagwzfsd0za7x9k3zag43b88c590aalgphybdnn2"))))))
(define-public ruby-3.0
(package
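Review bot: the new base32 hash is the only change in this hunk and nothing in the patch records how it was obtained; before pushing, confirm that `guix download` of the 2.7.8 tarball built from the `"/ruby-" version ".tar.gz"` URL in the context yields exactly this value, and build at least one dependent of `ruby-2.7` with and without `--no-grafts` to confirm the graft is actually applied. The unchanged run of closing parentheses on the `+` line shows the inherited `source` structure is intact.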
base-commit: 14c03807ba4bc81d42cf869f5b827f7da54ff843
--
2.40.1
* bug#62557: [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
2023-05-19 11:09 ` [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}] Remco van 't Veer
@ 2023-05-23 15:08 ` Andreas Enge
0 siblings, 0 replies; 7+ messages in thread
From: Andreas Enge @ 2023-05-23 15:08 UTC (permalink / raw)
To: Remco van 't Veer; +Cc: Christopher Baines, 62557-done
On Fri, May 19, 2023 at 01:09:17PM +0200, Remco van 't Veer wrote:
> Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
> CVE-2023-28756 (ReDoS vulnerability in Time).
> * gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
> (ruby-2.7)[replacement]: Graft.
Sorry for the delay, I needed to read up on grafts first. Everything looks
good, a dependent package builds, so I have pushed this and am closing
the bug.
Thanks!
Andreas
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git