[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

From: Tobias Geerinckx-Rice
Subject: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 21:53:01 +0100

Hi L[ée]o,

Wow, Léo. You've done some seriously impressive CVE squashing in such a short timespan, and I'm very grateful to have you on board.

Leo Famulari 写道:
I do agree that updating this program 5 versions in a graft was perhaps
too much.

We should always try to cherry-pick bug-fix patches when grafting.
Otherwise the risk of breakage is too high.

I agree. Whilst grafts are indispensible for timely deployment of security patches, they're also a dirty hack composed entirely of rough edges.

They exist for one purpose: patch out known vulnerabilities. Every extra change not strictly required for security is a liability.

We sometimes get away with grafting entire releases (OpenSSL comes to mind), but this is not an ideal to emulate.

At least, these types of patches should be reviewed on guix-patches.
Léo, can you send them to guix-patches in the future?

I have the same request :-) Please submit non-trivial patches for review (and, unfortunately, grafts are hardly ever trivial). This isn't a comment on your work; it's our standard way of doing things.

I know we're not the #1 bestest project when it comes to the swift review of patches. I understand the sense of urgency in fixing things that one feels should have been fixed long ago. Thank you for helping us to improve on both points.

Kind regards,


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]