On Wed, Oct 25, 2017 at 02:58:13PM +0200, Sebastian Pipping wrote:
> Hi GuixSD team,
> 
> 
> from looking at [1] and [2] my impression is that GuixSD is still at
> version 2.2.2 with Expat, while there is version 2.2.4 with bugfixes
> upstream.  Is there anything blocking an update on your side that needs
> fixing upstream?

Thank you very much for reaching out, Sebastian.

No, there is nothing concrete blocking the update. I've just given
Tobias a "LGTM" for his 2.2.4 update patch.

There is a slight cost to updating packages with many dependents in Guix
[0], so we prefer not to update them between "core update" cycles unless
there are security issues affecting our users.

Expat 2.2.3's release notes only mentioned CVE-2017-11742, which is a
Windows vulnerability and out of scope for Guix. And I didn't see
security issues disclosed in the 2.2.4 release notes.

But, we can treat Expat as one of those "always update" libraries if
that is suggested. It's probably the right choice for any widely-used C
library.

[0] By treating package building as a pure function, if a lower-level
package changes, all dependent packages must be rebuilt. We have a
mechanism called grafting to cheat for security updates.
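To make the grafting footnote concrete, here is an added illustration (not code from this thread or from the Guix tree) of how a package declares a graft: the original package names a `replacement`, and packages that depend on it are not rebuilt; instead the references to the old store path in their outputs are rewritten to the fixed build. The release URLs and the all-zero hashes are placeholders, and the replacement is assumed to be binary-compatible with the original, which is the precondition for skipping the rebuild.

```scheme
;; Added example of a Guix graft for a security update (hypothetical
;; module name, placeholder URLs and hashes).  Not part of the original
;; mailing-list message or of Guix itself.

(define-module (example expat-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public expat
  (package
    (name "expat")
    (version "2.2.2")
    ;; The graft: every dependent built against this package keeps its
    ;; existing store item, and Guix rewrites the references to expat's
    ;; store path so they point at expat/fixed instead.  The field is
    ;; delayed, so expat/fixed may be defined further down.
    (replacement expat/fixed)
    (source (origin
              (method url-fetch)
              ;; Placeholder download location.
              (uri (string-append "https://example.invalid/expat-"
                                  version ".tar.bz2"))
              ;; Placeholder: 52 zeros is syntactically valid base32;
              ;; a real definition uses the output of `guix download'.
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "https://libexpat.github.io/")
    (synopsis "Stream-oriented XML parser library written in C")
    (description "Expat is an XML parser library written in C.")
    (license license:expat)))

(define expat/fixed
  (package
    (inherit expat)
    ;; Same name, same build system, same outputs: only the source (and
    ;; therefore the hash part of the store path) changes.  Because
    ;; dependents are not rebuilt, the replacement must be ABI-compatible
    ;; with 2.2.2, which is what makes a point release a safe graft.
    (version "2.2.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.invalid/expat-"
                                  version ".tar.bz2"))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))))
```

When this module is on the load path, `guix build expat` builds the 2.2.4 variant and any profile containing packages that link against expat picks it up through the graft without recompiling those packages; the full rebuild is deferred to the next core-updates cycle, where the `replacement` field is dropped and `version` is simply bumped.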
