Re: do old packages like Musescore 3.6.2 need updating?
From: Martin Castillo
Subject: Re: do old packages like Musescore 3.6.2 need updating?
Date: Sat, 29 Apr 2023 15:42:35 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0

On 28.04.23 at 17:15, Gottfried wrote:
> Hi,
> 1.
> I have the old version of Musescore 3.6.2 which I want in one profile.
> When I update all profiles at once through a script, it also builds
> the old version of Musescore locally, which needs 1 hour on my laptop.
> Firstly, why does it always build it on my laptop?

When you update guix, musescore's dependencies get updated (like
libraries it uses). Once that happens, your manifest then implicitly
defines a new musescore 3.6.2, where its dependencies are the newer
ones. Therefore musescore gets rebuilt. Since musescore 3.6.2 is not
packaged by the guix distribution anymore, it won't be built by the
official substitute servers and your laptop cannot just download the
built version.

> 2.
> Do old versions of a package also need to be upgraded?

Normally you'd want to have up-to-date software because of three reasons:
1. Security issues get fixed.
2. Other malfunctions/bugs get fixed.
3. New functionality.

1. becomes much less relevant if your software is never exposed to
untrusted inputs (e.g. has no internet connection). I'd guess musescore
never connects to the internet. Do you maybe open musescore project
files that you got from someone you don't trust, like random forums on
the web? Or do you get soundfont files from similar sources? In that
case a malicious file opened by musescore might do bad things to your
system, if it can exploit a vulnerability musescore 3.6.2 (or one of
its dependencies) has.
How would you prevent that? You can't update musescore, because version
3 is no longer supported.
In case 3.6.2 has any security-related vulnerability it would be best to
not open any files with it that you don't trust to be non-harmful.
Rebuilding with a newer guix version might get rid of vulnerabilities
from musescore's dependencies, but not any problems in musescore itself.

2. Similar to 1., there might be bugs that make musescore crash, hang or
something. These may stem from a bug in one of the dependencies. If you
encounter such a problem, rebuilding musescore might help.

3. Does not apply here, because musescore 3 does not receive any updates.

So in summary, rebuilding musescore 3.6.2 might increase its stability,
but you still should not expose musescore to untrusted files.

> 3.
> And why does it always want to build it locally on my laptop?
> I thought old versions of a package don't need upgrading, because only
> new packages develop.
> Maybe I am mistaken.
> Do old versions of a package also need upgrading because of some
> dependencies?
> 4.
> When I upgrade all profiles at once, but do not want to upgrade
> Musescore 3.6.2,
> what are the possibilities?
> Should I put Musescore 3.6.2 as the only package in one profile and
> exclude this profile from updating?

That's a simple solution for your problem. If you don't notice any
stability bugs of musescore, then you don't need to rebuild it.

> Or is it better sometimes also to upgrade this old package?
> Kind regards
> Gottfried