Hi,
Jack Hill <[email protected]> skribis:
> I'm an avid reader of `guix pull --news`. I like learning about new
> and updated software. However, I noticed that when a package gains a
> new replacement (e.g. for a security fix via grafting), it is not
> mentioned. We do not show all changes to package definitions in the
> new, but since a new replacement is often for a security fix, I think
> it is significant enough to warrant showing in the news. I'm imagining
> something like:
>
> """
> n packages with new replacements: gnutls, …
> """
>
> or perhaps:
>
> """
> n packages with new grafts: libxml, …
> """
>
> I haven't yet though about the implementation of this. I would want to
> avoid doing too much extra work for `guix pull --news`.
>
> What do you think?
I think it’s a great idea!
It would be even better if the message were higher-level:
The following security issues were fixed:
CVE-XYZ (gnutls), CVE-123 (icecat), etc.
The (guix cve) module would come in handy but it would be hard to
implement efficiently, I think.
Ludo’.
