GNU bug report logs - #61583
[PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].


Package: guix-patches;

Reported by: Greg Hogan <code <at> greghogan.com>

Date: Fri, 17 Feb 2023 18:05:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Message #20 received at 61583 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>,
 61583 <at> debbugs.gnu.org, Mathieu Othacehe <othacehe <at> gnu.org>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Christopher Baines <mail <at> cbaines.net>, Greg Hogan <code <at> greghogan.com>,
 Ricardo Wurmus <rekado <at> elephly.net>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Date: Fri, 03 Mar 2023 22:39:23 -0500

Hi Simon,

Simon Tournier <zimon.toutoune <at> gmail.com> writes:

> Hi,
>
> CC: core team
>
> On Mon, 20 Feb 2023 at 12:44, Simon Tournier <zimon.toutoune <at> gmail.com> wrote:
>
>> On Fri, 17 Feb 2023 at 18:04, Greg Hogan <code <at> greghogan.com> wrote:
>
>>> * gnu/packages/version-control.scm (git): Update to 2.39.2.
>>
>> As noticed previously for an update of Git, this implies a lot of
>> rebuilds because git-minimal inherits from git.
>
> Well, I locally rebuilt all and maybe a couple of packages break.  The
> rebuild is intensive and I do not know if such an update should go to master
> or core-updates and/or use some grafts.
>
> For instance, QA is still saying nothing after 12 days.
>
>     https://qa.guix.gnu.org/issue/61583
>
>
>> Well, I am checking if git-minimal is used only for the tests by some of
>> the packages.
>
> I have tried to replace the plain ’git’ or ’git-minimal’ by
> ’git-minimal/pinned’ for some packages.  It does not change much.
>
>
>> For sure, it is a concern since it is a security fix.
>
> Hum, we are not very reactive. :-)

I think the number of rebuilt packages is in the thousands, so that's a
core-updates change.  On master it should be grafted instead, if that's
possible.

-- 
Thanks,
Maxim



