GNU bug report logs - #56302
[PATCH] gnu: ruby: Update to 2.7.6 [security fixes].

Previous Next

Package: guix-patches;

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Wed, 29 Jun 2022 15:56:02 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <marius <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Maxime Devos <maximedevos <at> telenet.be>
To: Remco van 't Veer <remco <at> remworks.net>, 56302 <at> debbugs.gnu.org
Subject: [bug#56302] Acknowledgement ([PATCH] gnu: ruby: Update to 2.7.6 [security fixes].)
Date: Wed, 29 Jun 2022 18:04:37 +0200

[Message part 1 (text/plain, inline)]
Remco van 't Veer schreef op wo 29-06-2022 om 17:58 [+0200]:
> Please note:
> 
>   $ guix refresh --list-dependent ruby <at> 2.7
>   Building the following 2346 packages would ensure 6612 dependent packages are rebuilt: ...
> 
> So this goes into core-updates.

core-updates probably won't be merged for a long time, so a graft might
be needed in the meantime.

Basically, what you need to do is:

  * keep the old ruby <at> 2.7.4 package definition
  * add a ruby <at> 2.7.6 package (as (define-public ruby-2.7-fixed [...]))
  * in ruby <at> 2.7.4, add a field
    (replacement ruby-2.7-fixed) ; security fixes

and verify that some Ruby-using dependents still seem to work.

That way, we can use a fixed ruby <at> 2.7.6 on master.

(This assumes that ruby is graftable -- this assumes that ruby is
ABI-compatible, otherwise the grafted dependents won't work.)

Greetings,
Maxime

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years and 268 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.