GNU bug report logs - #47144
security patching of 'patch' package


Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:39:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Message #83 received at 47144 <at> debbugs.gnu.org (full text, mbox):

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>, Maxim Cournoyer
 <maxim.cournoyer <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Leo Famulari <leo <at> famulari.name>,
 Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 18:44:40 +0200

Hi,

On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo <at> gnu.org> wrote:

> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
> to the new version?
>
> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
> code etc. would refer to ‘patch’ and thus get the latest version.

I agree; it appears to me “safer” than the graft.

However, the cost is to identify which package needs ’patch/pinned’ and
which needs the new ’patch’.  Then once upstream Patch upgrades, there is
also the question of unpinning all the packages.

Somehow, your previous suggestion ’patch-latest’ for this new package
appears to me the best solution.  Because it does not require any update
here and there, and since the source field follows the Git upstream
latest instead of the released tarball, this solution of ’patch-latest’
seems appropriate.

Cheers,
simon




This bug report was last modified 333 days ago.
