guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCHES] ImageMagick security updates without grafting

From: Mark H Weaver
Subject: Re: [PATCHES] ImageMagick security updates without grafting
Date: Tue, 30 Mar 2021 18:23:00 -0400 
Mark H Weaver <mhw@netris.org> writes:

> Maxime Devos <maximedevos@telenet.be> writes:
>
>> guix build $PACKAGES
>> # maybe guix build $PACKAGES --no-grafts?
>> guix graph --type=references $PACKAGES
>> # ^ look in output for "imagemagick".
>
> For the record, it seems that this command gives false positives.

Sorry, I was mistaken here.  That command appears to be reliable for
this purpose.

> As pointed out in <https://bugs.gnu.org/47479>, the output of that
> command suggests that 'inkscape' retains references to 'imagemagick',
> but that turns out to be false, at least on my system.

It turns out we were talking about two different versions of 'inkscape'.
I was confused by the fact that our 'inkscape' variable points to an
older version of inkscape than "inkscape" selects on the command line.

Anyway, it turns out that inkscape@1.0.2 improperly retains a reference
to its native-input 'imagemagick', but inkscape@0.92.4 does not.
See <https://bugs.gnu.org/47479> for more.

> I suppose the behavior of "guix graph" here makes sense, and is likely
> _not_ a bug, because IIUC "guix graph" does its work without requiring
> 'imagemagick' to be built,

What I wrote is true for many of the graph types supported by "guix
graph", but not when "--type=references" is passed.
Sorry for the confusion.

       Mark
reply via email to
[Prev in Thread] Current Thread [Next in Thread]