GNU bug report logs - #48304
[PATCH] gnu: expat: Update via graft.


Package: guix-patches;

Reported by: Leo Prikler <leo.prikler <at> student.tugraz.at>

Date: Sat, 8 May 2021 23:29:01 UTC

Severity: normal

Tags: patch, security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Message #25 received at 48304 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <marius <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>, Leo Prikler
 <leo.prikler <at> student.tugraz.at>
Cc: Maxime Devos <maximedevos <at> telenet.be>, 48304 <at> debbugs.gnu.org
Subject: Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
Date: Sun, 23 May 2021 17:33:05 +0200
merge 48304 48612
thanks

Leo Famulari <leo <at> famulari.name> writes:

> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already.  The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.

I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):

  https://issues.guix.gnu.org/48612

This bug report was last modified 3 years and 356 days ago.
