l...@gnu.org (Ludovic Courtès) writes:

> I pushed ‘wip-grafts’, a branch that implements “grafts.”
>
> Normally security updates deep in the DAG, such as an update of Bash or
> libc, cause a rebuild of everything, which can take some time, as we’ve seen
> lately.
>
> The idea of grafts is to graft the fixed package on any packages users
> may want to install. So, suppose there’s a libc fix; when installing
> IceCat, you’ll just be starting from the (pre-built) IceCat, and an
> additional derivation will patch the files in it to replace references
> to the old libc with references to the fixed libc (in practice this only
> works if the file names of the old and fixed libc have the same length.)
Thanks for working on this! I think it will be quite important.

> ‘wip-grafts’ adds a ‘graft’ field to package records. In the example
> above, we’d just add a ‘graft’ field to glibc, pointing to the fixed
> glibc, and the graft would just be automagically applied. The branch
> has an example of that with Bash:
>
> --- a/gnu/packages/bash.scm
> +++ b/gnu/packages/bash.scm
> @@ -185,7 +185,13 @@ allows command-line editing, unlimited command history,
> shell functions and
> aliases, and job control while still allowing most sh scripts to be run
> without modification.")
> (license gpl3+)
> - (home-page "http://www.gnu.org/software/bash/"))))
> + (home-page "http://www.gnu.org/software/bash/")
> + (graft bash-fixed))))
> +
> +(define bash-fixed ;FIXME: Use something real.
> + (package (inherit bash)
> + (version "4.3.42")
> + (graft #f)))

If you want a real example, upstream bash is at 4.3.30, whereas we only
have 4.3.27.

Thanks!
Mark
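Review bot: in the bash.scm hunk, the `(graft bash-fixed)` field of `bash` refers to `bash-fixed`, which is only defined after the `bash` form; unless the `graft` field is delayed the way other package fields are, evaluating `bash` at module load will hit an unbound variable, so the field should be thunked or the definition order reversed. Separately, `bash-fixed` only changes `version` to "4.3.42" while inheriting `source` unchanged, so it builds the same tarball under a new label rather than a fixed Bash; the FIXME acknowledges this, but a real example needs to override `source` as well. Keeping `(graft #f)` on the replacement is right, since it stops the grafted package from being grafted in turn.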
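To make the reference-rewriting step concrete, here is an added example (in Python, not code from the wip-grafts branch) of what the grafting derivation described above has to do: rewrite every store-path reference to the old package inside a file's bytes, and refuse any mapping whose old and new file names differ in length, since an in-place rewrite cannot shift offsets inside a binary. The store paths, hashes and the sample file contents are constructed placeholders.

```python
"""Illustration of the byte-level reference rewrite a graft performs.

Added example, not code from the wip-grafts branch. Store paths below are
constructed placeholders with 32-character fake hashes.
"""
import re

STORE = "/gnu/store"

# Constructed placeholders standing in for real nix-base32 store hashes.
OLD_LIBC = f"{STORE}/0000000000000000000000000000aaaa-glibc-2.21"
NEW_LIBC = f"{STORE}/0000000000000000000000000000bbbb-glibc-2.21"
BASH_REF = f"{STORE}/{'c' * 32}-bash-4.3.27"

# Matches /gnu/store/<32 nix-base32 chars>-<name>; the name stops at '/'.
STORE_REF = re.compile(rb"/gnu/store/[0-9a-df-np-sv-z]{32}-[A-Za-z0-9._+-]+")


def is_graftable(old: str, new: str) -> bool:
    """True only if the two paths occupy exactly the same number of bytes."""
    return len(old.encode()) == len(new.encode())


def check_graft_mapping(mapping: dict[str, str]) -> None:
    """Reject any old->new pair that is not length-preserving.

    A length change would move every byte after the reference, corrupting
    ELF section offsets, so such a graft must not be attempted.
    """
    for old, new in mapping.items():
        if not is_graftable(old, new):
            raise ValueError(
                f"cannot graft {old!r} -> {new!r}: "
                f"lengths differ ({len(old)} vs {len(new)})")


def graft_bytes(data: bytes, mapping: dict[str, str]) -> tuple[bytes, int]:
    """Return (rewritten data, number of references replaced).

    Operates on raw bytes so scripts and binaries are handled the same
    way; the output is always the same size as the input.
    """
    check_graft_mapping(mapping)
    total = 0
    for old, new in mapping.items():
        old_b, new_b = old.encode(), new.encode()
        count = data.count(old_b)
        if count:
            data = data.replace(old_b, new_b)
            total += count
    return data, total


def find_store_references(data: bytes) -> set[str]:
    """Distinct store references in data; used to audit a grafted file."""
    return {m.group(0).decode() for m in STORE_REF.finditer(data)}


# Constructed stand-in for a file that embeds store references, the way an
# ELF interpreter string, RUNPATH or shell script would.
SAMPLE = (
    b"\x7fELF\x00\x00 interp "
    + OLD_LIBC.encode() + b"/lib/ld-linux-x86-64.so.2\x00"
    + b"runpath=" + OLD_LIBC.encode() + b"/lib\x00"
    + b"shell=" + BASH_REF.encode() + b"/bin/bash\x00"
)


def demo() -> tuple[int, int, set[str]]:
    """Graft SAMPLE: (replacements made, size delta, references left)."""
    grafted, n = graft_bytes(SAMPLE, {OLD_LIBC: NEW_LIBC})
    return n, len(grafted) - len(SAMPLE), find_store_references(grafted)


if __name__ == "__main__":
    print(demo())
```

The audit helper is the check a practitioner would run after a graft: if the old path still shows up in the output, some reference was stored in a form the plain byte substitution did not catch.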