From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 17 13:04:15 2023
Received: (at submit) by debbugs.gnu.org; 17 Feb 2023 18:04:15 +0000
Received: from localhost ([127.0.0.1]:41516 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pT55i-0003ff-Rd
	for submit@debbugs.gnu.org; Fri, 17 Feb 2023 13:04:15 -0500
Received: from lists.gnu.org ([209.51.188.17]:36146)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <code@greghogan.com>) id 1pT55g-0003fW-Jd
 for submit@debbugs.gnu.org; Fri, 17 Feb 2023 13:04:13 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <code@greghogan.com>)
 id 1pT55d-0002gD-Ke
 for guix-patches@gnu.org; Fri, 17 Feb 2023 13:04:09 -0500
Received: from mail-io1-xd2c.google.com ([2607:f8b0:4864:20::d2c])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <code@greghogan.com>)
 id 1pT55b-00077d-5c
 for guix-patches@gnu.org; Fri, 17 Feb 2023 13:04:09 -0500
Received: by mail-io1-xd2c.google.com with SMTP id x3so834790iov.5
 for <guix-patches@gnu.org>; Fri, 17 Feb 2023 10:04:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=greghogan-com.20210112.gappssmtp.com; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:from:to:cc:subject:date:message-id:reply-to;
 bh=oQPOmdrXJMFki0FjCqeLPJuj5Msb9o693KtjOT3x+rE=;
 b=A1WlVG9lKe3JmDhTcOLBvoijTt+GiOx+hbsdceSzDUjpLgzNjSpfJ6INsTQYmtKydA
 wevddguPZTiBKFaq7+cp3nIaq7mCuWGCLkqgX5htuBt5ra3onFFQW6gj1P9BkXkUJpdR
 UArLaZYXffJeZKGHseSXOfsaXs3+eiSj2mzKsD6Yp4/ZRPCEZUc2VHhDhoSWicof+19x
 dfGta2UMfsFy2dl6XeLbndlOOBfmZPH73H1h/UOA+x+vyJ5hgma4XhOpZQbcf2pKcijf
 oUGZW2iIX3iaxa61/rPvBaJm+6Cn7cDCd9BRkWE2zMwHxXXavfg7nu24lX7JzS9LZtuY
 H27Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=oQPOmdrXJMFki0FjCqeLPJuj5Msb9o693KtjOT3x+rE=;
 b=6hhuY8LvDFRzmoWjinHNhOhKFcAmYuba6UOmk/CwCV/shk5FXYS7JuWQFrPdZYuo53
 5Od1HpT5ewkI8apu0E5KvZvlXAYgh9ds+YrXhhd0L1YnHowJSG/TpIjQdfyqpY+ua8RO
 IE4vlgge4XkHgd3Y31bmi365pmuDvq7DwhaxYVcOYmRIb/a6FNn9fBTBDGUK4RHmAWAF
 EvtuFJfIfg2XpdC42DBSZQOutGUKNQi2kTM8qd3evb908eg6hG1DHkbLfvdnjC36VJIA
 NvVwFkKJiKLEkWqHXSgEc/QWYj/4Le0U6ccOMpGw1DeXpOtk0Nkx9A6A8E0R70fBBQm+
 uiRA==
X-Gm-Message-State: AO0yUKVHNuddXTn+6yB3+J44bKK2r6yDMzY5pAn3/Atlu2g16HsL0gaq
 zfGcLrE1tK37QIUi9tmxV26emXQBJrvMYxSWx8I=
X-Google-Smtp-Source: AK7set9AB+3N4VDDnelDpE24POqDUBac6eCkcparQNUUoA5uysuRqmb74N6P+G/ReoGcgbcMpwh4MA==
X-Received: by 2002:a05:6602:2dcd:b0:723:8cb5:6707 with SMTP id
 l13-20020a0566022dcd00b007238cb56707mr4775670iow.6.1676657045464; 
 Fri, 17 Feb 2023 10:04:05 -0800 (PST)
Received: from ip-172-31-19-121.us-east-2.compute.internal
 (ec2-18-220-33-245.us-east-2.compute.amazonaws.com. [18.220.33.245])
 by smtp.gmail.com with ESMTPSA id
 q4-20020a0566380ec400b003a970f21f9asm1625543jas.78.2023.02.17.10.04.04
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 17 Feb 2023 10:04:05 -0800 (PST)
From: Greg Hogan <code@greghogan.com>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 &
 CVE-2023-23946].
Date: Fri, 17 Feb 2023 18:04:02 +0000
Message-Id: <20230217180402.29401-1-code@greghogan.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: none client-ip=2607:f8b0:4864:20::d2c;
 envelope-from=code@greghogan.com; helo=mail-io1-xd2c.google.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_NONE=0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
Cc: Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

* gnu/packages/version-control.scm (git): Update to 2.39.2.

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 5de344e549..88df2c2aeb 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -225,14 +225,14 @@ (define git-cross-configure-flags
 (define-public git
   (package
    (name "git")
-   (version "2.39.1")
+   (version "2.39.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://kernel.org/software/scm/git/git-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0qf1wly7zagg23svpv533va5v213y7y3lfw76ldkf35k8w48m8s0"))))
+              "1mpjvhyw8mv2q941xny4d0gw3mb6b4bqaqbh73jd8b1v6zqpaps7"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
@@ -252,7 +252,7 @@ (define-public git
                 version ".tar.xz"))
           (sha256
            (base32
-            "0xf7ki90xw77nvmnkw50xaivyfi8jddfq0h8crzi7m9zjs7aa8mm"))))
+            "09cva868qb4705s884dzvbwkm78jlw4q8m6xj7nd7cwxy2i2ff8b"))))
       ;; For subtree documentation.
       ("asciidoc" ,asciidoc)
       ("docbook-xsl" ,docbook-xsl)
-- 
2.39.2





From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 20 06:44:42 2023
Received: (at 61583) by debbugs.gnu.org; 20 Feb 2023 11:44:42 +0000
Received: from localhost ([127.0.0.1]:50704 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pU4b4-0005uF-15
	for submit@debbugs.gnu.org; Mon, 20 Feb 2023 06:44:42 -0500
Received: from mail-wr1-f44.google.com ([209.85.221.44]:41937)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1pU4b2-0005tx-0d
 for 61583@debbugs.gnu.org; Mon, 20 Feb 2023 06:44:40 -0500
Received: by mail-wr1-f44.google.com with SMTP id z8so563574wrm.8
 for <61583@debbugs.gnu.org>; Mon, 20 Feb 2023 03:44:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1676893474;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
 :reply-to; bh=d239PAm6f+msN6hlRaDFIph3UqRs0w728ALGwpWmHvo=;
 b=bJFjmdAAwjwAh0bty0b8qFswNjVj41+y16anncnZKeZTH1wi9K7e32o9WN155LFAYG
 yoS36VrZhsOqR2ed9Is1G8jANEP1RLRAOA38r57r01P2I9HbB2vIPtJKCwEP0AcvIqiC
 0id2jZ3zZT8mLk48EVN7yVTRkJgdPS1Tz8D1TTBh14xMHZ2g8hhlvAdTJmYRT5CwhTfo
 /LSydx3khpqPp97M3H2TgAe0C2/DX4Iiju6VeJT7J86MZsFCym05KhVye6N62gG0SLcH
 0ZmzhVmHAGGEe5gdSXaJOi1nU/LAzm4uEzUS1m2acbgGdqHjIkz4kJWoj7B8Y0aldPzk
 rdhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1676893474;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=d239PAm6f+msN6hlRaDFIph3UqRs0w728ALGwpWmHvo=;
 b=dcy8mFvILonKTPMzr+PdK40tITYLgQznzkLzFn3ceeGnOMul+NqdQhXd8b2Ib9j823
 swvKjqVtY4Z/vG3xJazTMw4ikrUHTbSqF4B/dbCZuV1NV+uxTPUEptPAxOj/CnAvFtPW
 86qLIwE7e2vsfAQnGHjbbkMkNe+/3Ma/BWqfou3xDLeGj9DZi9Wrn1L19EMWbwtbVf0O
 oCIUGxy90/TG/T4HTiz2C9w+yRP4SvZckjC09pCE8apecdgZExeKNZ54csJ5zB1m6xX7
 aC/G+i7x8m/tSHk/pAdSjxwDVLBCifxKO8iM6myqJHVn5nPrFNspbWSV73/rCiPhUFpm
 0XyQ==
X-Gm-Message-State: AO0yUKUofO3iGHDROMIR7ca3b3UQCfQGw51HKV+tIgOguWSOZ01BIW0Y
 0kwS6RRuUwPXIv9/1GvKGSu5y8M7nl4=
X-Google-Smtp-Source: AK7set/kGwfF81kVhQ2PC4UCqxGPlNhDQWw6SVGZ0FvW/AOo4v1mzuduLqGZhvG1yBbWcEX/9gaEJQ==
X-Received: by 2002:a5d:6392:0:b0:2c5:944d:44d with SMTP id
 p18-20020a5d6392000000b002c5944d044dmr780547wru.2.1676893474013; 
 Mon, 20 Feb 2023 03:44:34 -0800 (PST)
Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id
 x15-20020adff64f000000b002c406b357cfsm2150344wrp.86.2023.02.20.03.44.33
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 20 Feb 2023 03:44:33 -0800 (PST)
From: Simon Tournier <zimon.toutoune@gmail.com>
To: Greg Hogan <code@greghogan.com>, 61583@debbugs.gnu.org
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
In-Reply-To: <20230217180402.29401-1-code@greghogan.com>
References: <20230217180402.29401-1-code@greghogan.com>
Date: Mon, 20 Feb 2023 12:44:23 +0100
Message-ID: <87y1os36js.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

On ven., 17 f=C3=A9vr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:
> * gnu/packages/version-control.scm (git): Update to 2.39.2.

As noticed previously for an update of Git, this implies a lot of
rebuilds because git-minimal inherits from git.

Well, I am checking if git-minimal is used only for the tests by some of
the packages.

For sure, it is a concern since it is a security fixes.

Cheers,
simon




From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 03 14:14:18 2023
Received: (at 61583) by debbugs.gnu.org; 3 Mar 2023 19:14:18 +0000
Received: from localhost ([127.0.0.1]:34001 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYArC-0003Xn-EW
	for submit@debbugs.gnu.org; Fri, 03 Mar 2023 14:14:18 -0500
Received: from mail-wr1-f44.google.com ([209.85.221.44]:40824)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1pYAr9-0003XZ-SQ
 for 61583@debbugs.gnu.org; Fri, 03 Mar 2023 14:14:16 -0500
Received: by mail-wr1-f44.google.com with SMTP id t15so3277203wrz.7
 for <61583@debbugs.gnu.org>; Fri, 03 Mar 2023 11:14:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1677870850;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
 :reply-to; bh=Zb/9yrxbNdkFpZt9EHJ4Bd00lp5y/n8zQHNGnNn0FfM=;
 b=HCZRhpOO2LBreglereiERwy3CaBP1Zy+wKt0CiSURAHvm99zuzV4UK7yScSejThT9W
 HwmwlfkoGBEQBfxybBvUI2Vmp3sUq8fwAgT69KxxZVRLTnYH9m1YCEY9PrZgGe6tRIux
 gWL+C+kWMibTMJ34SNRguLcgU6OjlAgqgcXpA6DHLq5cw9rjs83qM3Jl1ciYCmk6iwim
 LnEmILgxYJNCL5GdgDY7Cc1o5VkDGktpO0Sn67uanS7/h7pKCCpxTdwn3bzmCkJlNkAK
 K1R1warm/L5g8KogpErIQ7ubW6sDNo5dR5ySjxuBL9QE9G2xfbkune15xbNEHn1LlpVs
 ONPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1677870850;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=Zb/9yrxbNdkFpZt9EHJ4Bd00lp5y/n8zQHNGnNn0FfM=;
 b=655Qch3EFPVNqlGe/kZpqJaIy/zwy2BF1t4N0+l70/IYGhhxTkx4kE+3Rxwre5/qt6
 XwKTvFPx7Iq3t+Jn+yD6rQJl/AH0cLcHbO/4VTM5uIgOnvDXl8Zc4yf/Of/B+8T4PG8+
 I3YyguqPN6nkWLYEWpPCT7ub5v1yBgHU7zl3UlVtiWnqfxR48afo4XYOg+80vDAoyBR+
 4/oq1Ae5CXCrZtwUpU9PlpON3ZfZPBeWbVxmASVVsyFYd5DD6032nPhEf78dTG8RJiNC
 P7eZ4TbKT2Y4DSxpFN1Soy26i3MWM64QJPMzK1vhUORlViTV0O7trQu4NQ8KICC1FIoP
 2vcg==
X-Gm-Message-State: AO0yUKWFDy1k8tddBSYxhnHn60tSCI5v1tv1+uyMB+3XbC1SEl1AnNCv
 YSU1j+oha0GfEjB8yka3ysA=
X-Google-Smtp-Source: AK7set9Qh3CI66u2T53HajJ528aG2WXjol/yREZUmpHEc1s5zKu9G3bhBq64MK58lcNl3Jyqe9ooXQ==
X-Received: by 2002:adf:e5cf:0:b0:2c7:940c:26f8 with SMTP id
 a15-20020adfe5cf000000b002c7940c26f8mr1869130wrn.5.1677870849978; 
 Fri, 03 Mar 2023 11:14:09 -0800 (PST)
Received: from lili (roam-nat-fw-prg-194-254-61-42.net.univ-paris-diderot.fr.
 [194.254.61.42]) by smtp.gmail.com with ESMTPSA id
 z11-20020a5d654b000000b002c70f5627d5sm2859420wrv.63.2023.03.03.11.14.09
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 03 Mar 2023 11:14:09 -0800 (PST)
From: Simon Tournier <zimon.toutoune@gmail.com>
To: Greg Hogan <code@greghogan.com>, 61583@debbugs.gnu.org,  Christopher
 Baines <mail@cbaines.net>, Josselin Poiret <dev@jpoiret.xyz>, Ludovic
 =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>, Mathieu Othacehe
 <othacehe@gnu.org>, Ricardo
 Wurmus <rekado@elephly.net>, Simon Tournier <zimon.toutoune@gmail.com>,
 Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
In-Reply-To: <87y1os36js.fsf@gmail.com>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com>
Date: Fri, 03 Mar 2023 20:14:07 +0100
Message-ID: <867cvxzlz4.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

