guix-devel

Re: xwayland security updates, to mesa- or core-updates or ?


From: John Kehayias
Subject: Re: xwayland security updates, to mesa- or core-updates or ?
Date: Mon, 18 Dec 2023 06:02:18 +0000

Hi Kaelyn and everyone,

On Fri, Dec 15, 2023 at 05:25 PM, Kaelyn wrote:

> On Thursday, December 14th, 2023 at 10:21 PM, John Kehayias
> <john.kehayias@protonmail.com> wrote:
>
>>
>> Hi Guix,
>>
>> In light of (more) CVEs in xwayland, see
>> <https://lists.x.org/archives/xorg-announce/2023-December/003435.html>,
>> with already pending security updates, see
>> <https://issues.guix.gnu.org/67136>, I would like to prioritize
>> getting that fixed in master. The tricky thing is that, according to
>> 67136, the xwayland update needs newer xorgproto, which corresponds to
>> many rebuilds. (The related CVEs in xorg-server have been pushed
>> already as effectively minor version bumps.)
>>
>> Where is the most efficient branch for this, that could take these
>> rebuilds to be merged to master soon (whatever soon is for a scope of
>> something like 22k affected packages)?
>>
>> I was thinking to put that update and mesa, since it had a new stable
>> release after the current one never got updates, on mesa-updates and
>> merge once builds are done assuming no issues. Again, the potential
>> sore spot is xorgproto I would say. I could see about any other
>> pending/urgent related changes, but I'm not aware of any off the top
>> of my head and want to let this move quickly. I also don't want to
>> jump the queue sending other branches to rebuild everything again.
>
> This doesn't seem unreasonable to me, for picking up both the new mesa
> release and the latest xwayland security fixes.
>
>> I'll test things locally in the meantime, but please chime in. If I
>> don't hear anything too urgent I'll update the mesa-updates branch to
>> start builds at least. I've also cc'ed some names I think will be
>> knowledgeable about some current branches.
>>

I've pushed 3 patches (mesa, xorgproto, xorg-server-xwayland) to
mesa-updates after merging in master. The farm is building away.

The request for merging is at <https://issues.guix.gnu.org/67875> with
some details. In short, running into some issues with builds "failing"
because they just die or "missing derivation" errors. I'm restarting
what I see that seems higher impact, but is there any way to restart
all the failed builds or ones with missing dependencies?

Also, gtk for i686-linux is failing a test and I don't know why. With
a newer version incoming from the gnome team I would just go for
disabling that test if I knew how...

>> And thanks to Kaelyn (also cc'ed) for the pending xwayland patches!
>
> You're welcome! I've been working on updating my patch set to xwayland
> 23.2.3, but it's been taking a while to build the update because most
> of the dependency stack on core-updates apparently needed rebuilding
> locally (presumably from a lack of recent substitutes unrelated to the
> xorgproto-triggered rebuilds, but that's based on my computer churning
> away at the build for the past day or so, and not having checked guix
> weather yet--I even ran into an issue with coreutils-minimal failing a
> test when /tmp was a btrfs partition, that I got past by mounting a
> tmpfs on /tmp).
>
> Cheers,
> Kaelyn
>

Thanks! I saw you had posted the latest version and that's what I
included. On x86_64-linux at least everything has built fine for
those, but the larger world remains to be seen.

Would still like confirmation from other branches about what they want
to do, but we have some time while things build. And builds get
restarted.

Thanks!
John
