GNU bug report logs - #47144
security patching of 'patch' package

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:39:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Leo Famulari <leo <at> famulari.name>, Vivien Kraus <vivien <at> planete-kraus.eu>, 47144 <at> debbugs.gnu.org
Subject: bug#47144: security patching of 'patch' package
Date: Wed, 05 Jun 2024 20:49:54 -0400
Hi Simon,

Simon Tournier <zimon.toutoune <at> gmail.com> writes:

> Hi,
>
> On Wed, 05 Jun 2024 at 18:04, Ludovic Courtès <ludo <at> gnu.org> wrote:
>
>> What about renaming ‘patch’ to ‘patch/pinned’ and having ‘patch’ point
>> to the new version?
>>
>> Internally, we’d refer to ‘patch/pinned’ in (guix packages), but user
>> code etc. would refer to ‘patch’ and thus get the latest version.
>
> I agree; it appears to me “safer” than the graft.
>
> However, the cost is to identify which package needs ’patch/pinned’ and
> which needs new ’patch’.  Then once upstream Patch upgrades, there is
> also the question to unpin all the packages.

Indeed.  It'll be easy though to grep for 'patch/pinned', which are far
and few in between, compared to grepping for 'patch'...  I've
implemented Ludovic's suggestion in v4, before I actually read this
reply of yours... I think it's OK; it goes a bit further than
'patch-latest' to protect users in case they refer to the 'patch'
package variable directly.

-- 
Thanks,
Maxim
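The layout Ludovic describes above (the old release kept as 'patch/pinned' for internal use, with the plain 'patch' variable pointing at the newer release), sketched as an added illustration in Guix's package syntax; this is not the actual Guix change, and the module name, version strings and hashes are placeholders:

```scheme
;; Added illustration, not Guix's own commit.  'patch/pinned' stays at the
;; old release so that internal users such as (guix packages) keep the same
;; derivation, while 'patch' inherits from it at the new release, so user
;; code that refers to the 'patch' variable directly picks up the fix.
;; "OLD-VERSION", "NEW-VERSION" and the all-zero hashes are placeholders.
(define-module (example patch-pinning)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public patch/pinned
  (package
    (name "patch")
    (version "OLD-VERSION")                 ; placeholder
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/patch/patch-"
                                  version ".tar.xz"))
              (sha256
               (base32                      ; placeholder hash
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (synopsis "Apply a diff to original files")
    (description "GNU Patch applies the changes described in a diff file.")
    (home-page "https://www.gnu.org/software/patch/")
    (license license:gpl3+)))

;; The unprefixed variable is what user code normally refers to, so it
;; becomes the updated release; everything else is inherited unchanged.
(define-public patch
  (package
    (inherit patch/pinned)
    (version "NEW-VERSION")                 ; placeholder
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/patch/patch-"
                                  version ".tar.xz"))
              (sha256
               (base32                      ; placeholder hash
                "0000000000000000000000000000000000000000000000000000"))))))
```

Once upstream ships a release that can be used everywhere, the unpinning step Simon mentions reduces to finding the remaining references to the 'patch/pinned' variable and switching them back to 'patch'.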

This bug report was last modified 333 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.