CC: core team

On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune@gmail.com> wro=
te:

> On ven., 17 f=C3=A9vr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wro=
te:

>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>
> As noticed previously for an update of Git, this implies a lot of
> rebuilds because git-minimal inherits from git.

Well, I locally rebuilt all and maybe a couple of packages break.  The
rebuild is intensive and I do not know if such update should to master
or core-updates and/or use some grafts.

For instance, QA is still saying nothing after 12 days.

    https://qa.guix.gnu.org/issue/61583


> Well, I am checking if git-minimal is used only for the tests by some of
> the packages.

I have tried to replace the plain =E2=80=99git=E2=80=99 or =E2=80=99git-min=
imal=E2=80=99 by
=E2=80=99git-minimal/pinned=E2=80=99 for some packages.  It does not change=
 much.


> For sure, it is a concern since it is a security fixes.

Hum, we are not very reactive. :-)


Cheers,
simon




From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 03 14:34:07 2023
Received: (at 61583) by debbugs.gnu.org; 3 Mar 2023 19:34:07 +0000
Received: from localhost ([127.0.0.1]:34022 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYBAN-00043b-2B
	for submit@debbugs.gnu.org; Fri, 03 Mar 2023 14:34:07 -0500
Received: from tobias.gr ([80.241.217.52]:60974)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1pYBAL-00043T-He
 for 61583@debbugs.gnu.org; Fri, 03 Mar 2023 14:34:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=rbklxMxW7/QqS
 rMV7Gebgrmvx5/qy5fgHL0RIrL8mC0=;
 h=in-reply-to:date:subject:cc:to:
 from:references; d=tobias.gr; b=YJyuFzFGf3pSNksdNnwXBzWJfDqMlHcT0wxMw3
 p1ESMCd8zcQQMSRyUvfqVZdNK21h07fh/aGvgxKJzPx8MWRRw6lz1STwk1d6udjYiv7gA7
 KH2d7mzM5n162MFi5GX8Bna3yM6e7eiOOjnTes4c9+6d0znl0megWT2oWGchFBoQjia7aT
 CFGk1htgbV5L1Jh2F4pxY6QVXGosAMLCt5uJyU+O4O0omOUocA4dNK5rFMbGw9zoa5Ftld
 H7FR6yNyhYSssg5CvKLCoa7iIDMORH3Az6tep9hXBb8aRHj+P5fegJkAWClRxknt7IxIwA
 TgJC06AH5VwO+MwF2lA/xFpA==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id d6e65741
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Fri, 3 Mar 2023 19:34:01 +0000 (UTC)
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <867cvxzlz4.fsf@gmail.com>
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Simon Tournier <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Date: Fri, 03 Mar 2023 20:33:59 +0100
In-reply-to: <867cvxzlz4.fsf@gmail.com>
BIMI-Selector: v=BIMI1; s=default;
Message-ID: <87fsaly6d7.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: Josselin Poiret <dev@jpoiret.xyz>, 61583@debbugs.gnu.org,
 Mathieu Othacehe <othacehe@gnu.org>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>,
 Christopher Baines <mail@cbaines.net>, Greg Hogan <code@greghogan.com>,
 Ricardo Wurmus <rekado@elephly.net>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi,

I'd ask =E2=80=98why can we not simply graft this=E2=80=99 but=E2=80=A6

Simon Tournier =E5=86=99=E9=81=93=EF=BC=9A
>> As noticed previously for an update of Git, this implies a lot=20
>> of
>> rebuilds because git-minimal inherits from git.
>
> Well, I locally rebuilt all and maybe a couple of packages=20
> break.  The
> rebuild is intensive and I do not know if such update should to=20
> master
> or core-updates and/or use some grafts.

Packages that built with .1 break with .2?  That's not a very=20
semantic versioning :-/

What broke?  Then I can test just those.

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCZAJMRA0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15D7cA/iN/ALqFYQWQY9vJGkGSdU+4K/YidIQne56yLLRo
aaXfAQDs2X0GpfeHDLmCMqnpEBhkxYtrI+v55bMbjy5IwFOwAg==
=wF2N
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 03 16:57:11 2023
Received: (at 61583) by debbugs.gnu.org; 3 Mar 2023 21:57:11 +0000
Received: from localhost ([127.0.0.1]:34085 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYDOp-0007bX-3O
	for submit@debbugs.gnu.org; Fri, 03 Mar 2023 16:57:11 -0500
Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:39565)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1pYDOm-0007bG-9a
 for 61583@debbugs.gnu.org; Fri, 03 Mar 2023 16:57:09 -0500
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47])
 by mailout.west.internal (Postfix) with ESMTP id 0401F3200035;
 Fri,  3 Mar 2023 16:57:00 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute6.internal (MEProxy); Fri, 03 Mar 2023 16:57:01 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:cc:content-transfer-encoding:content-type:content-type
 :date:date:from:from:in-reply-to:in-reply-to:message-id
 :mime-version:references:reply-to:sender:subject:subject:to:to;
 s=mesmtp; t=1677880620; x=1677967020; bh=VTqyzzLHVdmat+w/ytwKqA
 qxrx5oBz4Od7Pj3DI5vso=; b=i8j3WE4FjdDIqV1ZufEElXvlSVPklISVTZ2MuI
 SwMBza+atNmLAI/zX8TGH2WIhnFtpNV4ZNiQIu2fSqES3gTHORFPSIrV4Ekh6/8N
 t1yUShAOWTdh6HvR/pE6N3tThiM9XYAgN8DM6Tzees1DqXOlZb4uDDENdqfshnv2
 dek1E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:content-type:date:date:feedback-id:feedback-id
 :from:from:in-reply-to:in-reply-to:message-id:mime-version
 :references:reply-to:sender:subject:subject:to:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=
 1677880620; x=1677967020; bh=VTqyzzLHVdmat+w/ytwKqAqxrx5oBz4Od7P
 j3DI5vso=; b=PmxrSFzsHmLIoT+95L7ZmuzC6llpqHAxeRzuRSv8k8AgGQWJ3E8
 emO7V5mP8w1d7mdeuewFbXxouc6HA/W/pbCLYn4xiQM9WF0xHH1rNwuNZu8ee0PC
 K8NzskOEMTR8Op6U6IcwPh66cGWpwYVueWvrcqHPa63YeK0zlNLYSTiCfjf9cgnR
 THflvWbvZcn+YAlW99mlDd0vWNqt6mPqtR1TUz2QVFG6uZfXjtEfn8FfYH27rSW/
 8bMTkQoim2BxkuolDdk+XLOjKaJ8cG4BhJuV5L6Wrte4mmbXTycgk58vK4tjDfBE
 t6nmSgaR1UuQRA39KOjajmIAneZGXPHfg1g==
X-ME-Sender: <xms:LG0CZGVgBJG5gE0cCtQEPBufKKJe53HlDy8AnCWzWMfMGfOkWgpu1g>
 <xme:LG0CZCnliWjQZRE6JFeBii2cSr9-9aQVhr-DwJzTVwEJMbq-biM-JiAt_F1Nl9Ehb
 GIUmUuieK56zovpPQ>
X-ME-Received: <xmr:LG0CZKbAxS0ryLFFZZ49jJm_pHYUcLtUd5BRkkalMXXQO42RKYxjNDfXyvog-UXd3N_ofHtUY3-_2smB62Jgg3Yr>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrudelledgudeglecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvfevuffkfhggtggugfgjse
 htkeertddttddunecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghm
 uhhlrghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeegvdduhfduuedugefgvefgue
 dvheevffefvdeltefgveeftdekiedvkeeuhedvvdenucevlhhushhtvghrufhiiigvpedt
 necurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:LG0CZNWWM_pPZBKz8WzOYcWMIV4Mg2HmZM9RqzbwOXfTCrxFE0CEKQ>
 <xmx:LG0CZAlbGuCV3SWem18SDXMvXEV8l3NImta1ec7a6n8kc5-rzqhPRQ>
 <xmx:LG0CZCd1NVSsWASSS-o7u-FgAIGY5lSsLAEyTPISO_c76hjtet4MGQ>
 <xmx:LG0CZMvHdH5TtHiC7UFjDyncmzYu62tAbif05HjLyU-5gQVOVb7yyA>
Feedback-ID: i819c4023:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri,
 3 Mar 2023 16:57:00 -0500 (EST)
Date: Fri, 3 Mar 2023 16:56:58 -0500
From: Leo Famulari <leo@famulari.name>
To: Simon Tournier <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Message-ID: <ZAJtKtBBc+tZeBlX@jasmine.lan>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87y1os36js.fsf@gmail.com>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Mon, Feb 20, 2023 at 12:44:23PM +0100, Simon Tournier wrote:
> On ven., 17 févr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wrote:
> > * gnu/packages/version-control.scm (git): Update to 2.39.2.
> 
> As noticed previously for an update of Git, this implies a lot of
> rebuilds because git-minimal inherits from git.

------
$ guix refresh -l git-minimal
Building the following 43 packages would ensure 69 dependent packages are rebuilt: r-biocpkgtools@1.16.0 r-biocthis@1.8.1 r-biocworkflowtools@1.24.0 r-golem@0.3.5 r-megadepth@1.8.0 r-chromunity@0.0.1-1.09fce8b r-rnaseqdtu@2.0-1.5bee1e7 r-spectre@0.5.5-1.f6648ab r-battenberg@2.2.9 r-chemometricswithr@0.1.13 r-adapr@2.0.0 r-activpal@0.1.3 rust-git2-6@0.6.11 rust-git2@0.15.0 rust-git2@0.13.24 rust-git2@0.11.0 rust-git2@0.14.4 rust-git2@0.9.1 emacs-libgit@0.0.1-1.ab1a53a nuspell@3.1.2 kicad-doc@7.0.0 musescore@4.0.1 python-oslosphinx@4.18.0 conan@1.50.0 python-jupytext@1.14.1 snakemake@7.7.0 vorta@0.8.7 clipper@2.0.1 gnome@42.4 mate@1.24.1 r-prereg@0.6.0 python-ipython-documentation@8.2.0 python-numpy-documentation@1.21.6 nototools@0.2.16 python-clorm@1.4.1 python-telingo@2.1.1 python-screenkey@1.4 mbed-tools@7.53.0 snakemake@6.15.5 emacs-ghq@0.1.2 pre-commit@2.20.0 gitless@0.8.8 vlang@0.2.4
------

That's not a significant number of packages.

