Hi L[ée]o,

Wow, Léo. You've done some seriously impressive CVE squashing in such a short timespan, and I'm very grateful to have you on board.

Leo Famulari wrote:
I do agree that updating this program 5 versions in a graft was perhaps
too much.

We should always try to cherry-pick bug-fix patches when grafting.
Otherwise the risk of breakage is too high.

I agree. Whilst grafts are indispensable for timely deployment of security patches, they're also a dirty hack composed entirely of rough edges.

They exist for one purpose: patch out known vulnerabilities. Every extra change not strictly required for security is a liability.

We sometimes get away with grafting entire releases (OpenSSL comes to mind), but this is not an ideal to emulate.

At least, these types of patches should be reviewed on guix-patches.
Léo, can you send them to guix-patches in the future?

I have the same request :-) Please submit non-trivial patches for review (and, unfortunately, grafts are hardly ever trivial). This isn't a comment on your work; it's our standard way of doing things.

I know we're not the #1 bestest project when it comes to the swift review of patches. I understand the sense of urgency in fixing things that one feels should have been fixed long ago. Thank you for helping us to improve on both points.

Kind regards,

T G-R

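For readers unfamiliar with how the cherry-pick approach discussed above looks in practice, here is a graft written the way the thread recommends: the replacement inherits everything from the original package and adds only the one backported fix. This is an added illustration in Guix's Guile Scheme, not code from this thread or from the Guix tree; the package "foo", its URL and hash, and the patch name "foo-cherry-picked-fix.patch" are hypothetical placeholders.

```scheme
;; Added illustration, not code from this thread or from Guix itself.
;; "foo", "foo/fixed", the URL, the hash and the patch file name are
;; hypothetical placeholders.
(define-module (gnu packages foo)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))          ; provides search-patches

(define-public foo
  (package
    (name "foo")
    (version "1.2.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.org/foo-" version ".tar.gz"))
              ;; Placeholder hash; a real package carries the tarball's sha256.
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; The graft: users who install foo, or anything depending on it,
    ;; get foo/fixed substituted in without rebuilding the dependents.
    ;; The field is thunked, so the forward reference is fine.
    (replacement foo/fixed)
    (home-page "https://example.org/foo")
    (synopsis "Hypothetical library used to illustrate a graft")
    (description "Placeholder package definition; it exists only to show
how a cherry-picked security fix is delivered as a graft.")
    (license license:gpl3+)))

(define foo/fixed
  (package
    (inherit foo)
    ;; Same name and version as the original, deliberately.  Grafting
    ;; rewrites store file names in place inside the dependents' binaries,
    ;; so the replacement's store file name must be the same length as
    ;; the original's.  Bumping to a new upstream release would also drag
    ;; in every unrelated change, which is the breakage risk the thread
    ;; warns about.
    (source (origin
              (inherit (package-source foo))
              ;; Only the backported upstream fix, nothing else.
              (patches (search-patches "foo-cherry-picked-fix.patch"))))))
```

The patch file itself lives under gnu/packages/patches/ and has to be listed in gnu/local.mk for search-patches to find it. With the replacement in place, `guix build foo` produces the grafted output, and every package that depends on foo picks up the fix without being rebuilt, which is exactly the timeliness the thread says grafts are for.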