Maxime Devos schreef op wo 29-06-2022 om 20:29 [+0200]:
> Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
> > +        
> "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
> 
> This matches with a local
> 
> $ guix download
> https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’
> 
> and with all the hashes from
> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/>.
> 
> I'll try diffing (*) it with the old tarball for ‘suspiciousness’
> (e.g.: obvious malware, new bundling, ???).

When scrolling through the diff, nothing looked ‘suspect’ at first
glance.  However, I did notice something else: some parts are not 
under the Ruby License, but under 2-clause BSD:

│ ├── +++ ruby-2.7.4/gems/xmlrpc-0.3.0/LICENSE.txt
│ │┄ Files 26% similar despite different names
│ │ @@ -1,13 +1,10 @@
│ │ -test-unit is copyrighted free software by Kouhei Sutou
│ │ -<kou@cozmixng.org>, Ryan Davis <ryand-ruby@zenspider.com>
│ │ -and Nathaniel Talbott <nathaniel@talbott.ws>.
│ │ -
│ │ -You can redistribute it and/or modify it under either the terms of
the GPL
│ │ -version 2 (see the file GPL), or the conditions below:
│ │ +Ruby is copyrighted free software by Yukihiro Matsumoto
<matz@netlab.jp>.
│ │ +You can redistribute it and/or modify it under either the terms of
the
│ │ +2-clause BSDL (see the file BSDL), or the conditions below:

so it maybe be good to add ‘2-clause BSDL’ to the license field as well
(though given that it's an old issue, bringing the new version of ruby
in Guix has priority).

Also, looks like it bundles some autoconf scripts (config.guess), which
is not in line with
<https://lists.gnu.org/archive/html/guix-devel/2022-04/msg00065.html>,
but also not priority given the security fix.

Greetings,
Maxime