help-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: do old packages like Musescore 3.6.2 need updating?

From: Martin Castillo
Subject: Re: do old packages like Musescore 3.6.2 need updating?
Date: Sat, 29 Apr 2023 15:42:35 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 


Am 28.04.23 um 17:15 schrieb Gottfried:

Hi,

1.
I have the old version of Musescore 3.6.2 which I want in one profile.
When I update all profiles at once through a script, it also builds locally the old version of Musescore, which needs 1 hour on my laptop. 
Firstly, why it always builds it on my laptop?
When you update guix, musescores dependencies get updated (like libraries it uses). Once that happens, your manifest then implicitly defines a new musescore 3.6.2, where it's dependencies are the newer ones. Therefore musescore gets rebuild. Since musescore 3.6.2 is not packaged by the guix distribution anymore, it won't be build by the official substitute servers and your laptop cannot just download the built version. 

2.
Do old versions of a package also need to be upgraded?


Normally you'd want to have up-to-date software because of three reasons:
1. Security issues get fixed.
2. Other malfunctions/bugs get fixed.
3. New functionality.
1. becomes much less relevant if your software is never exposed to untrusted inputs (e.g. has not internet connection). I'd guess musescore never connects to the internet. Do you maybe open musescore project files that you got from someone you don't trust, like random forums on the web? Or do you get soundfont files from similar sources? In that case a malicious file opened by musescore might do bad things to your system, if it can exploit a vulnerability musescore 3.6.2 (or one of it's dependencies) has.
How would you prevent that? You can't update musescore, because version 3 is any longer supported. In case 3.6.2 has any security related vulnerability it would be best to not open any files with it, that you don't trust to be non-harmful.
Rebuilding with a newer guix version might get rid of vulnerabilities from musescore's dependencies, but not any problems in musescore itself.
2. Similar to 1. there might be bugs that make musescore crash, hang or something. These may stem from a bug in one of the dependencies. If you encounter such a problem, rebuilding musescore might help. 

3. Does not apply here, because musescore 3 does not receive any updates.
So in summary, rebuilding musescore 3.6.2 might increase it's stability, but you still should not expose musescore to untrusted files. 




3.
and why it want to build it always on my laptop locally?
I thought old versions of a package don’t need upgrading, because only new packages develop. 
May be I am mistaken.
Do old versions of a package also need upgrading because of some dependencies? 

4.
when I upgrade all profiles at once, but do not want to upgrade Musescore 3.6.2 
what are the possibilities?

Should I put Musescore 3.6.2 as only package in one profile and
exclude this profile from updating?
That's a simple solution for your problem. If you don't notice any stability bugs of musescore, than you don't need to rebuild it. 


or is it better sometimes also to upgrade this old package?

Kind regards

Gottfried
reply via email to
[Prev in Thread] Current Thread [Next in Thread]