GNU bug report logs - #61583
[PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].

Package: guix-patches;

Reported by: Greg Hogan <code <at> greghogan.com>

Date: Fri, 17 Feb 2023 18:05:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Message #44 received at 61583 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: 61583 <at> debbugs.gnu.org, Christopher Baines <mail <at> cbaines.net>,
 Greg Hogan <code <at> greghogan.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Date: Sun, 5 Mar 2023 13:45:58 -0500
On Sat, Mar 04, 2023 at 07:52:04PM +0100, Simon Tournier wrote:
> I get 546 dependent packages for git + git-minimal which need to be
> re-built.  And some are really expensive -- that's what I meant by "a
> lot of rebuilds". :-)
> 
> Well, I do not know if there is an issue with QA or it is just really
> expensive but the process is still pending, if I read correctly
> <https://qa.guix.gnu.org/issue/61583>.

At the Guix Days, it was said that there is a limit to how many builds
the QA server will perform for a change. I don't recall the number, but
maybe 300 builds per change? So, if a change causes too many rebuilds,
the QA server will not perform the builds.

Aside: Chris, I'd be happy to add a FAQ page to the QA server that
answers this type of question. Let me know if I've missed that one
already exists.

For the Berlin server, I don't think that 546 builds is too many, at
least for Intel systems.

> > Concretely, why can't we push this to master immediately?
> 
> Somehow the guarantee that none of these 546 would be broken by
> the update. ;-)

It's certainly possible that something breaks. But we can do a simple
test by trying to update our profiles and Guix System installations, and
checking that our tools still work. I think it's okay to cause a little
breakage in order to deploy important security updates.
