Hi Leo,

Leo Famulari <l...@famulari.name> writes:

> On Thu, Apr 22, 2021 at 12:05:36AM -0400, Raghav Gururajan wrote:
>> Okay, I was able to retrace. When Leo and I were working outside savannah,
>> there was master --> core-updates merge. Leo made these changes when he
>> committed to his repo
>> (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I pulled
>> then format-patched and sent it to guix-patches
>> (https://issues.guix.gnu.org/42958#64). From guix-patches it was then pushed
>> to core-updates (https://issues.guix.gnu.org/42958#67), from where I
>> cherry-picked into wip-gnome.
>
> Mark,
>
> Do you know if the security fixes under discussion are necessary on
> core-updates?

The 'cairo' fixes are certainly still needed, because there has been no
upstream stable release of 'cairo' since the version (1.16.0) on our
'master' branch.

宋文武 proposed a patch to re-apply the fixes on 'core-updates', here:

  https://lists.gnu.org/archive/html/guix-devel/2021-04/msg00361.html

A similar patch will be needed for 'wip-gnome' as well.

I'm not sure about the other packages off-hand, but both 'glib' and
'gdk-pixbuf' were ultimately updated to newer versions, so I guess it's
likely that they're okay (although I haven't verified this).

      Thanks,
        Mark

--
Support Richard Stallman against the vicious misinformation campaign
against him and the FSF.  See <https://stallmansupport.org> for more.