Leo Famulari <[email protected]> writes:

> On Fri, Feb 19, 2016 at 08:33:07AM -0500, Mark H Weaver wrote:
>> Hello Guix!
>>
>> I've pushed a fix for CVE-2015-7547 to the master branch, although Hydra
>> has not fully rebuilt it. I directed Hydra to build the most popular
>> packages first, and with greater effort devoted to x86_64, so my hope is
>> that most of what typical desktop users need is already built on x86_64.
>> Still, it is likely that you'll need to compile some things locally.
>
> At least two users on #guix (including me) have found that `guix pull`
> is not fetching the latest snapshot. That is, the downloaded snapshot
> is of some commit before the CVE-2015-7547 patch was applied.
>
> Can you take a look?
Indeed, you are right. The problem is that, by default, "guix pull"
downloads the latest source from:

  http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz

and unfortunately, something is currently broken on Savannah, and that
snapshot is stuck on the commit before the glibc security update :-(

Until that's fixed, here's a workaround:

--8<---------------cut here---------------start------------->8---
$ git clone --depth 1 git://git.sv.gnu.org/guix.git master
Cloning into 'master'...
[...]
$ rm -rf master/.git
$ tar czf master.tar.gz master --sort=name --mtime=@0 --{owner,group}=root:0
$ guix pull --url=master.tar.gz
--8<---------------cut here---------------end--------------->8---

      Mark