Overall, git and git-minimal will cause more than 300 rebuilds, but not
too many for the current state of the build farm.

Concretely, why can't we push this to master immediately?




From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 03 22:39:31 2023
Received: (at 61583) by debbugs.gnu.org; 4 Mar 2023 03:39:31 +0000
Received: from localhost ([127.0.0.1]:35043 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYIk7-0002EU-AK
	for submit@debbugs.gnu.org; Fri, 03 Mar 2023 22:39:31 -0500
Received: from mail-qt1-f178.google.com ([209.85.160.178]:44006)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1pYIk6-0002EH-0s
 for 61583@debbugs.gnu.org; Fri, 03 Mar 2023 22:39:30 -0500
Received: by mail-qt1-f178.google.com with SMTP id cf14so5118810qtb.10
 for <61583@debbugs.gnu.org>; Fri, 03 Mar 2023 19:39:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=content-transfer-encoding:mime-version:user-agent:message-id
 :in-reply-to:date:references:subject:cc:to:from:from:to:cc:subject
 :date:message-id:reply-to;
 bh=oXtSAhaMSvb7wa3DpYbH9ZCiGWMXaqYQf8OpPqeQiYo=;
 b=XQW/HBsFGcMpppiPi65Ms6oaF6rBiyuqsWmbChGzpGfUO1WzqYSCiJ0tRLTtCfI3yq
 WufLEBZlRTqG5cY/ObMdLJ+XhBTkktlB2xQFUy7c4CQdaOF24NTDFZoPfZsRIVk1Nduj
 K7MF93YJ8xeEuivrtqnQhtl53sikvDgKXig/AFBcLCYvKW/KeJmC0jt62GvbiXr7kfvN
 NooANgqXJibR25XKhm/8fML3KwVft9LoofwiEHYKiCS43uy5FhKTvqpmwUzKTksdmO16
 rLw7sZx/4MPUr7Gn4Y3fwhODGR1/R7xPOhVbCoWlwyHQXMkyjDFCihk6aNo0QHCnc315
 8Hnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:user-agent:message-id
 :in-reply-to:date:references:subject:cc:to:from:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=oXtSAhaMSvb7wa3DpYbH9ZCiGWMXaqYQf8OpPqeQiYo=;
 b=YZHQ3HmZWI1sV6aye4Yh6xOPjhyVff5bVWJe4Z+lXYYj1wc2SJzfoyrWj0UBGZwsX7
 ZNVE4wz1h+tZYNv4KNJsfwdnfyFiEJg7BU6Gzw9dPJvWXfFs3CCXQej0b7C1npzWM2yJ
 DMN4oHorMKhHWJ+2mymYNul4VbYhVxo7ag055OX3eYddQAl7QJ8gjL1kSvyAep2eYt5S
 uizo8QlAnyZPBkO8zidAZGcnYtb8vsuruiAeOiFndO1KxjeJ6s3p33Ca5JzrjpDq2ISP
 PeFCJcUzukCm69vhQ7tgFBR7Jgms05maN64glE34s7/QlLlrQ4TA1zmGsb9T9uF3DB7i
 flbw==
X-Gm-Message-State: AO0yUKX27NovMRjxxxgAIIMhK0GtIIzOMO/a7gGUl4AjJga2iX9YueZT
 B0IzRpxWyD9VJiT/JsZOeAE=
X-Google-Smtp-Source: AK7set+CIa2nBLmoYoI90RvzKcohTR6nG5zYWWP24fxauW7KOKdrKxj9W8mnoSTN6Ba+zBUmID7RlQ==
X-Received: by 2002:ac8:5906:0:b0:3bf:bb9a:8e44 with SMTP id
 6-20020ac85906000000b003bfbb9a8e44mr7153917qty.4.1677901164550; 
 Fri, 03 Mar 2023 19:39:24 -0800 (PST)
Received: from hurd (dsl-10-129-180.b2b2c.ca. [72.10.129.180])
 by smtp.gmail.com with ESMTPSA id
 d11-20020a05620a158b00b0073b8745fd39sm2951557qkk.110.2023.03.03.19.39.23
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 03 Mar 2023 19:39:24 -0800 (PST)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Simon Tournier <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <867cvxzlz4.fsf@gmail.com>
Date: Fri, 03 Mar 2023 22:39:23 -0500
In-Reply-To: <867cvxzlz4.fsf@gmail.com> (Simon Tournier's message of "Fri, 03
 Mar 2023 20:14:07 +0100")
Message-ID: <87v8jh2nis.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: Josselin Poiret <dev@jpoiret.xyz>, Tobias Geerinckx-Rice <me@tobias.gr>,
 61583@debbugs.gnu.org, Mathieu Othacehe <othacehe@gnu.org>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>,
 Christopher Baines <mail@cbaines.net>, Greg Hogan <code@greghogan.com>,
 Ricardo Wurmus <rekado@elephly.net>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Simon,

Simon Tournier <zimon.toutoune@gmail.com> writes:

> Hi,
>
> CC: core team
>
> On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune@gmail.com> w=
rote:
>
>> On ven., 17 f=C3=A9vr. 2023 at 18:04, Greg Hogan <code@greghogan.com> wr=
ote:
>
>>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>>
>> As noticed previously for an update of Git, this implies a lot of
>> rebuilds because git-minimal inherits from git.
>
> Well, I locally rebuilt all and maybe a couple of packages break.  The
> rebuild is intensive and I do not know if such update should to master
> or core-updates and/or use some grafts.
>
> For instance, QA is still saying nothing after 12 days.
>
>     https://qa.guix.gnu.org/issue/61583
>
>
>> Well, I am checking if git-minimal is used only for the tests by some of
>> the packages.
>
> I have tried to replace the plain =E2=80=99git=E2=80=99 or =E2=80=99git-m=
inimal=E2=80=99 by
> =E2=80=99git-minimal/pinned=E2=80=99 for some packages.  It does not chan=
ge much.
>
>
>> For sure, it is a concern since it is a security fixes.
>
> Hum, we are not very reactive. :-)

I think the number of rebuilt packages is in the thousands, so that's a
core-updates change.  On master it should be grafted instead, if that's
possible.

--=20
Thanks,
Maxim




From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 03 22:45:07 2023
Received: (at 61583) by debbugs.gnu.org; 4 Mar 2023 03:45:07 +0000
Received: from localhost ([127.0.0.1]:35052 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYIpX-0002NA-41
	for submit@debbugs.gnu.org; Fri, 03 Mar 2023 22:45:07 -0500
Received: from wout3-smtp.messagingengine.com ([64.147.123.19]:36961)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1pYIpT-0002MJ-W4
 for 61583@debbugs.gnu.org; Fri, 03 Mar 2023 22:45:06 -0500
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.west.internal (Postfix) with ESMTP id AB50532004CE;
 Fri,  3 Mar 2023 22:44:57 -0500 (EST)
Received: from imap48 ([10.202.2.98])
 by compute5.internal (MEProxy); Fri, 03 Mar 2023 22:44:58 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:cc:content-transfer-encoding:content-type:content-type
 :date:date:from:from:in-reply-to:in-reply-to:message-id
 :mime-version:references:reply-to:sender:subject:subject:to:to;
 s=mesmtp; t=1677901497; x=1677987897; bh=zS/UH9ta8nD7xxXc6jYpfc
 x/BJwEaDAbpAYfG+wNRqM=; b=hBpkOtmr/iw8jDM36vixHM0X4CeIeSS43u18Vj
 udXh1DkF17TAjLbAyBpJusS4zpYmcilF4RdyBIxsFJGrV5N33hf7shGtbswEnk/t
 zq5qFpKTL8KwUBwSrGmWXcYrXR8Vv0r5ZLPcb2Yj/qEQqn3xHSSQYRlXPCzI4suR
 1I9LM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:content-type:date:date:feedback-id:feedback-id
 :from:from:in-reply-to:in-reply-to:message-id:mime-version
 :references:reply-to:sender:subject:subject:to:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=
 1677901497; x=1677987897; bh=zS/UH9ta8nD7xxXc6jYpfcx/BJwEaDAbpAY
 fG+wNRqM=; b=ICzRnU4dF+RqV3SueqabvRduDeNLWcIDBofAVvQHfds6hPaIe+H
 AqCsru520Fbf+wpC18+QOng+2hIONHEPRrIrteiSHub1fKsh/24X/Ab7FBJ2Vt6l
 HPDm4xl128yxIdJtNVSwcKuIdfwVJJUf19CozSI1QkLcrkfOczRoDPCjbOl+gLyl
 mKJWjuDQRoCRyhUJAcjekNI5lhrAtFLuGI9/tAR1yJtobQ8Y6h9f0V2G5hI9Lcpg
 1T83VIvby6oRn3aLg5IGmV2lr+tOnrHP9KqFKXqxq3ipk5BvcMWSIfhsWacj+LJz
 RS2+8JvqWL71VfYMbYJ9aweMAYLE+ZvrODw==
X-ME-Sender: <xms:uL4CZCpv6cPrWmCsnplABpbhW9st95RYwgG8RERfZCc1s_XFiUShvw>
 <xme:uL4CZAot8lKnNhDDZHycxuhMMfiAEggnZS2lTgx5WtP1_dLAlnwHbiWWbkmGPZBho
 PZ35RPGJaGy7r36Dw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddttddgheelucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
 cujfgurhepofgfggfkjghffffhvfevufgtgfesthhqredtreerjeenucfhrhhomhepfdfn
 vghoucfhrghmuhhlrghrihdfuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecugg
 ftrfgrthhtvghrnhepkedthefhkedtudetgffhveelhefhheegtefgjeetueevfedvfeek
 ueeggedvueeinecuffhomhgrihhnpehgnhhurdhorhhgnecuvehluhhsthgvrhfuihiivg
 eptdenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghm
 vg
X-ME-Proxy: <xmx:uL4CZHOBLA5hNHJeAFGqGM6W4iuCcWIWCwBnv7dZcw_109Q8lqeapA>
 <xmx:uL4CZB7cJ1rqC16CvRiRlAz8XR92qHoq9IeYrr53OjjdxXkJa7gtjg>
 <xmx:uL4CZB5xp147XVs6i4yGYYAlFPbIJItwElAROJuDYDRcJYECGugsIQ>
 <xmx:ub4CZMYNyQ7QkvX3-nM6l_gOPtzQS10OJYW9N7oNj4gXSP07yYgwkw>
Feedback-ID: i819c4023:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
 id 8C2BA31A0063; Fri,  3 Mar 2023 22:44:56 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-183-gbf7d00f500-fm-20230220.001-gbf7d00f5
Mime-Version: 1.0
Message-Id: <93db0716-b8f4-4918-a5ed-cbc0d60076f4@app.fastmail.com>
In-Reply-To: <87v8jh2nis.fsf@gmail.com>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <867cvxzlz4.fsf@gmail.com>
 <87v8jh2nis.fsf@gmail.com>
Date: Fri, 03 Mar 2023 22:44:26 -0500
From: "Leo Famulari" <leo@famulari.name>
To: "Maxim Cournoyer" <maxim.cournoyer@gmail.com>,
 zimoun <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 61583
Cc: Josselin Poiret <dev@jpoiret.xyz>, Christopher Baines <mail@cbaines.net>,
 61583@debbugs.gnu.org, Mathieu Othacehe <othacehe@gnu.org>,
 =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>,
 Tobias Geerinckx-Rice <me@tobias.gr>, Greg Hogan <code@greghogan.com>,
 Ricardo Wurmus <rekado@elephly.net>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Fri, Mar 3, 2023, at 22:39, Maxim Cournoyer wrote:
> Hi Simon,
>
> Simon Tournier <zimon.toutoune@gmail.com> writes:
>
>> Hi,
>>
>> CC: core team
>>
>> On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune@gmail.co=
m> wrote:
>>
>>> On ven., 17 f=C3=A9vr. 2023 at 18:04, Greg Hogan <code@greghogan.com=
> wrote:
>>
>>>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>>>
>>> As noticed previously for an update of Git, this implies a lot of
>>> rebuilds because git-minimal inherits from git.
>>
>> Well, I locally rebuilt all and maybe a couple of packages break.  The
>> rebuild is intensive and I do not know if such update should to master
>> or core-updates and/or use some grafts.
>>
>> For instance, QA is still saying nothing after 12 days.
>>
>>     https://qa.guix.gnu.org/issue/61583
>>
>>
>>> Well, I am checking if git-minimal is used only for the tests by som=
e of
>>> the packages.
>>
>> I have tried to replace the plain =E2=80=99git=E2=80=99 or =E2=80=99g=
it-minimal=E2=80=99 by
>> =E2=80=99git-minimal/pinned=E2=80=99 for some packages.  It does not =
change much.
>>
>>
>>> For sure, it is a concern since it is a security fixes.
>>
>> Hum, we are not very reactive. :-)
>
> I think the number of rebuilt packages is in the thousands, so that's a
> core-updates change.  On master it should be grafted instead, if that's
> possible.

