[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & C
From: |
Leo Famulari |
Subject: |
[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]. |
Date: |
Sun, 5 Mar 2023 13:45:58 -0500 |
On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
> I get 546 dependent packages for git + git-minimal which need to be
> re-built. And some are really expensive -- that what I meant by "a
> lot of rebuilds". :-)
>
> Well, I do not know if there is an issue with QA or it is just really
> expensive but the process is still pending, if I read correctly
> <https://qa.guix.gnu.org/issue/61583>.
At the Guix Days, it was said that there is a limit to how many builds
the QA server will perform for a change. I don't recall the number, but
maybe 300 builds per change? So, if a change causes too many rebuilds,
the QA server will not perform the builds.
Aside: Chris, I'd be happy to add a FAQ page to the QA server that
answers this type of question. Let me know if I've missed that one
already exists.
For the Berlin server, I don't think that 546 builds is too many, at
least for Intel systems.
> > Concretely, why can't we push this to master immediately?
>
> Somehow the guarantee that none of these 546 would not be broken by
> the update. ;-)
It's certainly possible that something breaks. But we can do a simple
test by trying to update our profiles and Guix System installations, and
checking that our tools still work. I think it's okay to cause a little
breakage in order to deploy important security updates.
- [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]., (continued)
[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]., Simon Tournier, 2023/03/04