From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Handling =?utf-8?B?4oCYZmlsZeKAmQ==?= CVE
Date: Thu, 13 Nov 2014 21:13:03 +0100
Message-ID: <87zjbu6er4.fsf@gnu.org>
References: <87389nl6wi.fsf@gnu.org> <87mw7vhwgz.fsf@gnu.org>
	<87egt7f052.fsf@yeeloong.lan> <87h9y3uee3.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51496)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1Xp0lS-0006i8-OX
	for guix-devel@gnu.org; Thu, 13 Nov 2014 15:13:15 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1Xp0lN-0000iG-FP
	for guix-devel@gnu.org; Thu, 13 Nov 2014 15:13:10 -0500
Received: from hera.aquilenet.fr ([2a01:474::1]:55116)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
	id 1Xp0lN-0000iA-8e
	for guix-devel@gnu.org; Thu, 13 Nov 2014 15:13:05 -0500
In-Reply-To: <87h9y3uee3.fsf@gmail.com> (Eric Bavier's message of "Thu, 13 Nov
	2014 12:47:00 -0600")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Eric Bavier <ericbavier@gmail.com>
Cc: Guix-devel <guix-devel@gnu.org>

Eric Bavier <ericbavier@gmail.com> skribis:

> Mark H Weaver writes:
>
>> Finally, 'file' is a propagated-input for 'intltool', which means that
>> if anyone installs 'intltool' in their profile, they will have the buggy
>> 'file' in their PATH.
>
> The attached patch might be enough to fix this.

But =E2=80=98guix refresh -l=E2=80=99 says 142 packages depend on it...

> From fff25ec0451a65ccd5972d16ef96221c85084566 Mon Sep 17 00:00:00 2001
> From: Eric Bavier <bavier@member.fsf.org>
> Date: Thu, 13 Nov 2014 12:46:04 -0600
> Subject: [PATCH] gnu: intltool: Make file a regular input.
>
> * gnu/packages/glib.scm (intltool)[propagated-inputs]: Move file from her=
e...
>   [inputs]: to here.
>   [arguments]: New 'patch-file-references phase.

[...]

> +    (arguments
> +     `(#:phases (alist-cons-after
> +                 'unpack 'patch-file-references
> +                 (lambda _
> +                   (substitute* "intltool-update.in"
> +                     (("`file") (string-append "`" (which "file"))))))))

Should use (string-append (assoc-ref inputs "file") "/bin/file") to work
correctly in a cross-compilation context.

Also, the last argument to =E2=80=98alist-cons-after=E2=80=99 is missing.

Could you push the updated patch to =E2=80=98core-updates=E2=80=99?  We=E2=
=80=99ll see how where
it takes us.

The main limitation here is that it takes almost a week for the MIPS
machine to rebuild everything (~2 days for Intel), and I=E2=80=99d like
everything to be built on the D-day.

Thanks,
Ludo=E2=80=99.