nudging patches

nudging patches

[Remco van 't Veer]

Hi,

What's the preferred / politest way to draw attention to patches (and /
or bugs) which seem to have been overlooked?

And while I have your attention and you're wondering which patches I'd
like to promote.. 😉

- #62557 [guix-patches]
  [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
- #62558 [guix-patches]
  [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
- #62559 [guix-patches]
  [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
- #62561 [guix-patches]
  [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].

They still apply cleanly on master.

But seriously, what is the preferred way to do this?

Cheers,
Remco

Re: nudging patches

[Giovanni Biscuolo]

[-- Attachment #1: Type: text/plain, Size: 1502 bytes --]

Hello Remco,

sorry for cross posting to guix-devel but I think this is more a devel
(committers needing help) discussion than a user (needing help) one :-)

Remco van 't Veer <remco@remworks.net> writes:

> Hi,
>
> What's the preferred / politest way to draw attention to patches (and /
> or bugs) which seem to have been overlooked?

AFAIU send an email ping to the patch/bug, possibly Cc-ing the related
team [1]

> And while I have your attention and you're wondering which patches I'd
> like to promote.. 😉
>
> - #62557 [guix-patches]
>   [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
> - #62558 [guix-patches]
>   [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
> - #62559 [guix-patches]
>   [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
> - #62561 [guix-patches]
>   [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
>
> They still apply cleanly on master.

This is the current Ruby team:

id: ruby
name: Ruby team
description: <none>
scope: "gnu/packages/ruby.scm" "guix/build/ruby-build-system.scm" "guix/build-system/ruby.scm" "guix/import/gem.scm" "guix/scripts/import/gem.scm" "tests/gem.scm" 
members:
+ Christopher Baines <mail@cbaines.net>

> But seriously, what is the preferred way to do this?

HTH! Gio'

[1] https://guix.gnu.org/en/manual/devel/en/html_node/Teams.html#Teams

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 849 bytes --]

Re: nudging patches

[Andreas Enge]

Am Wed, May 17, 2023 at 04:30:44PM +0200 schrieb Remco van 't Veer:
> What's the preferred / politest way to draw attention to patches (and /
> or bugs) which seem to have been overlooked?

No idea, ideally it should not be necessary ;-)
There is a certain backlog in the QA process so that your patches were not
built out on the build farm. Otherwise I think someone would have applied
(most of) them already.

> And while I have your attention and you're wondering which patches I'd
> like to promote.. 😉
> - #62557 [guix-patches]
>   [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
> - #62558 [guix-patches]
>   [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
> - #62559 [guix-patches]
>   [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
> - #62561 [guix-patches]
>   [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].

I applied the last three ones, but not the first one, as it requires a very
big amount of rebuilds (more than 8000 dependent packages).

Maybe this could be an occasion for the ruby team to tidy up the
packages. We currently have five publicly visible ruby versions:
$ ./pre-inst-env guix package -A ^ruby$
ruby	3.1.4 	out	gnu/packages/ruby.scm:232:2
ruby	2.7.6 	out	gnu/packages/ruby.scm:163:2
ruby	3.2.2 	out	gnu/packages/ruby.scm:246:2
ruby	2.6.10	out	gnu/packages/ruby.scm:110:2
ruby	3.0.6 	out	gnu/packages/ruby.scm:215:2

Could the three middle ones be dropped?

Then there is an internal version ruby/fixed, which is very old, but,
strangely, ahead of the public minor ruby version, @2.7.7.
Could the remainder of ruby and other packages be made dependent on @3.2
instead of @2.7?

Andreas

Re: nudging patches

[Remco van 't Veer]

Thanks Andreas!


2023/05/19 11:26, Andreas Enge:

>> And while I have your attention and you're wondering which patches I'd
>> like to promote.. 😉
>> - #62557 [guix-patches]
>>   [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
>> - #62558 [guix-patches]
>>   [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
>> - #62559 [guix-patches]
>>   [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
>> - #62561 [guix-patches]
>>   [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
>
> I applied the last three ones, but not the first one, as it requires a very
> big amount of rebuilds (more than 8000 dependent packages).
>
> Maybe this could be an occasion for the ruby team to tidy up the
> packages. We currently have five publicly visible ruby versions:
> $ ./pre-inst-env guix package -A ^ruby$
> ruby	3.1.4 	out	gnu/packages/ruby.scm:232:2
> ruby	2.7.6 	out	gnu/packages/ruby.scm:163:2
> ruby	3.2.2 	out	gnu/packages/ruby.scm:246:2
> ruby	2.6.10	out	gnu/packages/ruby.scm:110:2
> ruby	3.0.6 	out	gnu/packages/ruby.scm:215:2
>
> Could the three middle ones be dropped?

