guix-devel

Re: Expat in GuixSD, please update


From: Leo Famulari
Subject: Re: Expat in GuixSD, please update
Date: Wed, 25 Oct 2017 13:22:41 -0400
User-agent: Mutt/1.9.1 (2017-09-22)

On Wed, Oct 25, 2017 at 02:58:13PM +0200, Sebastian Pipping wrote:
> Hi GuixSD team,
> 
> 
> from looking at [1] and [2] my impression is that GuixSD is still at
> version 2.2.2 with Expat, while there is version 2.2.4 with bugfixes
> upstream.  Is there anything blocking an update on your side that needs
> fixing upstream?

Thank you very much for reaching out, Sebastian.

No, there is nothing concrete blocking the update. I've just given
Tobias a "LGTM" for his 2.2.4 update patch.

There is a slight cost to updating packages with many dependents in Guix
[0], so we prefer not to update them between "core update" cycles unless
there are security issues affecting our users.

Expat 2.2.3's release notes only mentioned CVE-2017-11742, which is a
Windows vulnerability and out of scope for Guix. And I didn't see
security issues disclosed in the 2.2.4 release notes.

But, we can treat Expat as one of those "always update" libraries if
that is suggested. It's probably the right choice for any widely-used C
library.

[0] By treating package building as a pure function, if a lower-level
package changes, all dependent packages must be rebuilt. We have a
mechanism called grafting to cheat for security updates.

Attachment: signature.asc
Description: PGP signature
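The footnote above describes grafting only in one sentence. The following Guix package definition, added here as an illustration and not taken from the thread or from the actual Guix source tree, shows the mechanism the note refers to: a `replacement` field on the old package pointing at a fixed build. The source URI pattern, the `expat/fixed` name and the all-zero hash are placeholders and assumptions, not the real Guix definition or the real checksum of Expat 2.2.4.

```scheme
;; Added example (not the Guix project's own code): a security "graft".
;; Because package builds are pure functions of their inputs, bumping
;; Expat normally forces a rebuild of everything that depends on it.
;; A graft instead rewrites references in the dependents' outputs from
;; the old Expat store path to the fixed one, so only Expat is rebuilt.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

;; The version users currently get, still 2.2.2 here.
(define-public expat
  (package
    (name "expat")
    (version "2.2.2")
    ;; The graft: 'replacement' is a delayed field, so expat/fixed may
    ;; be defined further down in the file.
    (replacement expat/fixed)
    (source
     (origin
       (method url-fetch)
       ;; Assumed URI layout; placeholder hash (52 zeros, not a real digest).
       (uri (string-append "mirror://sourceforge/expat/expat/"
                           version "/expat-" version ".tar.bz2"))
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "http://www.libexpat.org/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Expat is an XML parser library written in C.")
    (license license:expat)))

;; The fixed build.  It inherits the full recipe of the original and
;; changes only the version and the source; nothing else is rebuilt.
(define expat/fixed
  (package
    (inherit expat)
    (version "2.2.4")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://sourceforge/expat/expat/"
                           version "/expat-" version ".tar.bz2"))
       ;; Placeholder hash; the real one comes from `guix download`.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))))))
```

With this in place, building a dependent package does not rerun that package's build; Guix builds `expat/fixed`, then produces a grafted copy of the dependent in which every reference to the old Expat store path is replaced by the new one. A graft therefore only works when the replacement is ABI-compatible with the original, which is why the mechanism is reserved for targeted fixes and the proper version bump still happens on the next "core update" cycle.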

