Message-ID: <2005204f-66ee-45cf-8164-334ed4dda507@nomike.com>
Date: Mon, 9 Jun 2025 06:15:21 +0200
To: bug-guix@gnu.org
From: "nomike (they/them)"
Subject: diffoscope.comparators.xml: Vulnerable version of pyexpat detected; disabling comparison of XML documents. Install defusedxml or upgrade your pyexpat.

Hi!

When running `diffoscope` it complains about the version of pyexpat being vulnerable.

I wasn't able to find any package named 'pyexpat' or 'python-expat' in guix, there is also nothing related to expat in the package inputs of 'diffoscope'. 'diffoscope' is at the latest available version.

There is the package 'expat' of course, which is at version 2.5.0 and could in theory be upgraded to version 2.7.1, but that would trigger 28379 rebuilds, so it's nothing which could be done easily. And I'm not even sure if this would fix the vulnerability after all. And maybe this has been dealt with via grafts ¯\_(ツ)_/¯?

Thanks

nomike
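
Added example, not part of the original report and not diffoscope's own check: pyexpat is the CPython standard-library binding to libexpat, so the version the warning concerns is the libexpat the running interpreter is linked against, which this script reports alongside whether defusedxml is importable. The default threshold 2.7.1 is only the upgrade target named in the report, used here as an assumption, and the function names are hypothetical.

```python
"""Report which libexpat this Python's pyexpat module is linked against."""
import importlib.util
import pyexpat  # CPython standard-library extension module, not a separate package


def parse_expat_version(text):
    """Turn 'expat_2.5.0' (pyexpat.EXPAT_VERSION style) or '2.7.1' into (2, 5, 0)."""
    digits = text.strip().rpartition("_")[2]
    parts = tuple(int(p) for p in digits.split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected expat version string: {text!r}")
    return parts


def xml_parser_status(linked, wanted, have_defusedxml):
    """Classify the interpreter's XML parsing setup.

    linked / wanted are (major, minor, patch) tuples; wanted is an assumed
    threshold supplied by the caller, not a value taken from diffoscope.
    """
    if have_defusedxml:
        return "ok: defusedxml is importable"
    if linked >= wanted:
        return "ok: linked libexpat %d.%d.%d meets the threshold" % linked
    return "outdated: linked libexpat %d.%d.%d is below %d.%d.%d" % (linked + wanted)


def inspect_interpreter(wanted="2.7.1"):
    """Gather the real values for the interpreter running this script."""
    linked = parse_expat_version(pyexpat.EXPAT_VERSION)
    have_defusedxml = importlib.util.find_spec("defusedxml") is not None
    return {
        "linked_expat": linked,
        "defusedxml": have_defusedxml,
        "status": xml_parser_status(linked, parse_expat_version(wanted), have_defusedxml),
    }


if __name__ == "__main__":
    for key, value in inspect_interpreter().items():
        print(f"{key}: {value}")
```

Run it with the same Python interpreter that diffoscope uses, since a different interpreter in the profile may be linked against a different libexpat.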