GNU bug report logs - #21784
xz-5.0.4.tar.gz is unavailable upstream


Package: guix

Reported by: "-=}\\*/{=-" <rui.damas <at> gmail.com>

Date: Thu, 29 Oct 2015 12:28:04 UTC

Severity: normal

Merged with 21788

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Message #48 received at 21784 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 21784 <at> debbugs.gnu.org
Subject: Alternate xz-5.0.4.tar.gz URL
Date: Fri, 30 Oct 2015 18:06:26 +0100

Efraim Flashner <efraim <at> flashner.co.il> skribis:

> It turns out that hydra, the automated build server for guix, has a copy of
> xz that you can download if you authorize hydra to provide substitutions.
> With a copy of hydra.gnu.org.pub, the command is `sudo guix archive
> --authorize hydra.gnu.org.pub`. After that, instead of building everything
> locally, your computer will first check to see if hydra has already built a
> package and you can just download it.

Since we must have an additional URL to fetch it.

I looked for mirrors on the Web for this tarball and couldn’t find one
(fossies.org doesn’t have it, for instance.)

Then I wanted to upload it to ftp://alpha.gnu.org/gnu/guix/mirror, but
that is rejected:

  file rejected: xz-5.0.4.tar.gz contains a vulnerable Makefile.in
  CVE-2012-3386
  Regenerate it with automake 1.11.6 / 1.12.2 or newer.

So we need another solution.  Any suggestions?  Like mirror URLs I might
have missed?

TIA,
Ludo’.
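
Added example, not part of the original message and not the GNU FTP server's own check: a pre-upload scan that lists the Makefile.in files in a tarball generated by an automake older than the 1.11.6 / 1.12.2 versions named in the rejection above. It assumes the version in automake's header comment is a sufficient indicator; `is_fixed`, `scan_tarball` and `build_sample` are hypothetical names, and the sample tarball is constructed.

```python
import io
import posixpath
import re
import tarfile

# Header comment automake writes at the top of each generated Makefile.in.
HEADER = re.compile(rb"^# Makefile\.in generated by automake (\d+(?:\.\d+)*)", re.M)


def is_fixed(version):
    """True if the automake version is 1.11.6 / 1.12.2 or newer."""
    v = tuple(int(part) for part in version.split("."))
    if v[:2] == (1, 11):          # the 1.11.x branch was fixed in 1.11.6
        return v >= (1, 11, 6)
    return v >= (1, 12, 2)        # everything else: fixed from 1.12.2 on


def scan_tarball(fileobj):
    """Return [(member, automake_version)] for Makefile.in files that need regenerating."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or posixpath.basename(member.name) != "Makefile.in":
                continue
            head = tar.extractfile(member).read(4096)  # header is in the first lines
            match = HEADER.search(head)
            if match and not is_fixed(match.group(1).decode()):
                findings.append((member.name, match.group(1).decode()))
    return findings


def build_sample():
    """Constructed in-memory tarball for the demo (not the real xz-5.0.4.tar.gz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, ver in (("pkg-1.0/Makefile.in", "1.11.1"),
                          ("pkg-1.0/src/Makefile.in", "1.15")):
            data = f"# Makefile.in generated by automake {ver} from Makefile.am.\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, ver in scan_tarball(build_sample()):
        print(f"{name}: generated by automake {ver}, regenerate before upload")
```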




This bug report was last modified 9 years and 204 days ago.
