On Wed, May 08, 2024 at 11:03:02AM +0200, Josselin Poiret wrote:
>
> The one thing that we need to do right now is update glibc 2.39 with all
> the fixes from the upstream release/2.39/master branch. I don't think
> we've done this before significantly, but since we have an occasion this
> time we might as well. We can't really use git-fetch for glibc, so imo
> the only feasible option is like what Debian does [1], which is keeping
> a diff of the 2.39 tag and the release branch and applying it as a
> patch. We'll then probably need to add autotools to glibc builds, but
> this is doable even in commencement because we have them already
> available at that point.
>
> The one downside of this is that the patch name will not include the
> fixed CVEs, so guix lint won't be aware that the CVEs have been patched.
>
> [1] https://salsa.debian.org/glibc-team/glibc/-/blob/sid/debian/patches/git-updates.diff
>
> WDYT?
>
> Best,
> --
> Josselin Poiret

I think that's a good idea, and probably something we should do for the
other copies of glibc we have.

We can also use the package-property lint-hidden-cves to list the CVEs
which are covered by the diff, and that'll hide the CVEs from 'guix lint'.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
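The approach both messages describe (a Debian-style diff of the 2.39 tag against the release branch applied as a patch, autoconf added so the patched configure script can be regenerated, and the covered CVEs listed in the lint-hidden-cves property so 'guix lint -c cve' stops reporting them) would look roughly like the following Guix package definition. This is an added illustration, not code from the thread or from Guix itself: the patch file name and the CVE identifiers are placeholders, and the module name is made up.

```scheme
;; Added example, not from the thread: a glibc variant carrying a
;; "git-updates" style diff from the upstream release/2.39/master branch.
(define-module (gnu packages glibc-updates)   ; hypothetical module name
  #:use-module (guix packages)
  #:use-module (gnu packages)                 ; search-patches
  #:use-module (gnu packages autotools)       ; autoconf
  #:use-module (gnu packages base))           ; glibc

(define-public glibc-2.39-with-updates
  (package
    (inherit glibc)
    (source
     (origin
       (inherit (package-source glibc))
       ;; Diff between the 2.39 tag and release/2.39/master, stored under
       ;; gnu/packages/patches/.  The file name here is a placeholder.
       (patches (append (origin-patches (package-source glibc))
                        (search-patches "glibc-2.39-git-updates.patch")))))
    ;; The diff touches configure.ac, so autoconf is needed at build time
    ;; to regenerate configure.
    (native-inputs
     (modify-inputs (package-native-inputs glibc)
       (prepend autoconf)))
    ;; Because the patch name carries no CVE ids, tell the lint checker
    ;; which advisories the diff already covers.  Placeholder ids: replace
    ;; with the CVEs actually fixed on the release branch.
    (properties
     `(,@(package-properties glibc)
       (lint-hidden-cves . ("CVE-YYYY-NNNNN" "CVE-YYYY-MMMMM"))))))
```

The property is read by the CVE checker in guix/lint.scm, which simply skips any identifier listed there; the trade-off is that the list must be maintained by hand each time the diff is refreshed, since nothing verifies that the CVEs named are really fixed by the patch.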