GNU bug report logs - #61583
[PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].


Package: guix-patches;

Reported by: Greg Hogan <code <at> greghogan.com>

Date: Fri, 17 Feb 2023 18:05:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Message #29 received at 61583 <at> debbugs.gnu.org (full text, mbox):

From: "Leo Famulari" <leo <at> famulari.name>
To: "Josselin Poiret" <dev <at> jpoiret.xyz>, zimoun <zimon.toutoune <at> gmail.com>
Cc: 61583 <at> debbugs.gnu.org, Greg Hogan <code <at> greghogan.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
Date: Sat, 04 Mar 2023 09:41:08 -0500
On Sat, Mar 4, 2023, at 05:30, Josselin Poiret wrote:
> Hi Leo,
>
> Leo Famulari <leo <at> famulari.name> writes:
>
>> That's not a significant number of packages.
>>
>> Overall, git and git-minimal will cause more than 300 rebuilds, but not
>> too many for the current state of the build farm.
>>
>> Concretely, why can't we push this to master immediately?
>
> `guix refresh` is not great for core packages: it only detects things
> that depend on other packages through inputs. Here though, git is used
> indirectly by git-fetch origins, and would affect the dependency graph a
> lot more.  I think this should be grafted to avoid too many rebuilds,
> and ungrafted on core-updates (maybe now, maybe after the big
> core-updates merge).

Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Git is a security critical package that we've always updated freely.

I'm AFK, only have my phone today. But, please try updating Git and check if the fixed-output source derivations change.

Leo
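The check Leo asks for in the message above, written out as an added shell script (it is not part of the bug thread and not Guix's own code). It records the output store path of each package's source derivation before and after the Git update and reports any that moved. It assumes a working `guix` whose `guix build --source --derivations` prints the path of the source .drv, and that .drv files use the daemon's single-line ATerm layout, in which a fixed-output derivation lists its declared hash algorithm and hash next to the output path. The two .drv strings embedded below are constructed samples, not real store entries.

```shell
#!/bin/sh
# Added example (not from the bug thread): snapshot the output store path of
# each package's *source* derivation before and after a Git package update,
# then report any that changed.
# Assumptions: `guix build --source --derivations` (-S -d) prints one .drv path
# per package, and .drv files have the daemon's text layout:
#   Derive([("out","/gnu/store/<hash>-<name>","sha256","<hex>")], ...)
# where a non-empty algorithm field marks a fixed-output derivation.

# Print the store path of the "out" output recorded in a .drv read from stdin.
# The bracket expression [^]]* keeps the match inside the Outputs list, so the
# later environment-variable entry ("out","...") is never the one picked.
drv_output_path() {
  sed -n 's/^Derive(\[[^]]*("out","\([^"]*\)".*/\1/p'
}

# Print "<algo>:<hex>" for the "out" output of a .drv read from stdin; both
# fields are empty (":") for an ordinary, non-fixed-output derivation.
drv_fixed_hash() {
  sed -n 's/^Derive(\[[^]]*("out","[^"]*","\([^"]*\)","\([^"]*\)".*/\1:\2/p'
}

# Exit 0 iff the .drv on stdin is fixed-output (declares a hash algorithm).
drv_is_fixed_output() {
  case "$(drv_fixed_hash)" in
    ""|:) return 1 ;;
    *) return 0 ;;
  esac
}

# Record "<package> <source output path>", one line per package.
# Run once before and once after the Git update:
#   sh check-sources.sh git-minimal guile-git > before.txt
source_paths() {
  for pkg in "$@"; do
    drv=$(guix build --source --derivations "$pkg") || return 1
    printf '%s %s\n' "$pkg" "$(drv_output_path < "$drv")"
  done
}

# Compare two snapshots (before, after); list every package whose source
# output path moved and exit 1 if any did (a moved path means a re-fetch and
# a rebuild of everything depending on it).
compare_snapshots() {
  awk 'FILENAME == ARGV[1] { before[$1] = $2; next }
       ($1 in before) && before[$1] != $2 {
         print "CHANGED: " $1 ": " before[$1] " -> " $2; n++
       }
       END { exit n ? 1 : 0 }' "$1" "$2"
}

# Constructed sample .drv texts (placeholder hashes, not real store entries):
# a fixed-output git-fetch checkout, and a plain two-output package whose
# "debug" output is listed before "out".
SAMPLE_FIXED_DRV='Derive([("out","/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-git-checkout","sha256","9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")],[("/gnu/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-git-minimal-2.39.1.drv",["out"])],["/gnu/store/cccccccccccccccccccccccccccccccc-git-download-builder"],"x86_64-linux","/gnu/store/dddddddddddddddddddddddddddddddd-guile-3.0.9/bin/guile",["--no-auto-compile","/gnu/store/cccccccccccccccccccccccccccccccc-git-download-builder"],[("out","/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-git-checkout")])'
SAMPLE_PLAIN_DRV='Derive([("debug","/gnu/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-foo-1.0-debug","",""),("out","/gnu/store/ffffffffffffffffffffffffffffffff-foo-1.0","","")],[],[],"x86_64-linux","/bin/sh",[],[("out","/gnu/store/ffffffffffffffffffffffffffffffff-foo-1.0")])'

# Exercise the parsers on the constructed samples; exit 0 when all pass.
self_check() {
  [ "$(printf '%s\n' "$SAMPLE_FIXED_DRV" | drv_output_path)" = \
    "/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-git-checkout" ] &&
  printf '%s\n' "$SAMPLE_FIXED_DRV" | drv_is_fixed_output &&
  ! printf '%s\n' "$SAMPLE_PLAIN_DRV" | drv_is_fixed_output
}

# Entry point: with package names as arguments, print the snapshot.
if [ "$#" -gt 0 ]; then
  source_paths "$@"
fi
```

Comparing output paths rather than .drv file names is the point of the check: the .drv of a git-fetch origin does change when its git input changes, but a fixed-output derivation's output path is computed from its declared hash, and derivation hashing substitutes that declared hash for fixed-output inputs, so the packages that consume the source keep their store paths and nothing rebuilds. A line from `compare_snapshots` therefore means a source derivation is no longer behaving as fixed-output, which is the serious bug the message above describes.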




This bug report was last modified 2 years and 77 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.