guix-devel

Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?


From: zimoun
Subject: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 17:34:34 +0100

Hi,

This commit 6f873731a030dd7ecbd8a5e756b38b26306f6966:

<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6f873731a030dd7ecbd8a5e756b38b26306f6966>

fixes CVE-2021-24032 which says: "Beginning in v1.4.1 and prior to
v1.4.9, output files were created with default permissions. [...]".

The mentioned commit replaces zstd@1.4.4 by zstd@1.4.9 which seems
more than just grafting.  Well, 1.4.4 was released in Nov 2019 and
1.4.9 some days ago.

I agree that security is important but we lived more than one and a half
years with 1.4.4 so the upgrade to 1.4.9 should only go to
core-updates, not as a 'replacement' graft.  IMHO.

The consequence of this change was the breakage of "guix pull" on
master for at least i686.  Which leads to the commit
2bcfb944bdd2f476ef8d34802fed436e4fdda0ab disabling the zstd test-suite
for all the architectures.

<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2bcfb944bdd2f476ef8d34802fed436e4fdda0ab>

Noting that "guix pull" should still be failing for at least i686 on
core-updates because of the test suite of zstd@1.4.9.


The question is: should the next release 1.2.1 contain zstd@1.4.9 as
a graft?  Or do we revert the commit and simply fix it on core-updates
and wait for the next core-updates cycle?  Personally, I am in favor
of the latter.  WDYT?

The issue is the test:

    roundTripTest -g8M "19 -T0 --long"

which fails for the value 19 but not other values such as 18 or 20 or many
others.  After a quick reading of the doc, I am not sure I understand
the meaning of such a value.  Input welcome.

BTW, on my machine the attached patch builds for both x86_64 and i686
(emulated).

   ./pre-inst-env guix build zstd@1.4.9 --system=i686-linux --no-grafts

Depending on the answer of the previous question, the patch should go
to master or core-updates.  And other architectures should be examined
with care.


Cheers,
simon

Attachment: fix-zstd-i686.patch
Description: Text Data
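
The CVE text quoted in the message concerns output files created with default permissions. The C sketch below is an added example, not part of the original message and not zstd's code; it contrasts default-permission creation with owner-only creation, and its function names and file names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits (lower 9) of path, or -1 on error. */
int mode_of(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* "Before": fopen() asks for 0666 and only the process umask narrows it,
 * so the output can be readable by others even if the input was private. */
int create_default(const char *path) {
    unlink(path);                       /* start from a clean slate */
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fclose(f);
    return mode_of(path);
}

/* "After" (one common hardening, assumed here): the mode is fixed to
 * owner-only at creation time; O_EXCL refuses a pre-existing file or symlink. */
int create_restricted(const char *path) {
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return mode_of(path);
}

/* Runs both variants under a typical 022 umask; file names are constructed. */
int demo(int *default_mode, int *restricted_mode) {
    mode_t old = umask(022);
    *default_mode = create_default("perm_demo_default.out");
    *restricted_mode = create_restricted("perm_demo_restricted.out");
    umask(old);
    unlink("perm_demo_default.out");
    unlink("perm_demo_restricted.out");
    return (*default_mode < 0 || *restricted_mode < 0) ? -1 : 0;
}

int main(void) {
    int d, r;
    if (demo(&d, &r) != 0) return 1;
    printf("default: %04o  restricted: %04o\n", d, r);
    return 0;
}
```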