`guix refresh -l git git-minimal` shows only hundreds of rebuilds. Am I =
missing something?




From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 04 05:31:12 2023
Received: (at 61583) by debbugs.gnu.org; 4 Mar 2023 10:31:12 +0000
Received: from localhost ([127.0.0.1]:35278 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYPAW-0007JH-38
	for submit@debbugs.gnu.org; Sat, 04 Mar 2023 05:31:12 -0500
Received: from jpoiret.xyz ([206.189.101.64]:43260)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dev@jpoiret.xyz>) id 1pYPAU-0007JA-Ku
 for 61583@debbugs.gnu.org; Sat, 04 Mar 2023 05:31:11 -0500
Received: from authenticated-user (jpoiret.xyz [206.189.101.64])
 by jpoiret.xyz (Postfix) with ESMTPA id 07215184F2B;
 Sat,  4 Mar 2023 10:31:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim;
 t=1677925868;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=UtTT5oTfrFgTkUlJm79KTL08nGfN+NocUEwj6Nl4Lnk=;
 b=nt2YpsiJlgA1Qkfw0NZ/Tp0EGaqQogazK/kIwRl2SUVF0Y1roxbIOSRfbPdis6akQfe2Kn
 4Es25DK8usy7i2uinOXLqY2IPKjzdvzsowiQX82SXoHiHgZgQ8MqSSbgOqFk0MFxK9+RwW
 nKPQNlXebtu0sPOYIWbqOYyLV+p6OAauoeIGhQSMqvfYoSgG1J9cFryjf0NsUxOQ2yt9Ue
 XDT3oSYJowO7mzDRsi2FaCDPIco/bX2m9fQqbaQZeArL9eb+BmLlpub+hscVrhdxXOG/SZ
 vRdfYclQvs6UHd6cfXt8WP+v2NWwNEvgz9LSJ6KW/RSzUwRAWCav9qyPhwBr6g==
From: Josselin Poiret <dev@jpoiret.xyz>
To: Leo Famulari <leo@famulari.name>, Simon Tournier <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
In-Reply-To: <ZAJtKtBBc+tZeBlX@jasmine.lan>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
Date: Sat, 04 Mar 2023 11:30:57 +0100
Message-ID: <87ilfgreou.fsf@jpoiret.xyz>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Authentication-Results: jpoiret.xyz;
 auth=pass smtp.auth=jpoiret@jpoiret.xyz smtp.mailfrom=dev@jpoiret.xyz
X-Spam-Level: *
X-Spamd-Bar: +
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi Leo,

Leo Famulari <leo@famulari.name> writes:

> That's not a significant number of packages.
>
> Overall, git and git-minimal will cause more than 300 rebuilds, but not
> too many for the current state of the build farm.
>
> Concretely, why can't we push this to master immediately?

`guix refresh` is not great for core packages: it only detects things
that depend on other packages through inputs. Here though, git is used
indirectly by git-fetch origins, and would affect the dependency graph a
lot more.  I think this should be grafted to avoid too many rebuilds,
and ungrafted on core-updates (maybe now, maybe after the big
core-updates merge).

Best,
=2D-=20
Josselin Poiret

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQHEBAEBCAAuFiEEOSSM2EHGPMM23K8vUF5AuRYXGooFAmQDHeEQHGRldkBqcG9p
cmV0Lnh5egAKCRBQXkC5FhcaijmpC/0cziOPEjskRj0K2Y/sps8iY0ca6dO/1CAV
DSnUU7BcAa+g3LxTrt5zMg6iAtvbGS3sjkIQjveGdfHJhovsn1qr+hcQvQjWp9FG
2/91xHM32QbMhn2b3QZ18jVc1oJoOrzg2Mg1WbAAz370KeeaDNv0b25NGh0A679U
bhHtdRS7LB+pr4AaUBh6XwS6PO4u8DbGNsBfFnem5QUawUqg6cgQDjYt4zcJV+Rv
LZhg20ht7EEyiaIpvOlogcgFMIpXZwJ5ATEN7CiCHQQNGaSxKS5V+s0Lbk9gVtrd
wBFJnW8Qs+/LBbCjd9PcUTBYRpqoSeus87ymBXkPx51ox8AhlEcSOu+uZ2Rf+YM5
oQ2qAqsJLmG4/NLKvoqULvQOSNzlhUZmtSoTIAqn9oyT/0SKN+LM3sqNKktsGALF
7ob/VDZas6D7RrPC70qpsbxYKYm+zgZzMNrGKowEBcyNyUe2nz3AL3zbe99cTaMA
2FAdaCkaaIu/YSH69F5P2T8ASaIKh6Q=
=p2Vf
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 04 09:41:38 2023
Received: (at 61583) by debbugs.gnu.org; 4 Mar 2023 14:41:38 +0000
Received: from localhost ([127.0.0.1]:35635 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYT4s-0001xO-Gh
	for submit@debbugs.gnu.org; Sat, 04 Mar 2023 09:41:38 -0500
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:59937)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1pYT4p-0001x9-S4
 for 61583@debbugs.gnu.org; Sat, 04 Mar 2023 09:41:36 -0500
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 7EEDC5C00C8;
 Sat,  4 Mar 2023 09:41:30 -0500 (EST)
Received: from imap48 ([10.202.2.98])
 by compute5.internal (MEProxy); Sat, 04 Mar 2023 09:41:30 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:cc:content-type:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:sender:subject:subject:to:to; s=mesmtp; t=1677940890;
 x=1678027290; bh=lWgsFHtpN8+S3c3mYs4hsi6yOUwzxz66+DGtiVgER7k=; b=
 arO9N8vw5DWz7LPyPbNFpgc1bpi7/hdrVaGCW/w02uz8EWOc+oaDaPra3JSnswWz
 EIvK1YhJ658Sp5U/47G0etFDKYAr1AoXoy1PP7u4J2FXMyL/3XXa8kE33dEMowdz
 nBU6MK+74qOC6szU/cruIyhA0LdW2buDP02GeyQ+qSM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-type:content-type:date:date
 :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
 :message-id:mime-version:references:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm1; t=1677940890; x=1678027290; bh=lWgsFHtpN8+S3
 c3mYs4hsi6yOUwzxz66+DGtiVgER7k=; b=HrUGXJETQbTDaS5cpYoL4YrGxb7HZ
 uJgOJtmU0YiDTqRVggmxTIG3qMjwkKX9FjndN7dIw2BezcunheL2noaMuSo4JWIs
 I8SYVsZ2TloZTFvsJaH1FEJJtX7fbz+kLauQjEvixSmHh3bjiXVWjPdsELhxcuh2
 Uv0wIog5bFiXcAjny1Zl8qMrRcd6zkTrqd32JH4jRjexM5Xs8wGz6Dvv1VuCS0CN
 VNAxuO0a/7VCsXxB08ydEKd0oP1L7DfCIWT+gzyCtk3yK+Cpx1JHY1oThi39C5dJ
 z6T3SFcK+8tF1zUw39m6rYeVpvVZinLTzWe66PMvzwItW3bsmyKl9jFPA==
X-ME-Sender: <xms:mlgDZG1gC9_n5GGDHM1FejPoeQGiYbdhLzZ9zbKUNIqm1arYn_70cA>
 <xme:mlgDZJEY7OLYEUmvDzQb64TmaTDpzP9Jhtz_iNzEf5D5A_TL8UcKo7OzYxX0CZzhv
 by0WmGgBBuphzikFA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddtuddgieefucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvvefutgesth
 dtredtreertdenucfhrhhomhepfdfnvghoucfhrghmuhhlrghrihdfuceolhgvohesfhgr
 mhhulhgrrhhirdhnrghmvgeqnecuggftrfgrthhtvghrnhepgfefleeuhfffvdetffegke
 eigeeltdehtdeiuedvffehfefhtdejffeuhefgleelnecuvehluhhsthgvrhfuihiivgep
 tdenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:mlgDZO4TpRd5rxvpddXIURGHuwrQVbDvq98sMGS7iLxuG-2QoSI5jw>
 <xmx:mlgDZH28fGllYCIFb9zT8aRpQYq_iIz3Jfu9-1fbV26sKQKQkVDJtg>
 <xmx:mlgDZJFT9GB2MM_l_Uzvw7HBwAw4mVBYVFaCGlSPh0wwfYl28VyyJw>
 <xmx:mlgDZHP6jQ6_BTzIx3UwGni2oR6fJJ6_mQncwfjEO8TrOOdSuvem0g>
Feedback-ID: i819c4023:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
 id 2A51C31A0063; Sat,  4 Mar 2023 09:41:30 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-183-gbf7d00f500-fm-20230220.001-gbf7d00f5
Mime-Version: 1.0
Message-Id: <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
In-Reply-To: <87ilfgreou.fsf@jpoiret.xyz>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <87ilfgreou.fsf@jpoiret.xyz>
Date: Sat, 04 Mar 2023 09:41:08 -0500
From: "Leo Famulari" <leo@famulari.name>
To: "Josselin Poiret" <dev@jpoiret.xyz>, zimoun <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Sat, Mar 4, 2023, at 05:30, Josselin Poiret wrote:
> Hi Leo,
>
> Leo Famulari <leo@famulari.name> writes:
>
>> That's not a significant number of packages.
>>
>> Overall, git and git-minimal will cause more than 300 rebuilds, but not
>> too many for the current state of the build farm.
>>
>> Concretely, why can't we push this to master immediately?
>
> `guix refresh` is not great for core packages: it only detects things
> that depend on other packages through inputs. Here though, git is used
> indirectly by git-fetch origins, and would affect the dependency graph a
> lot more.  I think this should be grafted to avoid too many rebuilds,
> and ungrafted on core-updates (maybe now, maybe after the big
> core-updates merge).

Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Git is a security critical package that we've always updated freely.

I'm AFK, only have my phone today . But, please try updating Git and check if the fixed-output source derivations change.

Leo




From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 04 10:32:59 2023
Received: (at submit) by debbugs.gnu.org; 4 Mar 2023 15:32:59 +0000
Received: from localhost ([127.0.0.1]:37477 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYTsZ-0003pc-D2
	for submit@debbugs.gnu.org; Sat, 04 Mar 2023 10:32:59 -0500
Received: from lists.gnu.org ([209.51.188.17]:45126)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1pYTsY-0003pQ-DX
 for submit@debbugs.gnu.org; Sat, 04 Mar 2023 10:32:58 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1pYTsY-0005A6-7Q
 for guix-patches@gnu.org; Sat, 04 Mar 2023 10:32:58 -0500
Received: from tobias.gr ([2a02:c205:2020:6054::1])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1pYTsW-0000e8-7U
 for guix-patches@gnu.org; Sat, 04 Mar 2023 10:32:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=gZyT0EXB9PK0T
 +uetX5K00DXpbFZ/ku16gFQx5I6JW4=;
 h=in-reply-to:date:subject:cc:to:
 from:references; d=tobias.gr; b=DEl8Y6XElSTLGltZWUwtC3VD0fJFjBE3R7PSKN
 PFKlpZt/989rL2GIP8YtC1K+MlJIL+bRwNX5B/qmrpWH1mECIpegGvfAgJA5EvfkltBr0w
 yEhLQm3dgIhV0AT+1NoNliC+a6i6IMc6xlx7FqFh9qPbpfjIWk7cxm+Zuo/Dw4tZVkOTG7
 gbZqpnnfvb2ZMH35h9EEEoK5neczn8UGsAGzHnfvbuSfeuhu3utFddbAsTufDDXXqIkX/L
 4QHRd/27IT+AD5/iGf5okI5jYhoK4/437w/u6rhsGF9PFew6pZKLDyEi37S0WKl5oScRdR
 h4KESKRQZQYWWeQEWvT/d3YA==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id c88653e9
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Sat, 4 Mar 2023 15:32:50 +0000 (UTC)
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <87ilfgreou.fsf@jpoiret.xyz>
 <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Leo Famulari <leo@famulari.name>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Date: Sat, 04 Mar 2023 16:34:31 +0100
In-reply-to: <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
BIMI-Selector: v=BIMI1; s=default;
Message-ID: <87ttz0wmv4.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr;
 helo=tobias.gr
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.6 (-)
X-Debbugs-Envelope-To: submit
Cc: 61583@debbugs.gnu.org, Josselin Poiret <dev@jpoiret.xyz>,
 guix-patches@gnu.org, Greg Hogan <code@greghogan.com>,
 zimoun <zimon.toutoune@gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.6 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Leo Famulari =E5=86=99=E9=81=93=EF=BC=9A
> I'm AFK, only have my phone today . But, please try updating Git=20
> and check if the fixed-output source derivations change.

