* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]. @ 2023-02-17 18:04 Greg Hogan 2023-02-20 11:44 ` Simon Tournier 2023-03-06 17:23 ` bug#61583: " Leo Famulari 0 siblings, 2 replies; 19+ messages in thread From: Greg Hogan @ 2023-02-17 18:04 UTC (permalink / raw) To: 61583; +Cc: Greg Hogan * gnu/packages/version-control.scm (git): Update to 2.39.2. diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 5de344e549..88df2c2aeb 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -225,14 +225,14 @@ (define git-cross-configure-flags (define-public git (package (name "git") - (version "2.39.1") + (version "2.39.2") (source (origin (method url-fetch) (uri (string-append "mirror://kernel.org/software/scm/git/git-" version ".tar.xz")) (sha256 (base32 - "0qf1wly7zagg23svpv533va5v213y7y3lfw76ldkf35k8w48m8s0")))) + "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7")))) (build-system gnu-build-system) (native-inputs `(("native-perl" ,perl) @@ -252,7 +252,7 @@ (define-public git version ".tar.xz")) (sha256 (base32 - "0xf7ki90xw77nvmnkw50xaivyfi8jddfq0h8crzi7m9zjs7aa8mm")))) + "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b")))) ;; For subtree documentation. ("asciidoc" ,asciidoc) ("docbook-xsl" ,docbook-xsl) -- 2.39.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
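Review bot: In the first hunk the new source hash (`1mpjvhyw…`) is the only thing binding this bump to upstream's release, and neither the patch nor the commit message says how it was obtained. Since the tarball comes from a `mirror://kernel.org` URI and this is a security update, please state that the hash was computed from a git-2.39.2 tarball checked against upstream's signed release, not just from whatever the mirror served.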
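Review bot: The second hunk updates a second `base32` hash, for an origin further down the same package whose URI is also built from `version`, yet the changelog entry only reads `(git): Update to 2.39.2.` and nothing near `(version "2.39.2")` warns that two hashes depend on it. A short comment next to the `version` field saying that both origins must be re-hashed on every bump would keep the two from drifting apart in a later update.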
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Simon Tournier @ 2023-02-20 11:44 UTC
To: Greg Hogan, 61583; +Cc: Greg Hogan

Hi,

On ven., 17 févr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:

> * gnu/packages/version-control.scm (git): Update to 2.39.2.

As noticed previously for an update of Git, this implies a lot of
rebuilds because git-minimal inherits from git.

Well, I am checking if git-minimal is used only for the tests by some of
the packages.

For sure, it is a concern since it is a security fixes.

Cheers,
simon
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Simon Tournier @ 2023-03-03 19:14 UTC
To: Greg Hogan, 61583, Christopher Baines, Josselin Poiret, Ludovic Courtès, Mathieu Othacehe, Ricardo Wurmus, Simon Tournier, Tobias Geerinckx-Rice
Cc: Greg Hogan

Hi,

CC: core team

On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune@gmail.com> wrote:

> On ven., 17 févr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:

>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>
> As noticed previously for an update of Git, this implies a lot of
> rebuilds because git-minimal inherits from git.

Well, I locally rebuilt all and maybe a couple of packages break. The
rebuild is intensive and I do not know if such update should to master
or core-updates and/or use some grafts.

For instance, QA is still saying nothing after 12 days.

    https://qa.guix.gnu.org/issue/61583

> Well, I am checking if git-minimal is used only for the tests by some of
> the packages.

I have tried to replace the plain ’git’ or ’git-minimal’ by
’git-minimal/pinned’ for some packages. It does not change much.

> For sure, it is a concern since it is a security fixes.

Hum, we are not very reactive. :-)

Cheers,
simon
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Tobias Geerinckx-Rice via Guix-patches via @ 2023-03-03 19:33 UTC
To: Simon Tournier
Cc: Josselin Poiret, 61583, Mathieu Othacehe, Ludovic Courtès, Christopher Baines, Greg Hogan, Ricardo Wurmus

Hi,

I'd ask ‘why can we not simply graft this’ but…

Simon Tournier 写道:
>> As noticed previously for an update of Git, this implies a lot of
>> rebuilds because git-minimal inherits from git.
>
> Well, I locally rebuilt all and maybe a couple of packages break. The
> rebuild is intensive and I do not know if such update should to master
> or core-updates and/or use some grafts.

Packages that built with .1 break with .2? That's not a very
semantic versioning :-/

What broke? Then I can test just those.

Kind regards,

T G-R
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Maxim Cournoyer @ 2023-03-04 3:39 UTC
To: Simon Tournier
Cc: Josselin Poiret, Tobias Geerinckx-Rice, 61583, Mathieu Othacehe, Ludovic Courtès, Christopher Baines, Greg Hogan, Ricardo Wurmus

Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi,
>
> CC: core team
>
> On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune@gmail.com> wrote:
>
>> On ven., 17 févr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:
>
>>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>>
>> As noticed previously for an update of Git, this implies a lot of
>> rebuilds because git-minimal inherits from git.
>
> Well, I locally rebuilt all and maybe a couple of packages break. The
> rebuild is intensive and I do not know if such update should to master
> or core-updates and/or use some grafts.
>
> For instance, QA is still saying nothing after 12 days.
>
>     https://qa.guix.gnu.org/issue/61583
>
>
>> Well, I am checking if git-minimal is used only for the tests by some of
>> the packages.
>
> I have tried to replace the plain ’git’ or ’git-minimal’ by
> ’git-minimal/pinned’ for some packages. It does not change much.
>
>
>> For sure, it is a concern since it is a security fixes.
>
> Hum, we are not very reactive. :-)

I think the number of rebuilt packages is in the thousands, so that's a
core-updates change. On master it should be grafted instead, if that's
possible.

--
Thanks,
Maxim
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari @ 2023-03-04 3:44 UTC
To: Maxim Cournoyer, zimoun
Cc: Josselin Poiret, Christopher Baines, 61583, Mathieu Othacehe, Ludovic Courtès, Tobias Geerinckx-Rice, Greg Hogan, Ricardo Wurmus

On Fri, Mar 3, 2023, at 22:39, Maxim Cournoyer wrote:
> Hi Simon,
>
> Simon Tournier <zimon.toutoune@gmail.com> writes:
>
>> Hi,
>>
>> CC: core team
>>
>> On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune@gmail.com> wrote:
>>
>>> On ven., 17 févr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:
>>
>>>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>>>
>>> As noticed previously for an update of Git, this implies a lot of
>>> rebuilds because git-minimal inherits from git.
>>
>> Well, I locally rebuilt all and maybe a couple of packages break. The
>> rebuild is intensive and I do not know if such update should to master
>> or core-updates and/or use some grafts.
>>
>> For instance, QA is still saying nothing after 12 days.
>>
>>     https://qa.guix.gnu.org/issue/61583
>>
>>
>>> Well, I am checking if git-minimal is used only for the tests by some of
>>> the packages.
>>
>> I have tried to replace the plain ’git’ or ’git-minimal’ by
>> ’git-minimal/pinned’ for some packages. It does not change much.
>>
>>
>>> For sure, it is a concern since it is a security fixes.
>>
>> Hum, we are not very reactive. :-)
>
> I think the number of rebuilt packages is in the thousands, so that's a
> core-updates change. On master it should be grafted instead, if that's
> possible.

`guix refresh -l git git-minimal` shows only hundreds of rebuilds. Am I missing something?
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari @ 2023-03-03 21:56 UTC
To: Simon Tournier; +Cc: 61583, Greg Hogan

On Mon, Feb 20, 2023 at 12:44:23PM +0100, Simon Tournier wrote:
> On ven., 17 févr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:
> > * gnu/packages/version-control.scm (git): Update to 2.39.2.
>
> As noticed previously for an update of Git, this implies a lot of
> rebuilds because git-minimal inherits from git.

------
$ guix refresh -l git-minimal
Building the following 43 packages would ensure 69 dependent packages are rebuilt: r-biocpkgtools@1.16.0 r-biocthis@1.8.1 r-biocworkflowtools@1.24.0 r-golem@0.3.5 r-megadepth@1.8.0 r-chromunity@0.0.1-1.09fce8b r-rnaseqdtu@2.0-1.5bee1e7 r-spectre@0.5.5-1.f6648ab r-battenberg@2.2.9 r-chemometricswithr@0.1.13 r-adapr@2.0.0 r-activpal@0.1.3 rust-git2-6@0.6.11 rust-git2@0.15.0 rust-git2@0.13.24 rust-git2@0.11.0 rust-git2@0.14.4 rust-git2@0.9.1 emacs-libgit@0.0.1-1.ab1a53a nuspell@3.1.2 kicad-doc@7.0.0 musescore@4.0.1 python-oslosphinx@4.18.0 conan@1.50.0 python-jupytext@1.14.1 snakemake@7.7.0 vorta@0.8.7 clipper@2.0.1 gnome@42.4 mate@1.24.1 r-prereg@0.6.0 python-ipython-documentation@8.2.0 python-numpy-documentation@1.21.6 nototools@0.2.16 python-clorm@1.4.1 python-telingo@2.1.1 python-screenkey@1.4 mbed-tools@7.53.0 snakemake@6.15.5 emacs-ghq@0.1.2 pre-commit@2.20.0 gitless@0.8.8 vlang@0.2.4
------

That's not a significant number of packages.

Overall, git and git-minimal will cause more than 300 rebuilds, but not
too many for the current state of the build farm.

Concretely, why can't we push this to master immediately?
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Josselin Poiret via Guix-patches via @ 2023-03-04 10:30 UTC
To: Leo Famulari, Simon Tournier; +Cc: 61583, Greg Hogan

Hi Leo,

Leo Famulari <leo@famulari.name> writes:

> That's not a significant number of packages.
>
> Overall, git and git-minimal will cause more than 300 rebuilds, but not
> too many for the current state of the build farm.
>
> Concretely, why can't we push this to master immediately?

`guix refresh` is not great for core packages: it only detects things
that depend on other packages through inputs. Here though, git is used
indirectly by git-fetch origins, and would affect the dependency graph a
lot more. I think this should be grafted to avoid too many rebuilds,
and ungrafted on core-updates (maybe now, maybe after the big
core-updates merge).

Best,
--
Josselin Poiret
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari @ 2023-03-04 14:41 UTC
To: Josselin Poiret, zimoun; +Cc: 61583, Greg Hogan

On Sat, Mar 4, 2023, at 05:30, Josselin Poiret wrote:
> Hi Leo,
>
> Leo Famulari <leo@famulari.name> writes:
>
>> That's not a significant number of packages.
>>
>> Overall, git and git-minimal will cause more than 300 rebuilds, but not
>> too many for the current state of the build farm.
>>
>> Concretely, why can't we push this to master immediately?
>
> `guix refresh` is not great for core packages: it only detects things
> that depend on other packages through inputs. Here though, git is used
> indirectly by git-fetch origins, and would affect the dependency graph a
> lot more. I think this should be grafted to avoid too many rebuilds,
> and ungrafted on core-updates (maybe now, maybe after the big
> core-updates merge).

Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Git is a security critical package that we've always updated freely.

I'm AFK, only have my phone today. But, please try updating Git and check if the fixed-output source derivations change.

Leo
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Tobias Geerinckx-Rice via Guix-patches via @ 2023-03-04 15:34 UTC
To: Leo Famulari; +Cc: 61583, dev, code, zimon.toutoune

Leo Famulari 写道:
> I'm AFK, only have my phone today. But, please try updating Git
> and check if the fixed-output source derivations change.

…and if not, shall we agree to push this? (It's a yes from me, dog.)

Kind regards,

T G-R
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Maxim Cournoyer @ 2023-03-06 12:54 UTC
To: 61583; +Cc: dev, zimon.toutoune, me, code, leo

Hi,

Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org> writes:

> Leo Famulari 写道:
>> I'm AFK, only have my phone today. But, please try updating Git and
>> check if the fixed-output source derivations change.
>
> …and if not, shall we agree to push this? (It's a yes from me, dog.)
>
> Kind regards,

As long as it doesn't touch git-minimal/fixed, we should be OK,
otherwise it causes thousands of rebuilds (see the revert of
8a9bf794e184934e1432f25f4954117d4b46f655, where I got bitten by this).
I don't recall why it causes so many rebuilds.

--
Thanks,
Maxim
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Josselin Poiret via Guix-patches via @ 2023-03-04 17:52 UTC
To: Leo Famulari, zimoun; +Cc: 61583, Greg Hogan

Hi Leo,

"Leo Famulari" <leo@famulari.name> writes:

> Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Whoops, you're right, I completely ignored that. I agree with you and
Tobias about pushing to master immediately then!

Best,
--
Josselin Poiret
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari @ 2023-03-05 19:30 UTC
To: Josselin Poiret; +Cc: 61583, ludo, Greg Hogan, zimoun

> "Leo Famulari" <leo@famulari.name> writes:
> > Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Now I have confused myself and I'm unsure. I stepped away from Guix for
a while and forgot a lot of the intimate knowledge I had on this
subject.

I checked, and this patch does change the derivation of packages
fetching from Git, although the output is identical. So, I am confused
about if this will cause >10k rebuilds or not.

Here's how I checked, first by calculating derivations and outputs on
the master branch, and then after applying the patch:

------
$ git rev-parse --abbrev-ref HEAD
master
$ git rev-parse HEAD
cedf97ed6ee4eba8c39bfe6cc0efe33fcb977ccf
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv
$ ./pre-inst-env guix build --no-grafts corefreq
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

Apply the patch:

------
$ git checkout contrib-security-git
Switched to branch 'contrib-security-git'
$ git log --oneline | head -n1
faeb52692d gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv
$ ./pre-inst-env guix build --no-grafts corefreq
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

The package derivation changed, but not the output.

I'm looking for guidance on how to interpret these results.
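
An added illustration of the result in the message above (not part of the thread and not Guix's own code): a simplified Python model of how a store computes `.drv` names versus output paths, where a fixed-output derivation contributes only its declared content hash to the outputs of its dependents. The hashing scheme, the `tool-using-git-1.0` package and the content hash are constructed for the example; only the `corefreq` and `git-minimal` names come from the thread.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

STORE = "/gnu/store"


def _digest(text: str) -> str:
    """Shortened SHA-256, standing in for the store's real path hashing."""
    return hashlib.sha256(text.encode()).hexdigest()[:32]


@dataclass(frozen=True)
class Drv:
    name: str
    builder: str
    inputs: Tuple["Drv", ...] = ()
    fixed_hash: Optional[str] = None  # set => fixed-output derivation


def drv_path(d: Drv) -> str:
    """Name of the .drv file: hashes the literal text, which lists every
    input .drv by path, so any change below it changes this name."""
    text = "|".join([d.name, d.builder, d.fixed_hash or "-",
                     *sorted(drv_path(i) for i in d.inputs)])
    return f"{STORE}/{_digest(text)}-{d.name}.drv"


def hash_modulo(d: Drv) -> str:
    """Hash used for output paths. A fixed-output derivation is reduced to
    its declared content hash; how it was fetched is ignored."""
    if d.fixed_hash is not None:
        return _digest(f"fixed:out:{d.fixed_hash}:{d.name}")
    text = "|".join([d.name, d.builder,
                     *sorted(hash_modulo(i) for i in d.inputs)])
    return _digest(text)


def output_path(d: Drv) -> str:
    return f"{STORE}/{_digest('output:out:' + hash_modulo(d))}-{d.name}"


def graph(git_version: str) -> dict:
    """Constructed three-package graph around one Git version."""
    git = Drv(f"git-minimal-{git_version}", "gnu-build-system")
    # Source checkout: fetched *with* git, but pinned by content hash.
    checkout = Drv("corefreq-1.95.2-checkout", "git-fetch", (git,),
                   fixed_hash="constructed-content-hash")
    corefreq = Drv("corefreq-1.95.2", "make", (checkout,))
    # Hypothetical package that has git as an ordinary build input.
    tool = Drv("tool-using-git-1.0", "make", (git,))
    return {"checkout": checkout, "corefreq": corefreq, "tool": tool}


def compare_update(old_version: str, new_version: str) -> dict:
    """For each package: did the .drv name change, did the output change?"""
    old, new = graph(old_version), graph(new_version)
    return {
        name: {
            "drv_changed": drv_path(old[name]) != drv_path(new[name]),
            "output_changed": output_path(old[name]) != output_path(new[name]),
        }
        for name in old
    }


if __name__ == "__main__":
    for name, result in compare_update("2.39.1", "2.39.2").items():
        print(f"{name:10} {result}")
```

In this model only a changed output path means a rebuild: `corefreq` gets a new `.drv` name but keeps its output, while a package with Git as a direct input gets a new output as well.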
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Simon Tournier @ 2023-03-04 18:52 UTC
To: Leo Famulari; +Cc: 61583, Greg Hogan

Hi,

On Fri, 3 Mar 2023 at 22:57, Leo Famulari <leo@famulari.name> wrote:

> Overall, git and git-minimal will cause more than 300 rebuilds, but not
> too many for the current state of the build farm.

I get 546 dependent packages for git + git-minimal which need to be
re-built. And some are really expensive -- that what I meant by "a
lot of rebuilds". :-)

Well, I do not know if there is an issue with QA or it is just really
expensive but the process is still pending, if I read correctly
<https://qa.guix.gnu.org/issue/61583>.

> Concretely, why can't we push this to master immediately?

Somehow the guarantee that none of these 546 would not be broken by
the update. ;-)

Anyway, I had locally built them -- it took 3-4 days on my machine,
IIRC -- and I do not remember any "big" breakage, maybe a couple of
packages -- even maybe not since some are already broken. However, I
did not carefully tracked my process thinking to come back later --
well, I ran "guix gc" in the mean for checking stuff with SWH coverage
thinking that QA would have finished.

I do not have an opinion where or whether to push.

Cheers,
simon
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari @ 2023-03-05 18:45 UTC
To: Simon Tournier; +Cc: 61583, Christopher Baines, Greg Hogan

On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
> I get 546 dependent packages for git + git-minimal which need to be
> re-built. And some are really expensive -- that what I meant by "a
> lot of rebuilds". :-)
>
> Well, I do not know if there is an issue with QA or it is just really
> expensive but the process is still pending, if I read correctly
> <https://qa.guix.gnu.org/issue/61583>.

At the Guix Days, it was said that there is a limit to how many builds
the QA server will perform for a change. I don't recall the number, but
maybe 300 builds per change? So, if a change causes too many rebuilds,
the QA server will not perform the builds.

Aside: Chris, I'd be happy to add a FAQ page to the QA server that
answers this type of question. Let me know if I've missed that one
already exists.

For the Berlin server, I don't think that 546 builds is too many, at
least for Intel systems.

> > Concretely, why can't we push this to master immediately?
>
> Somehow the guarantee that none of these 546 would not be broken by
> the update. ;-)

It's certainly possible that something breaks. But we can do a simple
test by trying to update our profiles and Guix System installations, and
checking that our tools still work. I think it's okay to cause a little
breakage in order to deploy important security updates.
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Christopher Baines @ 2023-03-05 19:27 UTC
To: Leo Famulari; +Cc: 61583, Greg Hogan, Simon Tournier

Leo Famulari <leo@famulari.name> writes:

> On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
>> I get 546 dependent packages for git + git-minimal which need to be
>> re-built. And some are really expensive -- that what I meant by "a
>> lot of rebuilds". :-)
>>
>> Well, I do not know if there is an issue with QA or it is just really
>> expensive but the process is still pending, if I read correctly
>> <https://qa.guix.gnu.org/issue/61583>.
>
> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.

Currently the limit is 200 builds per system.

  https://git.cbaines.net/guix/qa-frontpage/tree/guix-qa-frontpage/manage-builds.scm#n99

> Aside: Chris, I'd be happy to add a FAQ page to the QA server that
> answers this type of question. Let me know if I've missed that one
> already exists.

Contributions are very welcome, there's no documentation yet.

>> > Concretely, why can't we push this to master immediately?
>>
>> Somehow the guarantee that none of these 546 would not be broken by
>> the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.

The backlog of revisions to be processed by data.qa.guix.gnu.org is
being processed faster now, so hopefully the impact of this change will
be visible there shortly.
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Simon Tournier @ 2023-03-05 20:33 UTC
To: Leo Famulari; +Cc: 61583, Christopher Baines, Greg Hogan

Hi Leo,

On Sun, 5 Mar 2023 at 19:46, Leo Famulari <leo@famulari.name> wrote:

> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.

Ah thanks! I always forgot that limit. :-) I mean, since it says
"not yet processed", I still think the limit is higher. ;-) Anyway.

> For the Berlin server, I don't think that 546 builds is too many, at
> least for Intel systems.

Indeed. Just to note that the last update of Git was by commit:

--8<---------------cut here---------------start------------->8---
51f8a7aced70b7f79037bd99019dddaea07ced25
Author:     Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun Jan 15 01:00:03 2023 +0100
Commit:     Tobias Geerinckx-Rice <me@tobias.gr>
CommitDate: Sun Jan 15 01:00:08 2023 +0100

    gnu: git: Update to 2.39.1 [fixes CVE-2022-41903 & CVE-2022-23521].

    * gnu/packages/version-control.scm (git): Update to 2.39.1.

    Reported by HexMachina in #guix.
--8<---------------cut here---------------end--------------->8---

and all was fine...

> > Somehow the guarantee that none of these 546 would not be broken by
> > the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.

...but it was not with the previous,

--8<---------------cut here---------------start------------->8---
83ede5a02e1fc531d912eb92eb0a22a4b897997c
Author:     Greg Hogan <code@greghogan.com>
AuthorDate: Wed Oct 19 20:13:15 2022 +0000
Commit:     Ludovic Courtès <ludo@gnu.org>
CommitDate: Tue Nov 8 14:06:00 2022 +0100

    gnu: git: Update to 2.38.1.

    Fixes CVE-2022-39253 and CVE-2022-39260.

    * gnu/packages/version-control.scm (git): Update to 2.38.1.

    Co-authored-by: Ludovic Courtès <ludo@gnu.org>
--8<---------------cut here---------------end--------------->8---

which had broken part of the Julia ecosystem; now the same problem
cannot arise for Julia. Who knows for the others? Anyway, I did this
rebuild and I did not noticed large breaks.

> > > Concretely, why can't we push this to master immediately?

Since we agree it is fine for master, feel free to push. :-)

Cheers,
simon
* bug#61583: [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Leo Famulari @ 2023-03-06 17:23 UTC
To: Greg Hogan; +Cc: 61583-done

On Fri, Feb 17, 2023 at 06:04:02PM +0000, Greg Hogan wrote:
> * gnu/packages/version-control.scm (git): Update to 2.39.2.

Thank you! Pushed as a0d22c41989e529859c813fb64a78250bde76991

Some more discussion on the subject on #guix IRC:

http://logs.guix.gnu.org/guix/2023-03-06.log#175418
* [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
From: Simon Tournier @ 2023-03-08 9:50 UTC
To: Leo Famulari, Greg Hogan; +Cc: 61583-done

Hi Leo,

On Mon, 06 Mar 2023 at 12:23, Leo Famulari <leo@famulari.name> wrote:

> Some more discussion on the subject on #guix IRC:
>
> http://logs.guix.gnu.org/guix/2023-03-06.log#175418

There is mentioned git-minimal/fixed and git-minimal/pinned.

 + git-minimal/fixed = grafted
 + git-minimal/pinned = that does not change

Basically, the aim of git-minimal/pinned is to avoid “world rebuild”
when updating git-minimal. It is mainly used by some tests and it is
safe to make few upgrades.

See more details here:

    https://issues.guix.gnu.org/issue/61078

or the discussion starting here:

    https://issues.guix.gnu.org/issue/60042#msgid-c811d75e30752a591d9777368672dbdf801675b4

Cheers,
simon