Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
From: zimoun
Subject: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 17:34:34 +0100

Hi,

This commit 6f873731a030dd7ecbd8a5e756b38b26306f6966:

<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6f873731a030dd7ecbd8a5e756b38b26306f6966>

fixes CVE-2021-24032 which says: "Beginning in v1.4.1 and prior to
v1.4.9, output files were created with default permissions. [...]".

The mentioned commit replaces zstd@1.4.4 by zstd@1.4.9 which seems
more than just grafting. Well, 1.4.4 was released on Nov 2019 and
1.4.9 some days ago.

I agree that security is important but we lived more than one and a half
years with 1.4.4 so the upgrade to 1.4.9 should only go to
core-updates, not as a 'replacement' graft. IMHO.

The consequence of this change was the breakage of "guix pull" on
master for at least i686. Which leads to the commit
2bcfb944bdd2f476ef8d34802fed436e4fdda0ab disabling the zstd test-suite
for all the architectures.

<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2bcfb944bdd2f476ef8d34802fed436e4fdda0ab>

Noting that "guix pull" should still be failing for at least i686 on
core-updates because of the test suite of zstd@1.4.9.

The question is: should the next release 1.2.1 contain zstd@1.4.9 as
graft? Or do we revert the commit and simply fix it on core-updates
and wait for the next core-updates cycle? Personally, I am in favor
of the latter. WDYT?

The issue is the test:

    roundTripTest -g8M "19 -T0 --long"

which fails for the value 19 but not other values such as 18 or 20 or many
others. After a quick reading of the doc, I am not sure I understand
the meaning of such a value. Input welcome.

BTW, on my machine the attached patch builds for both x86_64 and i686
(emulated).

    ./pre-inst-env guix build zstd@1.4.9 --system=i686-linux --no-grafts

Depending on the answer to the previous question, the patch should go
to master or core-updates. And other architectures should be examined
with care.

Cheers,
simon

fix-zstd-i686.patch
Description: Text Data