Ruby 2.6 is EOL and 2.7 got it's "last" release in march
(https://www.ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/).  So
I guess 2.6 can be dropped and 2.7 may linger for a while?

> Then there is an internal version ruby/fixed, which is very old, but,
> strangely, ahead of the public minor ruby version, @2.7.7.

It seems the ruby-2.7-fixed var has been orphaned by the latest
core-updates merge.  It was used for grafting (used as an "replacement"
in the ruby-2.7 var) and my patch was still depending on that.  I can
update the patch by reinserting the grafting bit.  WDYT?

> Could the remainder of ruby and other packages be made dependent on @3.2
> instead of @2.7?

This will probably me a trail and error path leaning on tests included
in the packages.

Cheers,
Remco

Re: nudging patches

[Andreas Enge]

Hello Remco,

Am Fri, May 19, 2023 at 11:48:08AM +0200 schrieb Remco van 't Veer:
> Ruby 2.6 is EOL and 2.7 got it's "last" release in march
> (https://www.ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/).  So
> I guess 2.6 can be dropped and 2.7 may linger for a while?

the announcement states that
"After this release, Ruby 2.7 reaches EOL. In other words, this is expected to be the last release of Ruby 2.7 series. We will not release Ruby 2.7.9 even if a security vulnerability is found"

So it would be best to try to get rid of it as soon as possible;
if security vulnerabilities are not fixed, the working hypothesis is
that the package has security vulnerabilities...

> > Then there is an internal version ruby/fixed, which is very old, but,
> > strangely, ahead of the public minor ruby version, @2.7.7.
> It seems the ruby-2.7-fixed var has been orphaned by the latest
> core-updates merge.  It was used for grafting (used as an "replacement"
> in the ruby-2.7 var) and my patch was still depending on that.  I can
> update the patch by reinserting the grafting bit.  WDYT?

Oh, I see. I am not familiar at all with grafting. But that would be
an option indeed to avoid rebuilding.

> > Could the remainder of ruby and other packages be made dependent on @3.2
> > instead of @2.7?
> This will probably me a trail and error path leaning on tests included
> in the packages.

With your findings above about ruby@2.7, this looks like a worthwhile path!

Andreas

[PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]

[Remco van 't Veer]

Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
CVE-2023-28756 (ReDoS vulnerability in Time).

* gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
(ruby-2.7)[replacement]: Graft.
---
 gnu/packages/ruby.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index dbd4127343..eb84367d15 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -163,6 +163,7 @@ (define-public ruby-2.7
   (package
     (inherit ruby-2.6)
     (version "2.7.6")
+    (replacement ruby-2.7-fixed) ; security fixes
     (source
      (origin
        (inherit (package-source ruby-2.6))
@@ -200,7 +201,7 @@ (define-public ruby-2.7
 (define ruby-2.7-fixed
   (package
     (inherit ruby-2.7)
-    (version "2.7.7")
+    (version "2.7.8")
     (source
      (origin
        (inherit (package-source ruby-2.7))
@@ -209,7 +210,7 @@ (define ruby-2.7-fixed
                            "/ruby-" version ".tar.gz"))
        (sha256
         (base32
-         "143vih5jzmrd2r5h94pa3qzml0ldii0qzs6g09jg6zqxd7djf0g1"))))))
+         "182vni66djmiqagwzfsd0za7x9k3zag43b88c590aalgphybdnn2"))))))
 
 (define-public ruby-3.0
   (package

base-commit: 14c03807ba4bc81d42cf869f5b827f7da54ff843
-- 
2.40.1

bug#62557: [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]

[Andreas Enge]

Am Fri, May 19, 2023 at 01:09:17PM +0200 schrieb Remco van 't Veer:
> Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
> CVE-2023-28756 (ReDoS vulnerability in Time).
> * gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
> (ruby-2.7)[replacement]: Graft.

Sorry for the delay, I needed to read up on grafts first. Everything looks
good, a dependent package builds, so I have pushed this and am closing
the bug.

Thanks!

Andreas