=E2=80=A6and if not, shall we agree to push this?  (It's a yes from me,=20
dog.)

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCZANlPw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15cFEBAKmcf/vuCs0o0wZ5w5Vu9K8fAlaN/EKBulh9SVgh
Ka9pAP95nv3+dB1c9NDrtMFC3UvMjtMCtUKM6c555vgy575xCA==
=Jc38
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 04 12:53:07 2023
Received: (at 61583) by debbugs.gnu.org; 4 Mar 2023 17:53:07 +0000
Received: from localhost ([127.0.0.1]:37700 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYW4A-0007ac-V1
	for submit@debbugs.gnu.org; Sat, 04 Mar 2023 12:53:07 -0500
Received: from jpoiret.xyz ([206.189.101.64]:51200)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dev@jpoiret.xyz>) id 1pYW48-0007aR-Ip
 for 61583@debbugs.gnu.org; Sat, 04 Mar 2023 12:53:05 -0500
Received: from authenticated-user (jpoiret.xyz [206.189.101.64])
 by jpoiret.xyz (Postfix) with ESMTPA id A8807184D43;
 Sat,  4 Mar 2023 17:53:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim;
 t=1677952383;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=8OREPvPSoUn0zsk1xwyJVpxZKEkrGDU/3I5/9is+ZTU=;
 b=TFlrK7TMOU56OFLhpLBHsS28ixk1i3zC0n4dw37PgKINUzhntCe7zltKdBONI5QZjgBbHo
 DvdvjaRIe+f0OglQDz13TgJ9WCAD2a2vtEsxK+AUDbxTPfiiLFNRkBcO0L81033Vpc2jMg
 ChqwUpJVBXNZJ3tM0eJ3aI+GVxDT42swAWjvsuBMIKqp9/awHS6I3Jg7v0b5CF4yyUHrNh
 kktZxr42IZjyN1UsfnebUFeaEBYSLGTalaol8+GHa+/WiG0tabSe8w4nc8zX/KezlsYIX9
 h9SMlSRSvr3kliXbjL97O/3hTonSQsOCgSl8M7FVWRlv8cyi15Ey+hfvqPRzIQ==
From: Josselin Poiret <dev@jpoiret.xyz>
To: Leo Famulari <leo@famulari.name>, zimoun <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
In-Reply-To: <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <87ilfgreou.fsf@jpoiret.xyz>
 <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
Date: Sat, 04 Mar 2023 18:52:58 +0100
Message-ID: <87bkl8qu85.fsf@jpoiret.xyz>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Authentication-Results: jpoiret.xyz;
 auth=pass smtp.auth=jpoiret@jpoiret.xyz smtp.mailfrom=dev@jpoiret.xyz
X-Spam-Level: *
X-Spamd-Bar: +
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi Leo,

"Leo Famulari" <leo@famulari.name> writes:

> Changing the Git package shouldn't affect fixed-output derivations that f=
etch from Git. If they do, that's a recent and very serious bug.

Whoops, you're right, I completely ignored that.  I agree with you and
Tobias about pushing to master immediately then!

Best,
=2D-=20
Josselin Poiret

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQHEBAEBCAAuFiEEOSSM2EHGPMM23K8vUF5AuRYXGooFAmQDhXoQHGRldkBqcG9p
cmV0Lnh5egAKCRBQXkC5Fhcaiu49C/4qNBP2Z1qLAnrJ23wMJOWDQH/ST2PpLc02
jRvA8nAyfY1Xdh8Had8jNXzLV97hTZgwreOFbi969Nu/LfuI2QlP/+rvWn1gqDlK
dYyzuzF+6ctimavYRox/UZb8WsN/l5aNPqoabOj+OF2b8tt1ASEHelgE8pB5BFZl
Ojl15c9o2kn5XdGto7J6grV5t9vK3b20ANwt5ut4I2a8JCY7o6r0Qik3o2+uT4kO
8IX5e9Ht2jwbsS/IyRUsSdxOrkX+5iGeihnghxzk0Dm8NDjLMWA9H4WuDrjkl3/A
6PdGduF8zKaDS2LHBlwfVS1EYNfLr9y5lTNBNba8MgOfZlvPTxF5KWLX/8zVB+UQ
W/cZowWlpWj8mJghXfULEB3b7B0NqsDPSFIDokIVlZQx8Wp/ueGaOYeM7ThFtuQZ
rfct5PUV9BWt3ug+u6ls9THpvmzv/F60ce90jvEdQIpaLykbxpqlIKtGjrKb7gTK
k+qD9vIrrGacP3GCINwCJL93JJZw4Mo=
=H6C4
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 04 13:52:24 2023
Received: (at 61583) by debbugs.gnu.org; 4 Mar 2023 18:52:24 +0000
Received: from localhost ([127.0.0.1]:37724 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYWzX-0000oo-Ms
	for submit@debbugs.gnu.org; Sat, 04 Mar 2023 13:52:24 -0500
Received: from mail-lf1-f48.google.com ([209.85.167.48]:43571)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1pYWzW-0000oV-M6
 for 61583@debbugs.gnu.org; Sat, 04 Mar 2023 13:52:23 -0500
Received: by mail-lf1-f48.google.com with SMTP id r27so7675534lfe.10
 for <61583@debbugs.gnu.org>; Sat, 04 Mar 2023 10:52:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1677955936;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=NOrL8Xh+DscuNQDECRbTwVLEAq48D7EsDxyrhQy+Leg=;
 b=WhI2mrvxLHbfqy0bUXMvlY15ZsmG9dQJSaCEL8FurCETT7SnCmv3AL9R+b2ga4cDwP
 WbrIOPRnd7U4kpRvcW6ZTjuVKFLPWtp26AaG7e89UYn+lB00zrnHLsrCcEo0n9k+aWuk
 XcUCcdM1V318ta+nyfPDj7k0EDQW6vpPSLbVuHkj/IxGHgmuWbXUQr7iUlN8CXNBRBeN
 wwjYwm6srgCw8ClpVECwcF8BePC1oMJuZhVWlFs8RKh0aZfzY6PVHmLo/z2vZg2G/bgT
 MG/JswmUiKdkjs0pIh3T5TJCpsrkDxQPrKYbgxEpIgkQolmYiXXhjGW3/n2rlcbCs5Yv
 0ZGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1677955936;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=NOrL8Xh+DscuNQDECRbTwVLEAq48D7EsDxyrhQy+Leg=;
 b=68rl3hMpS/Ae1wx2ffYxVMbdxkxszgJHV7PzAIaLr2/9IG/3yqBBw4e/LU3u2zm0eq
 67DqmBqYvxPiPuQ2udXeNtD0f/WTCJQIYtLbfjdJfip8u7ZChFu2Lnnb70mPmeqw3fo+
 0HyjhDEkJ2NoL5/9brLUd0tU4iT0fctHZ5ar5O7SoEYbOQO4oXn61huZtnPnNbJFACZP
 Q3y0SnZKlP7hHCXGRyubuYe48bCzpuIvD6nIN0sxrcdjiJH/3PHSg+Dnwh4cn027CpGX
 enVjCLonuXelrCZ18swdMuzcebQuBukaQg4hBOinByh3sgTLi8PATHswkNjgtjWZ/Tsp
 lbzA==
X-Gm-Message-State: AO0yUKWJB2z5Rc1xeZoWbT1AP1ypjEIC79IcqnFAGPxI7sauaDmp+FVk
 I5KpjgU4Zkwu520wG9GD15PppVeh+IEHmjRL3Xc=
X-Google-Smtp-Source: AK7set9mK4QuLlLd4J60/KJxq7FgNcDGcEz9nT3FW2bGArVpXIx7JYvCL89vtE5a+nQG7x2B0sgj1KDgUn8Zsvww/lk=
X-Received: by 2002:ac2:52bb:0:b0:4db:b4:c8d7 with SMTP id
 r27-20020ac252bb000000b004db00b4c8d7mr1810520lfm.2.1677955936393; 
 Sat, 04 Mar 2023 10:52:16 -0800 (PST)
MIME-Version: 1.0
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
In-Reply-To: <ZAJtKtBBc+tZeBlX@jasmine.lan>
From: Simon Tournier <zimon.toutoune@gmail.com>
Date: Sat, 4 Mar 2023 19:52:04 +0100
Message-ID: <CAJ3okZ3dxoyHKoi0QVikKyanNz9xDCWU7b6WcF73N8J31bmLxQ@mail.gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
To: Leo Famulari <leo@famulari.name>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

On Fri, 3 Mar 2023 at 22:57, Leo Famulari <leo@famulari.name> wrote:

> Overall, git and git-minimal will cause more than 300 rebuilds, but not
> too many for the current state of the build farm.

I get 546 dependent packages for git + git-minimal which need to be
re-built.  And some are really expensive -- that what I meant by "a
lot of rebuilds". :-)

Well, I do not know if there is an issue with QA or it is just really
expensive but the process is still pending, if I read correctly
<https://qa.guix.gnu.org/issue/61583>.

> Concretely, why can't we push this to master immediately?

Somehow the guarantee that none of these 546 would not be broken by
the update. ;-)

Anyway, I had locally built them -- it took 3-4 days on my machine,
IIRC -- and I do not remember any "big" breakage, maybe a couple of
packages -- even maybe not since some are already broken.  However, I
did not carefully tracked my process thinking to come back later --
well, I ran "guix gc" in the mean for checking stuff with SWH coverage
thinking that QA would have finished.

I do not have an opinion where or whether to push.

