
Handling ‘file’ CVE


From: Ludovic Courtès
Subject: Handling ‘file’ CVE
Date: Thu, 13 Nov 2014 11:41:17 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Commit 3940c5c makes a replacement for ‘file’, so that the new version
of file (5.20), which fixes a security vulnerability, is now grafted
onto packages that are installed.

I wonder if using a replacement makes sense here, because few packages
actually retain a dependency on ‘file’, and since grafting is
conservative, we graft anything that might retain a dependency on
‘file’, which means everything.

What about this other option: make another public package, ‘file-5.20’,
next to ‘file’, such that when a user explicitly installs ‘file’, they
get the new one?

That won’t address people referring to ‘file’ (the variable) in their OS
configuration, though.

Thanks,
Ludo’.
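The two options discussed above, written out as Guix package definitions. This is an added illustration, not the code of commit 3940c5c or any other Guix code; it assumes the existing ‘file’ variable (version 5.19) exported by (gnu packages file), the upstream tarball layout for the 5.20 release, and uses a placeholder hash. The ‘replacement’ field of the package record is what drives grafting: the grafting machinery rewrites references to the old package's store path in dependents so that they point at the replacement's output, without rebuilding those dependents.

```scheme
;; Added example, not code from the message or from Guix itself.
;; Assumes (gnu packages file) exports `file' at version 5.19.
(use-modules (guix packages)
             (guix download)
             (gnu packages file))

;; The fixed release.  The tarball URL follows the usual upstream
;; layout (assumption); the sha256 is a PLACEHOLDER, not the real hash.
(define-public file-5.20
  (package
    (inherit file)
    (version "5.20")
    (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))))

;; Option 1: what the commit does.  Keep the 5.19 package but give it a
;; `replacement'.  Guix then grafts: every package that (transitively)
;; refers to the 5.19 store path gets a copy in which that path is
;; rewritten to point at 5.20.  Because grafting is conservative, this
;; touches anything that *might* retain a reference, i.e. nearly
;; everything, which is the cost the message questions.
(define-public file-grafted
  (package
    (inherit file)             ;still 5.19
    (replacement file-5.20)))  ;same "file" name, swapped in at install time

;; Option 2: what the message proposes instead.  `file-5.20' above is
;; simply exported as a second public package.  A user running
;; `guix package -i file' then gets the new version, while code that
;; names the `file' variable directly (e.g. an OS configuration)
;; keeps resolving to 5.19, which is the gap the message points out.
```

A replacement must keep the same package name and produce outputs with the same layout as the original, because grafting only rewrites store paths; it does not rebuild dependents, so any change in the replacement's ABI or file set would go unnoticed by them.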


