guix-devel

Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].


From: Ludovic Courtès
Subject: Re: [PATCH] gnu: ed: Replace with 1.14.1 [fixes security issues].
Date: Sat, 14 Jan 2017 18:50:25 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Mark H Weaver <address@hidden> wrote:

> address@hidden (Ludovic Courtès) writes:
>
>> Leo Famulari <address@hidden> wrote:
>>
>>> On Thu, Jan 12, 2017 at 10:56:51PM +0100, Marius Bakke wrote:
>>>> Leo Famulari <address@hidden> writes:
>>>> 
>>>> > On Thu, Jan 12, 2017 at 09:13:53PM +0100, Marius Bakke wrote:
>>>> >> * gnu/packages/ed.scm (ed-1.14.1): New variable.
>>>> >> (ed)[replacement]: New field.
>>>> >
>>>> > Can you add a comment with a link to the bug report?
>>>> >
>>>> > https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
>>>> 
>>>> Good find. I wonder, was this issue only present in the unreleased
>>>> 1.14.0? I can't reproduce it with the current Guix version.
>>>
>>> Good catch; I can only reproduce it with 1.14, and the ed maintainer
>>> points out that it was introduced in 1.14.
>>>
>>>> I'll wait and see what the response on oss-sec is. Maybe we can just
>>>> push the update to core-updates.
>>>
>>> I think it's fine for core-updates.
>>
>> With 200 dependent packages, it could even go to ‘master’.
>
> "guix refresh -l" is _way_ off in this case.  'ed' is a native-input for
> 'patch', which of course entails a full rebuild.

Oh indeed, sorry for the confusion!

From the viewpoint of ‘guix refresh -l’, (@ (gnu packages ed) ed) is not
the same package/derivation as the one that ‘patch’ in (@ (gnu packages
commencement) %final-inputs) refers to.

So ‘guix refresh -l’ is not “wrong”, but clearly it fails to capture
something important here.

Ludo’.