Cheers,
simon




From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 05 13:46:09 2023
Received: (at 61583) by debbugs.gnu.org; 5 Mar 2023 18:46:09 +0000
Received: from localhost ([127.0.0.1]:40645 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYtN3-0000U7-FK
	for submit@debbugs.gnu.org; Sun, 05 Mar 2023 13:46:09 -0500
Received: from wout2-smtp.messagingengine.com ([64.147.123.25]:42825)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1pYtN2-0000Tu-2z
 for 61583@debbugs.gnu.org; Sun, 05 Mar 2023 13:46:08 -0500
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
 by mailout.west.internal (Postfix) with ESMTP id AC11932002D8;
 Sun,  5 Mar 2023 13:46:01 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute1.internal (MEProxy); Sun, 05 Mar 2023 13:46:02 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:cc:content-type:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:sender:subject:subject:to:to; s=mesmtp; t=1678041961;
 x=1678128361; bh=oOn9uxFsCDBig6SckQcsII94Ra8WdHdVydvLy2RG0AY=; b=
 oNOKyxuZFd6AU+EeOstqLfCGNQGRgLGDriilup4BDb6P2YElj0OJp8oZByI8DWqb
 6x6LHu8m9BKu5ZC4x2hO6GtSkaSY0f6X0gbbuyvvMIANquOdb3PqqYZACDVGsxQH
 FmxV4lbZVLI6JO/q15A/d1xp/QVjCaApQj2Md5v0OxQ=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-type:content-type:date:date
 :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
 :message-id:mime-version:references:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm1; t=1678041961; x=1678128361; bh=oOn9uxFsCDBig
 6SckQcsII94Ra8WdHdVydvLy2RG0AY=; b=Al/56gp9RCy/cxnNqJuSHLnHvDAOS
 0ekScvdsKzg3WvXQ1s4XLD84nIuroT7I/Okqi8XJDmwpXvX3+v667p3RHDOnoxlo
 qdycAC36Bl2qWebIiisIN1t2+WCwkLSfdY4youufmJ755HFYX0ziVPuAO7aqJVfY
 TEG9CTcL5wI4dfvEKH9fU40SSsYwWtJBPlzMjDxWib1A9xLBN6HxuieO1EL+TF0G
 LXjMTsg/42Zx5JrZMk9rGhTeMVk+3Z2TcIalSUcmzDUt9kWRuAgyPV9USJ37y+eB
 jeylMnW3mSzJunZjEx0H/SHtxWxhY4SnFwVHTQqAtGoebVFGBk3yGHPBw==
X-ME-Sender: <xms:aOMEZBpIWIbNCofebCnCSTO7gb8ov6gLL3ECibD0yX7Q4-JcfEEwBQ>
 <xme:aOMEZDorTNC17-9uCEs82ZP3H5zcMA-cPuaPLJ3qPXcXMfq86yyLtMgooNgVPesS-
 LEkAcs75Mxv4190Mg>
X-ME-Received: <xmr:aOMEZOPbHDxokaKZkL5MBR-rBg0J0h7e2Ln2p4ZjXaVIL2hyelK5qOdQJvsvPHdrJWBpBQrfCSo9u4OLwxjZ2Gg0>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddtgedgudduiecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvfevuffkfhggtggujgesth
 dtredttddtvdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhu
 lhgrrhhirdhnrghmvgeqnecuggftrfgrthhtvghrnhepteehuedviedvleeuueekhfdtie
 ehtdeghfdvvdelhfdujeduieehleefveetuefhnecuffhomhgrihhnpehgnhhurdhorhhg
 necuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplhgvoh
 esfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:aOMEZM79_lmLYdumWcyP-229W4lagqa8blWhHorFyI299LoqaFiDCQ>
 <xmx:aOMEZA7pxEPnp7eJ-_BxOlcWkJg_KJPGedy7d-OU-5uZF0MrG-A_-A>
 <xmx:aOMEZEhrCEIdEu6SRpwswpiWtl4TBvZnBfkc-9mupx4ME-KAuFu4BQ>
 <xmx:aeMEZAHK8iaZSqofrkw87IZ4KvpTahrhcjJU8IawUdCHSCMRtZ_riQ>
Feedback-ID: i819c4023:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun,
 5 Mar 2023 13:46:00 -0500 (EST)
Date: Sun, 5 Mar 2023 13:45:58 -0500
From: Leo Famulari <leo@famulari.name>
To: Simon Tournier <zimon.toutoune@gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Message-ID: <ZATjZm3u26B1E7i6@jasmine.lan>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <CAJ3okZ3dxoyHKoi0QVikKyanNz9xDCWU7b6WcF73N8J31bmLxQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAJ3okZ3dxoyHKoi0QVikKyanNz9xDCWU7b6WcF73N8J31bmLxQ@mail.gmail.com>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Christopher Baines <mail@cbaines.net>,
 Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
> I get 546 dependent packages for git + git-minimal which need to be
> re-built.  And some are really expensive -- that what I meant by "a
> lot of rebuilds". :-)
> 
> Well, I do not know if there is an issue with QA or it is just really
> expensive but the process is still pending, if I read correctly
> <https://qa.guix.gnu.org/issue/61583>.

At the Guix Days, it was said that there is a limit to how many builds
the QA server will perform for a change. I don't recall the number, but
maybe 300 builds per change? So, if a change causes too many rebuilds,
the QA server will not perform the builds.

Aside: Chris, I'd be happy to add a FAQ page to the QA server that
answers this type of question. Let me know if I've missed that one
already exists.

For the Berlin server, I don't think that 546 builds is too many, at
least for Intel systems.

> > Concretely, why can't we push this to master immediately?
> 
> Somehow the guarantee that none of these 546 would not be broken by
> the update. ;-)

It's certainly possible that something breaks. But we can do a simple
test by trying to update our profiles and Guix System installations, and
checking that our tools still work. I think it's okay to cause a little
breakage in order to deploy important security updates.




From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 05 14:30:57 2023
Received: (at 61583) by debbugs.gnu.org; 5 Mar 2023 19:30:57 +0000
Received: from localhost ([127.0.0.1]:40678 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYu4O-0001eh-LJ
	for submit@debbugs.gnu.org; Sun, 05 Mar 2023 14:30:56 -0500
Received: from wout2-smtp.messagingengine.com ([64.147.123.25]:60011)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1pYu4M-0001eV-RM
 for 61583@debbugs.gnu.org; Sun, 05 Mar 2023 14:30:55 -0500
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.west.internal (Postfix) with ESMTP id A46ED32009D2;
 Sun,  5 Mar 2023 14:30:48 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute5.internal (MEProxy); Sun, 05 Mar 2023 14:30:49 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:cc:content-type:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:sender:subject:subject:to:to; s=mesmtp; t=1678044648;
 x=1678131048; bh=7JehIp47OegmcHglAS5RRJ4+kd32JWyT2U2b2tMun3w=; b=
 kIAZTeTXrH70nAglyFA9yP9UumS+nD0IvLt+/1moOoViUBddaYwhcYAl85rIPjqu
 Y9/LNPdFCgj/ek1JRGP75zvVOk1gR9oq0nauqXb/mvqxXdhLAhK7l+ogrxrvcfZk
 GBnuSWpI6g9Bq4C3PfxfIDTW2QONF4TC96jtL+XWiEg=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-type:content-type:date:date
 :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
 :message-id:mime-version:references:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm1; t=1678044648; x=1678131048; bh=7JehIp47Oegmc
 HglAS5RRJ4+kd32JWyT2U2b2tMun3w=; b=T7g9gPmI1Gf/T5p3BOZbP4EQDwqkf
 BKMtEGWG+GOufTjD5w3FGfe2AkOWbxbGReln2r1axHtS5AEfFNl7OEjDN0lUNbGH
 qUX7O8Lbv+U4dMgo5IIAcjjZQ9G0NAcypVb06cXADVSXhCveqn4AO1uzesaoLRrQ
 qOmjqom0dRfzjqJf++/ks7cHmqDUahk5V5W9N412FMXu1Y7MKANTAl8n0YbIJkgn
 DK1HyMm8QJIILh4BQIo4Ao9B7HTxhljapwCO9885E1GFxmmv+lHO5iQl7jlNvPgv
 hByIbYUsZljLjFkZzWe9yXh7oGj4Rg96rAaA7KG3RIcggtBH1rharsJCA==
X-ME-Sender: <xms:6O0EZIN4J6GMYF-aaKWtob-scdrj6cqv14rVq5X1IKGAkkuB_AijOQ>
 <xme:6O0EZO8dzg5HO4J5VCCJ8ZeFbFSD5wAao6HfZUkKfUSYM-uPvUwJ0hlC58Mnsss5R
 SKo8pK5ZtGbaOzrJg>
X-ME-Received: <xmr:6O0EZPTQW05dEC1wwrJWV8dE5zliqOxk5ubBpKBXEE9xHYWW5Ghi0GZccQxDPZ33In47T8_6525Ad9hvrqKhPum8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddtgedguddvhecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvfevuffkfhggtggujgesth
 dtredttddtvdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhu
 lhgrrhhirdhnrghmvgeqnecuggftrfgrthhtvghrnhepieetudehfeekueefleegudfhje
 fgleehfeeluefhfeffgfeuudelhedvjeelieetnecuvehluhhsthgvrhfuihiivgeptden
 ucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:6O0EZAucplj49pHzNh--Md8F4Qos68OWTtN1vvuf2phjGLpgnP4KRQ>
 <xmx:6O0EZAcXig9eYP0piwpYWQFZjng7Ml5toEF9WBcYJQmL0GOeelUE-Q>
 <xmx:6O0EZE201nvQOhKAvX-79-iKHCsCo6vxGF57Ze3ErmnGwnlN-Om3rQ>
 <xmx:6O0EZI52chhRkEcPoVztTRRCcTAsFaVswUQ94IVfRNUwnDN_-iicNA>
Feedback-ID: i819c4023:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun,
 5 Mar 2023 14:30:47 -0500 (EST)
Date: Sun, 5 Mar 2023 14:30:45 -0500
From: Leo Famulari <leo@famulari.name>
To: Josselin Poiret <dev@jpoiret.xyz>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Message-ID: <ZATt5Qs2aEbUArVt@jasmine.lan>
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <87ilfgreou.fsf@jpoiret.xyz>
 <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
 <87bkl8qu85.fsf@jpoiret.xyz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87bkl8qu85.fsf@jpoiret.xyz>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, ludo@gnu.org, Greg Hogan <code@greghogan.com>,
 zimoun <zimon.toutoune@gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

> "Leo Famulari" <leo@famulari.name> writes:
> > Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Now I have confused myself and I'm unsure. I stepped away from Guix for
a while and forgot a lot of the intimate knowledge I had on this
subject.

I checked, and this patch does change the derivation of packages
fetching from Git, although the output is identical. So, I am confused
about if this will cause >10k rebuilds or not.

Here's how I checked, first by calculating derivations and outputs on
the master branch, and then after applying the patch:

------
$ git rev-parse --abbrev-ref HEAD
master
$ git rev-parse HEAD                                 
cedf97ed6ee4eba8c39bfe6cc0efe33fcb977ccf
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv    
$ ./pre-inst-env guix build --no-grafts corefreq   
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

Apply the patch:

------
$ git checkout contrib-security-git                 
Switched to branch 'contrib-security-git'
$ git log --oneline | head -n1         
faeb52692d gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv         
$ ./pre-inst-env guix build --no-grafts corefreq   
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

The package derivation changed, but not the output.

I'm looking for guidance on how to interpret these results.




From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 05 14:47:16 2023
Received: (at 61583) by debbugs.gnu.org; 5 Mar 2023 19:47:16 +0000
Received: from localhost ([127.0.0.1]:40691 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYuKC-00023p-3W
	for submit@debbugs.gnu.org; Sun, 05 Mar 2023 14:47:16 -0500
Received: from mira.cbaines.net ([212.71.252.8]:42346)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mail@cbaines.net>) id 1pYuKA-00023h-OE
 for 61583@debbugs.gnu.org; Sun, 05 Mar 2023 14:47:15 -0500
Received: from localhost (unknown [IPv6:2a02:8010:68c1:0:3a91:a0a4:ecee:f157])
 by mira.cbaines.net (Postfix) with ESMTPSA id 8C40116B8B;
 Sun,  5 Mar 2023 19:47:12 +0000 (GMT)
Received: from felis (localhost [127.0.0.1])
 by localhost (OpenSMTPD) with ESMTP id 6b63de03;
 Sun, 5 Mar 2023 19:47:10 +0000 (UTC)
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <CAJ3okZ3dxoyHKoi0QVikKyanNz9xDCWU7b6WcF73N8J31bmLxQ@mail.gmail.com>
 <ZATjZm3u26B1E7i6@jasmine.lan>
User-agent: mu4e 1.8.13; emacs 28.2
From: Christopher Baines <mail@cbaines.net>
To: Leo Famulari <leo@famulari.name>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Date: Sun, 05 Mar 2023 19:27:40 +0000
In-reply-to: <ZATjZm3u26B1E7i6@jasmine.lan>
Message-ID: <871qm3rner.fsf@cbaines.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Greg Hogan <code@greghogan.com>,
 Simon Tournier <zimon.toutoune@gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain


Leo Famulari <leo@famulari.name> writes:

> On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
>> I get 546 dependent packages for git + git-minimal which need to be
>> re-built.  And some are really expensive -- that what I meant by "a
>> lot of rebuilds". :-)
>>
>> Well, I do not know if there is an issue with QA or it is just really
>> expensive but the process is still pending, if I read correctly
>> <https://qa.guix.gnu.org/issue/61583>.
>
> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.

Currently the limit is 200 builds per system.

https://git.cbaines.net/guix/qa-frontpage/tree/guix-qa-frontpage/manage-builds.scm#n99

> Aside: Chris, I'd be happy to add a FAQ page to the QA server that
> answers this type of question. Let me know if I've missed that one
> already exists.

Contributions are very welcome, there's no documentation yet.

