From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#21784: Alternate xz-5.0.4.tar.gz URL
Date: Fri, 30 Oct 2015 18:06:26 +0100
Message-ID: <87vb9ocmlp.fsf_-_@gnu.org>
References: <20151029212019.6f59107f@debian-netbook> <20151029215102.384751ae@debian-netbook>
In-Reply-To: <20151029215102.384751ae@debian-netbook> (Efraim Flashner's message of "Thu, 29 Oct 2015 21:51:02 +0200")
List-Id: Bug reports for GNU Guix
To: Efraim Flashner
Cc: 21784@debbugs.gnu.org

Efraim Flashner wrote:

> It turns out that hydra, the automated build server for guix, has a copy of
> xz that you can download if you authorize hydra to provide substitutions.
> With a copy of hydra.gnu.org.pub, the command is `sudo guix archive
> --authorize hydra.gnu.org.pub`. After that, instead of building everything
> locally, your computer will first check to see if hydra has already built a
> package and you can just download it.

Since we must have an additional URL to fetch it.

I looked for mirrors on the Web for this tarball and couldn’t find one
(fossies.org doesn’t have it, for instance.)

Then I wanted to upload it to ftp://alpha.gnu.org/gnu/guix/mirror, but
that is rejected:

  file rejected: xz-5.0.4.tar.gz contains a vulnerable Makefile.in CVE-2012-3386
  Regenerate it with automake 1.11.6 / 1.12.2 or newer.

So we need another solution.

Any suggestions? Like mirror URLs I might have missed?

TIA,
Ludo’.
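
Added example, not part of the original message and not the check the upload server itself runs: a local pre-upload scan that flags `Makefile.in` files generated by an automake older than the 1.11.6 / 1.12.2 thresholds quoted in the rejection above. It assumes the version is read from the `generated by automake X.Y.Z` comment that automake writes at the top of each `Makefile.in`; `predates_fix`, `scan_tarball` and the sample tarball are constructed for illustration.

```python
import io
import re
import tarfile

# Header comment automake writes at the top of every generated Makefile.in.
HEADER = re.compile(rb"generated by automake (\d+(?:\.\d+)+)")

def predates_fix(version):
    """True if the version is older than 1.11.6 (1.11 series) or 1.12.2."""
    v = (tuple(int(p) for p in version.split(".")) + (0, 0))[:3]
    if v >= (1, 12, 2):
        return False
    return not ((1, 11, 6) <= v < (1, 12, 0))

def scan_tarball(fileobj):
    """Return [(member name, automake version)] for flagged Makefile.in files."""
    flagged = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if member.name.rsplit("/", 1)[-1] != "Makefile.in":
                continue
            # The version comment is on the first line; 4 KiB is ample.
            head = tar.extractfile(member).read(4096)
            match = HEADER.search(head)
            if match and predates_fix(match.group(1).decode()):
                flagged.append((member.name, match.group(1).decode()))
    return flagged

def build_sample():
    """Constructed in-memory tarball (not xz-5.0.4) so the scan runs offline."""
    files = {
        "pkg-1.0/Makefile.in":
            b"# Makefile.in generated by automake 1.11.1 from Makefile.am.\n",
        "pkg-1.0/src/Makefile.in":
            b"# Makefile.in generated by automake 1.12.2 from Makefile.am.\n",
        "pkg-1.0/README": b"not a makefile\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, version in scan_tarball(build_sample()):
        print(f"{name}: automake {version} predates 1.11.6 / 1.12.2")
```

A version string only says which automake produced the file, so a hit means "regenerate before uploading", as the rejection message asks, rather than proof that the affected rule is present.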