GNU bug report logs -
#71024
Update diffoscope to 268
Message #29 received at 71024 <at> debbugs.gnu.org (full text, mbox):
On 2024-05-20, Maxim Cournoyer wrote:
> vagrant <at> reproducible-builds.org writes:
>
>> From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
>>
>> * gnu/packages/compression.scm (xz-5.4): New variable.
>> ---
>> gnu/packages/compression.scm | 15 +++++++++++++++
>> 1 file changed, 15 insertions(+)
>>
>> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
>> index dd88fce9ca..d89d72c9b7 100644
>> --- a/gnu/packages/compression.scm
>> +++ b/gnu/packages/compression.scm
>> @@ -573,6 +573,21 @@ (define-public xz
>> (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both
>> (home-page "https://tukaani.org/xz/")))
>>
>> +(define-public xz-5.4
>> + (package
>> + (inherit xz)
>> + (name "xz-5.4")
>> + (version "5.4.5")
>> + (source (origin
>> + (method url-fetch)
>> + (uri (list (string-append "http://tukaani.org/xz/xz-" version
>> + ".tar.gz")
>> + (string-append "http://multiprecision.org/guix/xz-"
>> + version ".tar.gz")))
>> + (sha256
>> + (base32
>> + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k"))))))
>> +
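Review bot: both `uri` entries in the new `xz-5.4` origin fetch over plain `http://`, while the `home-page` context line just above the addition already uses `https://tukaani.org/xz/`. The `sha256` makes a tampered download fail, but it only fixes which bytes are accepted and says nothing about how that tarball was checked before the hash was recorded, so I would switch the URIs to https where the hosts serve it and add a comment above `(define-public xz-5.4` saying why this pinned version exists and which package needs it. Separately, `(name "xz-5.4")` combined with `(inherit xz)` puts the version into the package name; keeping `(name "xz")` and carrying the version only in the variable name and the `version` field would keep it selectable as xz at 5.4.5.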
>
> Any reason not to use the latest, which is v5.6.1 (fetched from git, to
> avoid the xz backdoor issue)?
For one, 5.6.1 was also released by "Jia Tan" according to:

https://tukaani.org/xz-backdoor/

To fix bugs in the backdoor partly introduced in 5.6.0... e.g. not to
remove the backdoor, but to make it a working backdoor.

In other words, DO NOT USE 5.6.1. :)

There are some concerns about questionable code by "Jia Tan" in earlier
versions too:

https://bugs.debian.org/1068024

... although even the 5.4.x version I proposed was, admittedly, being a
bit lazy and just picking a version already present in core-updates as
the easiest path forward that was reasonably close to the version
present in Debian which diffoscope was tested against...

Reverting to 5.3.1 might be a more conservative approach, although I
have not tested it with diffoscope.

Or fixing diffoscope to work with the older xz version in master
(5.2.x?) that guix is already using, which, now that I have spelled out
all of the above, seems possibly a much better idea!

live well,
vagrant
This bug report was last modified 1 year and 50 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.