>> > Concretely, why can't we push this to master immediately?
>>
>> Somehow the guarantee that none of these 546 would not be broken by
>> the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.

The backlog of revisions to be processed by data.qa.guix.gnu.org is
being processed faster now, so hopefully the impact of this change will
be visible there shortly.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmQE8bxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh
aW5lcy5uZXQACgkQXiijOwuE9XcGdw/9Ee94HmMs/rRsLx3yaPSH5FxjL1nHqcFU
6CuQ+YQNVvjCHF4WXuZzEDMeqv/MHS6J08bWstG03vPx9Vw1q9xfTSJ8XJsdPipe
Du//5AI4JDecDx/Rhr82ZppULq+S3H8mM3d54P9h8kz1pHjoxlN7llhXKlsi9/lu
RqIAhhfyXQU5h2amZL3yOO9zMwy9FWbSkd3q+tzYvcnEBApZgjlQPbLXQis1FgKd
CCCPsPamqRGxPasFidKKo9nsnwBFQH9ETuUhD5tgv9YXQy4eZRGpHNqt9Ax55azx
ile8+OGjqGOsQSf3+C+l5AVUW755PoW50JFgEgbSVpiFZNUvYjqNkSNr/q/CIjII
Q3+zeb7sKJ/NwgLXxnvGnhjVxPeOXY47SlbYg8Qr5AJbWbyS5E/cTYAr+Wl6DVTK
cYrMXnz0+Y3LUH+xsf2dEZfindGKHqGznMlt/WZYIyT9JrbeI9EgtVxwqOgoz9ON
aRuEcAXWd/CPWVM2dWWVRzQUfY3CQitSCy26nG/CJclQBdJeQ8IszEMUS+qAypAI
EsOZlsh71XxeB/8lHgFQqPVQQM8VgBdvyVSoxy3yoemqALsqZ4Fgx6CR5i6N8gUG
990k7LC7GNF1ZxDL4fVFmFheGHvF/+mjCiM6f1+FrX8WmFStEkEaLLC8hPUB4MwG
2uELLhc0zy8=
=69BE
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 05 15:33:41 2023
Received: (at 61583) by debbugs.gnu.org; 5 Mar 2023 20:33:41 +0000
Received: from localhost ([127.0.0.1]:40737 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pYv37-0003Jk-81
	for submit@debbugs.gnu.org; Sun, 05 Mar 2023 15:33:41 -0500
Received: from mail-lf1-f48.google.com ([209.85.167.48]:38829)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1pYv35-0003JG-91
 for 61583@debbugs.gnu.org; Sun, 05 Mar 2023 15:33:39 -0500
Received: by mail-lf1-f48.google.com with SMTP id m6so10181410lfq.5
 for <61583@debbugs.gnu.org>; Sun, 05 Mar 2023 12:33:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1678048413;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:from:to:cc:subject:date
 :message-id:reply-to;
 bh=9b2maxSR3khHyZmvv59KfLuib4i9L6KZPAXDS4f5opA=;
 b=kJq4OPYPBPNyF/nC16ynGVCcYP46Iut2cXOAd48Luc91vc6i0GDTdFWjcVKN+9B5KX
 hZCzieFhyG1ICv5p35/ZCDH11WWsPs9G5JU/kc6SobcSSnE6cwEfDxiBMNqo7QTayIsU
 e0XE/G2gWyqgwRY1pqXaZWvKgMJ4P3jDS4lalrnonSDs+JJf18Xqq7ZOfcA0Dn0csl4I
 wOFrvQ331b78kXKDOZX+/J0mP3bcWrEOMi2j6n4iQ9YLn264yjg3G72KLbf8cgfutFBQ
 B+nvdEBqm9bwJUU5hI/G9PaHlW9smOWynqkzZfwpq4LAz89KDQslhDRPkCDTsh39f7Yv
 F6dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1678048413;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=9b2maxSR3khHyZmvv59KfLuib4i9L6KZPAXDS4f5opA=;
 b=PNa2ZIYjI8/TIoCVSLQDNtn4GEEuNf/Fa9pR2XpswWbauRZ+zzGg69wuK9sUBJ8gCj
 RiOGOnjB0uP1jSbVRqKozZVAnc2fF4wL65ty7os2syDd16k17iVxZKKohSeLB3hecHlL
 ktz4uT5QmV3nKqVFiMRDBbU3W3NHH8sEtqninzVeKEhiAnfw4ESg2rxYvyGzj0Nq6lyp
 FFpUMXMgG+OZ/PyArjMZJroa2uk/JJ41jypmpysIhEV3mtXqe4zq6K3DPHen2hUr+/jU
 ufutWEqJlgtGVqFKSr0xbY1h0bMz/FXypn5cZrp8xkylW69LsP1nLAu/WbP/Pu1zQcm6
 o51Q==
X-Gm-Message-State: AO0yUKWUUpC8rRgMIZ70Hchyt8Lki+s+HRCjsM1MdxVWxsFXRgeueQCs
 0u1XPGb/zf6Zusuqh0+Jj5hAKDgUoTUOo+5FR2I=
X-Google-Smtp-Source: AK7set8+7RFYLCBzxClEjS3St3p08GfX00KLHqLuC7UiMl01W8TeVxIFcw5byPhMVR0cskqSCQRYMOTacCgiS0huKIU=
X-Received: by 2002:ac2:44a3:0:b0:4df:1d72:8e87 with SMTP id
 c3-20020ac244a3000000b004df1d728e87mr2447161lfm.2.1678048412846; Sun, 05 Mar
 2023 12:33:32 -0800 (PST)
MIME-Version: 1.0
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <CAJ3okZ3dxoyHKoi0QVikKyanNz9xDCWU7b6WcF73N8J31bmLxQ@mail.gmail.com>
 <ZATjZm3u26B1E7i6@jasmine.lan>
In-Reply-To: <ZATjZm3u26B1E7i6@jasmine.lan>
From: Simon Tournier <zimon.toutoune@gmail.com>
Date: Sun, 5 Mar 2023 21:33:20 +0100
Message-ID: <CAJ3okZ2topeJmVoEidBR1JAT6BmLjSDYXyhkK8vP+8cHU=nfrg@mail.gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
To: Leo Famulari <leo@famulari.name>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583
Cc: 61583@debbugs.gnu.org, Christopher Baines <mail@cbaines.net>,
 Greg Hogan <code@greghogan.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Leo,

On Sun, 5 Mar 2023 at 19:46, Leo Famulari <leo@famulari.name> wrote:

> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.

Ah thanks!  I always forgot that limit. :-)  I mean, since it says
"not yet processed", I still think the limit is higher. ;-)  Anyway.

> For the Berlin server, I don't think that 546 builds is too many, at
> least for Intel systems.

Indeed.  Just to note that the last update of Git was by commit:

--8<---------------cut here---------------start------------->8---
51f8a7aced70b7f79037bd99019dddaea07ced25
Author:     Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun Jan 15 01:00:03 2023 +0100
Commit:     Tobias Geerinckx-Rice <me@tobias.gr>
CommitDate: Sun Jan 15 01:00:08 2023 +0100

gnu: git: Update to 2.39.1 [fixes CVE-2022-41903 & CVE-2022-23521].

* gnu/packages/version-control.scm (git): Update to 2.39.1.

Reported by HexMachina in #guix.
--8<---------------cut here---------------end--------------->8---

and all was fine...

> > Somehow the guarantee that none of these 546 would not be broken by
> > the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.

...but it was not with the previous,

--8<---------------cut here---------------start------------->8---
83ede5a02e1fc531d912eb92eb0a22a4b897997c
Author:     Greg Hogan <code@greghogan.com>
AuthorDate: Wed Oct 19 20:13:15 2022 +0000
Commit:     Ludovic Court=C3=A8s <ludo@gnu.org>
CommitDate: Tue Nov 8 14:06:00 2022 +0100

gnu: git: Update to 2.38.1.

Fixes CVE-2022-39253 and CVE-2022-39260.

* gnu/packages/version-control.scm (git): Update to 2.38.1.

Co-authored-by: Ludovic Court=C3=A8s <ludo@gnu.org>
--8<---------------cut here---------------end--------------->8---

which had broken part of the Julia ecosystem; now the same problem
cannot arise for Julia.  Who knows for the others?  Anyway, I did this
rebuild and I did not noticed large breaks.


> > > Concretely, why can't we push this to master immediately?

Since we agree it is fine for master, feel free to push. :-)


Cheers,
simon




From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 06 07:54:19 2023
Received: (at submit) by debbugs.gnu.org; 6 Mar 2023 12:54:19 +0000
Received: from localhost ([127.0.0.1]:41616 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pZAM7-0004yR-2v
	for submit@debbugs.gnu.org; Mon, 06 Mar 2023 07:54:19 -0500
Received: from lists.gnu.org ([209.51.188.17]:42266)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1pZAM5-0004yJ-Co
 for submit@debbugs.gnu.org; Mon, 06 Mar 2023 07:54:17 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@gmail.com>)
 id 1pZAM5-0004Nj-5p
 for guix-patches@gnu.org; Mon, 06 Mar 2023 07:54:17 -0500
Received: from mail-qv1-xf33.google.com ([2607:f8b0:4864:20::f33])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@gmail.com>)
 id 1pZAM3-0007II-Ek
 for guix-patches@gnu.org; Mon, 06 Mar 2023 07:54:16 -0500
Received: by mail-qv1-xf33.google.com with SMTP id nv15so6480377qvb.7
 for <guix-patches@gnu.org>; Mon, 06 Mar 2023 04:54:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1678107254;
 h=content-transfer-encoding:mime-version:user-agent:message-id
 :in-reply-to:date:references:subject:cc:to:from:from:to:cc:subject
 :date:message-id:reply-to;
 bh=Li+2zDqxksxHBXMRA74Ow1dC4LYLaaW9/UEqqhUUNeI=;
 b=eXFjdDZVBW0tCtICiHsRF2sRfkeiMqrNr1On1kWa0KHovg1+gsRhVGcM5YCpTIhAXc
 ErXvw0OXba1DEI5zooJlP3pls2G17rJKr2u4Ai6sQ2SxhXmF23nyS991DlbMEA3YBbyx
 rN/Juw7O5eqiuHSGG+JDLZG3pW+FKzeA7aRD7iLS1LhmerRW8SSKcw/8Fgw9B8jSw/pN
 gsrp50PsJRMLobS1vGrt812w2DlKjKaNcnawNibqATBU39dVGuhP7uQCQh5Vd6tvvRYO
 eTThSqu5UUXJSMFZP6+8VLAUfViRdsBv3gcx0Ab9pxlGBulL/tPqVm7Nl9q1F8g8d/3G
 M7YA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1678107254;
 h=content-transfer-encoding:mime-version:user-agent:message-id
 :in-reply-to:date:references:subject:cc:to:from:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=Li+2zDqxksxHBXMRA74Ow1dC4LYLaaW9/UEqqhUUNeI=;
 b=uuXG93VNlI/KFiWqkClhlX++7Q4FdA5jzkYYywh8timIS4tNuT7NIeIUzRyY1EEPWF
 o4d5zXJ+bjyOybdf/nU/hR5gE4xV7K2jEvW3xwNtNSJFhoqVHChsg11H0eWpz/A2KHG8
 HvwSWsbx19t0KypRFkNiKMqjCaprXcATt/Di86zohJbli/B8B1Qio581GLMyLKpIhY0y
 D/8XZcmZP4Go0f8+7nQ0jkwQQvzU/Me3YX0MO/xNneeE+kAF8qOftqN0yvl5Onr7MPKO
 r0Ay6NpUh2Bhfkv1UZspZMaVPUWVqD7XNiFlnO3PQjio6XVcMQUUDq1+8GW11JM8JB4L
 ciJg==
X-Gm-Message-State: AO0yUKVFLEvj1Bs5vGqliBZCB/ZQLW74B0gYZ4WVTD4MYmtAdHmZ8wPI
 5jyintcxthLfP8l2nkZN66AUdkLF2UOJxA==
X-Google-Smtp-Source: AK7set/1EGmWfNlnjZNKTbgr2ThGqly6fT1L+DcyrzAsVLKxE4VwfZFmizk8zx2Dfz5KCI6Gcz0Snw==
X-Received: by 2002:a05:6214:4005:b0:537:6330:93a6 with SMTP id
 kd5-20020a056214400500b00537633093a6mr14177402qvb.34.1678107254392; 
 Mon, 06 Mar 2023 04:54:14 -0800 (PST)
Received: from hurd (dsl-149-144.b2b2c.ca. [66.158.149.144])
 by smtp.gmail.com with ESMTPSA id
 c133-20020ae9ed8b000000b0074280fc7bd8sm7403342qkg.60.2023.03.06.04.54.13
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 06 Mar 2023 04:54:14 -0800 (PST)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
References: <20230217180402.29401-1-code@greghogan.com>
 <87y1os36js.fsf@gmail.com> <ZAJtKtBBc+tZeBlX@jasmine.lan>
 <87ilfgreou.fsf@jpoiret.xyz>
 <18a9b3b3-3dc7-44bf-84a5-74cd4fab8984@app.fastmail.com>
 <87ttz0wmv4.fsf@nckx>
Date: Mon, 06 Mar 2023 07:54:12 -0500
In-Reply-To: <87ttz0wmv4.fsf@nckx> (Tobias Geerinckx-Rice via Guix-patches
 via's message of "Sat, 04 Mar 2023 16:34:31 +0100")
Message-ID: <87zg8q11mz.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2607:f8b0:4864:20::f33;
 envelope-from=maxim.cournoyer@gmail.com; helo=mail-qv1-xf33.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: dev@jpoiret.xyz, zimon.toutoune@gmail.com, 61583@debbugs.gnu.org,
 Tobias Geerinckx-Rice <me@tobias.gr>, code@greghogan.com,
 Leo Famulari <leo@famulari.name>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Hi,

Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org>
writes:

> Leo Famulari =E5=86=99=E9=81=93=EF=BC=9A
>> I'm AFK, only have my phone today . But, please try updating Git and
>> check if the fixed-output source derivations change.
>
> =E2=80=A6and if not, shall we agree to push this?  (It's a yes from me, d=
og.)
>
> Kind regards,

As long as it doesn't touch git-minimal/fixed, we should be OK,
otherwise it causes thousands of rebuilds (see the revert of
8a9bf794e184934e1432f25f4954117d4b46f655, where I got bitten by this).

I don't recall why it causes so many rebuilds.

--=20
Thanks,
Maxim




From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 06 12:23:32 2023
Received: (at 61583-done) by debbugs.gnu.org; 6 Mar 2023 17:23:32 +0000
Received: from localhost ([127.0.0.1]:43538 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pZEYd-0006fC-OB
	for submit@debbugs.gnu.org; Mon, 06 Mar 2023 12:23:31 -0500
Received: from wout1-smtp.messagingengine.com ([64.147.123.24]:47257)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1pZEYc-0006ew-GH
 for 61583-done@debbugs.gnu.org; Mon, 06 Mar 2023 12:23:31 -0500
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.west.internal (Postfix) with ESMTP id 84DF9320029B;
 Mon,  6 Mar 2023 12:23:22 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Mon, 06 Mar 2023 12:23:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=cc:cc:content-type:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:sender:subject:subject:to:to; s=mesmtp; t=1678123402;
 x=1678209802; bh=hfSdYQi7T30Uc1lZZWs59joeFISDWaQx9SJxOGyYUiU=; b=
 YApCIBETZwRp0x3xAvphvTwEUyjlJIrWyWpOM4fl9C0GExhx60ep7/HfIVJjTEQJ
 Qtv8RT5dP0f60TYKbz8SHA28uUwrEPH18iZVveRy59vVGN/09RCjEUOBVk8tzBB8
 gnOxViYUjlRAepFcnmuTranu0dyWYS8I3F4NRNk6kV8=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-type:content-type:date:date
 :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
 :message-id:mime-version:references:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm1; t=1678123402; x=1678209802; bh=hfSdYQi7T30Uc
 1lZZWs59joeFISDWaQx9SJxOGyYUiU=; b=nrLgajnD4+DmBo3jDRe528Ob8fuda
 nASesbpkrEAp0fjeWUYpLRwIZylHshR49PveXQ2URyCN4wWX3UZrnopBzxdv4jiD
 Zt4Osp7iEEn7QgRP3AoS81V/NJLCTv645CdVUnGjuHs5I31adorrU4rjA1Dshr9z
 TKGG4IoT/fEUsEgh0DJ/BcYMG1w+TWoDX2TG815bocP1XLQ3OvPTyIPkUTTwbYXL
 L78avPFSz+XACkfnTaa8n5DJ7QvhokV7v/ZP0aTuTwQk07PC1EW5jhn2+trUzdZ4
 /A1eLxui4mkWiC/7ynkqOZCWO4tDGmnu5WfygSAalKLjBh9iAYF0M+YJQ==
X-ME-Sender: <xms:iSEGZF48xp7MO9rkbvzqpBs9MKZk9Jilk6ASIvtd1BRUjFRimD7Dtw>
 <xme:iSEGZC5EQifjwGqS2BQBtAr9Nw-Ru-4YJAwgxQLWcKnETJrElajgCUmDZ3rKc5u09
 jtXZVBotcY0dCcxtg>
X-ME-Received: <xmr:iSEGZMezQPYHHKukk5_ijxkmXrD5YuEJUSIAPfBpwTWnwliOOqnv0JJeXqpyJ8l4eL1H_CihdcvKNeLCdNCpod8H>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddtkedgjedvucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvvefukfhfgggtuggjsehttd
 ertddttddvnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl
 rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeetheeuvdeivdelueeukefhtdeihe
 dtgefhvddvlefhudejudeiheelfeevteeuhfenucffohhmrghinhepghhnuhdrohhrghen
 ucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghose
 hfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:iSEGZOLBaI1UfeROrYQOZJkEeO99AyuS7BO2JB3WiQtT2PJBYytXyw>
 <xmx:iSEGZJJdZ0jozSKtdI45boS64yn1yiRRHXEkEWoTepf_861MktDyCg>
 <xmx:iSEGZHyfkhFA66lp1cEYNOQ9MsB29QgUPKh10AAWHke9Jp5DYzR8Qg>
 <xmx:iiEGZLziD6tq9KNhm9tRoNO14Ev-hqGrDkW8-DbCe56h8fEzKxnI5w>
Feedback-ID: i819c4023:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 6 Mar 2023 12:23:21 -0500 (EST)
Date: Mon, 6 Mar 2023 12:23:19 -0500
From: Leo Famulari <leo@famulari.name>
To: Greg Hogan <code@greghogan.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Message-ID: <ZAYhh259BdvWtwMQ@jasmine.lan>
References: <20230217180402.29401-1-code@greghogan.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230217180402.29401-1-code@greghogan.com>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 61583-done
Cc: 61583-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Fri, Feb 17, 2023 at 06:04:02PM +0000, Greg Hogan wrote:
> * gnu/packages/version-control.scm (git): Update to 2.39.2.

Thank you! Pushed as a0d22c41989e529859c813fb64a78250bde76991

Some more discussion on the subject on #guix IRC:

http://logs.guix.gnu.org/guix/2023-03-06.log#175418




From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 08 05:17:24 2023
Received: (at 61583-done) by debbugs.gnu.org; 8 Mar 2023 10:17:25 +0000
Received: from localhost ([127.0.0.1]:47828 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pZqrM-0004Xx-L5
	for submit@debbugs.gnu.org; Wed, 08 Mar 2023 05:17:24 -0500
Received: from mail-wr1-f42.google.com ([209.85.221.42]:38886)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@gmail.com>) id 1pZqrK-0004XW-4B
 for 61583-done@debbugs.gnu.org; Wed, 08 Mar 2023 05:17:22 -0500
Received: by mail-wr1-f42.google.com with SMTP id h11so14807586wrm.5
 for <61583-done@debbugs.gnu.org>; Wed, 08 Mar 2023 02:17:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1678270636;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id
 :reply-to; bh=WPW5YZexM6XsPm9mlaC5dkE0EyVNXo1kK2eBK/vwTZI=;
 b=JIF/4ussQOcZcKsjyZYjRSUTKj2/bkSNU61GTzEOzeUogUQhZM+hM1aSyLlcbVmKcI
 VxC39Nn+85qugcK3SDNpJzcM9YewvFesfoeTTxq48GQ4HQ3mUaNCf97tA97IqFFgNWGe
 bExFoWKyGHjOg4IExJZkCX6xfb9hrLQ0iQKEeFfk9ynV3JfJPSgtpEs4M86+FSaWTQsF
 d22sKj3oUK+4iK39EBehOzWV2nTnhGgpmAdMUn3uixUdkE6oa66pUGlOwBfc57xgmBVi
 sIWhZA1Ba+PB54L3gzJ8x6ohuBy9eOSLG06tUFzq69aTmNx9voq+M0DvwdkTnU5Rr31a
 AL+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1678270636;
 h=content-transfer-encoding:mime-version:message-id:date:references
 :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=WPW5YZexM6XsPm9mlaC5dkE0EyVNXo1kK2eBK/vwTZI=;
 b=lTVpN3vTybAV2VkpP9ip9OzyjJxxUSmnnO8ru7bqpHudiBMzlL6M/dLb5k++dIpg3e
 YlKcfhZGAnkBH2/lEagcm7omFFx1OlcfE0F+llXiJ9e07GWrPrAd0Gu07XI9Xveqeu+E
 HFCXSp+tAqULV8CkRdpqtcBCx8Z3SQo1qab7KZN9vhNHPO0nye0fJdqARrdtEn0Oa60G
 ycd1u3Ml+5z5S7yt+/+2UcMjg1jo6nGRP1d0vIADbf+Ej5wOa5+HUrySIjgdcvwmdjZu
 BilJgW1h9M2vAAWeW6te2esFoWcH1J/Mk8q/uaFOqyM071kQrzZqlnwl9NMIYZGk+166
 35rg==
X-Gm-Message-State: AO0yUKWy6cMQxX6KtK+LCF3Dy+R6FfEavqBK2hNK3Gc1LavoP5YPprSH
 5BO39FrMBXyb3bze/Dnu8B+9S/WC6L8=
X-Google-Smtp-Source: AK7set9Pwk6HgnB/AMY2noz0V/r37H+GNENH/KeUfEI1/1GtWQnW8DsIv2WG1dOkGZm2uaBfNj4CeQ==
X-Received: by 2002:adf:de8e:0:b0:2c5:557f:93b8 with SMTP id
 w14-20020adfde8e000000b002c5557f93b8mr9899873wrl.7.1678270636106; 
 Wed, 08 Mar 2023 02:17:16 -0800 (PST)
Received: from lili ([2a01:e0a:59b:9120:65d2:2476:f637:db1e])
 by smtp.gmail.com with ESMTPSA id
 z16-20020adfdf90000000b002c707785da4sm14777288wrl.107.2023.03.08.02.17.15
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 08 Mar 2023 02:17:15 -0800 (PST)
From: Simon Tournier <zimon.toutoune@gmail.com>
To: Leo Famulari <leo@famulari.name>, Greg Hogan <code@greghogan.com>
Subject: Re: bug#61583: [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
In-Reply-To: <ZAYhh259BdvWtwMQ@jasmine.lan>
References: <20230217180402.29401-1-code@greghogan.com>
 <ZAYhh259BdvWtwMQ@jasmine.lan>
Date: Wed, 08 Mar 2023 10:50:23 +0100
Message-ID: <86r0tz8tcw.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 61583-done
Cc: 61583-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Leo,

On Mon, 06 Mar 2023 at 12:23, Leo Famulari <leo@famulari.name> wrote:

> Some more discussion on the subject on #guix IRC:
>
> http://logs.guix.gnu.org/guix/2023-03-06.log#175418

There is mentioned git-minimal/fixed and git-minimal/pinned.

 + git-minimal/fixed  =3D grafted
 + git-minimal/pinned =3D that does not change

Basically, the aim of git-minimal/pinned is to avoid =E2=80=9Cworld rebuild=
=E2=80=9D
when updating git-minimal.  It is mainly used by some tests and it is
safe to make few upgrades.

See more details here:

    https://issues.guix.gnu.org/issue/61078

or the discussion starting here:

    https://issues.guix.gnu.org/issue/60042#msgid-c811d75e30752a591d9777368=
672dbdf801675b4

Cheers,
simon




From unknown Sat Jun 21 10:25:34 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 05 Apr 2023 11:24:10 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator