Sebastian Pipping wrote on Sat 08-05-2021 at 18:00 [+0200]:
> Hello everyone,
>
>
> just a quick heads up that there will be a new release of libexpat with
> security fix in a few weeks. Unless I looked in the wrong place, I
> noticed that your distro has not updated to libexpat 2.3.0 as of today.

Correct

> If you ran into any issues with packaging 2.3.0, please let me know now
> so that I can fix things upstream for you and everyone while there is
> still a window before next releases to do so. Thank you!

According to "guix refresh -l", simply updating expat would entail
rebuilding 6031 packages. This can be avoided if v2.4.0 is binary
compatible with v2.2.9. Is this the case? If this is not the case,
we will have to cherry-pick the security fixes.

I have attached a patch adding a graft for expat, updating from v2.2.9
to v2.3.0, but it needs some testing.

Greetings,
Maxime.

From f87aa1ef0ecfcda27c798ecfd140ce3b33218ddc Mon Sep 17 00:00:00 2001 From: Maxime Devos <[email protected]> Date: Sun, 9 May 2021 11:05:14 +0200 Subject: [PATCH] gnu: expat: Add graft for 2.3.0 [security fixes] There will be security fixes in the upcoming 2.4.0 release. For now, upgrade to 2.3.0. As this would cause 6031 rebuilds, use the grafting mechanism. * gnu/packages/xml.scm (expat-uris): New procedure. (expat)[source]<uri>: Use new procedure. (expat)[replacement]: Add graft for 2.3.0. (expat/fixed): New package. --- gnu/packages/xml.scm | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 04cb09779b..4412660ae0 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -31,6 +31,7 @@ ;;; Copyright © 2021 Julien Lepiller <[email protected]> ;;; Copyright © 2021 Felix Gruber <[email protected]> ;;; Copyright © 2021 Guillaume Le Vaillant <[email protected]> +;;; Copyright © 2021 Maxime Devos <[email protected]> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -116,22 +117,27 @@ the entire document.") (home-page "https://github.com/hughsie/libxmlb") (license license:lgpl2.1+))) +(define (expat-uris version) + (define (dot->underscore c) + (if (char=? #\. c) #\_ c)) + (list (string-append "mirror://sourceforge/expat/expat/" + version "/expat-" version ".tar.xz") + (string-append + "https://github.com/libexpat/libexpat/releases/download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz"))) + (define-public expat (package (name "expat") (version "2.2.9") - (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) - (origin - (method url-fetch) - (uri (list (string-append "mirror://sourceforge/expat/expat/" - version "/expat-" version ".tar.xz") - (string-append - "https://github.com/libexpat/libexpat/releases/download/R_" - (string-map dot->underscore version) - "/expat-" version ".tar.xz"))) - (sha256 - (base32 - "1960mmgbb4cm64n1p0nz3hrs1pw03hkrfcw8prmnn4622mdrd9hy"))))) + (source (origin + (method url-fetch) + (uri (expat-uris version)) + (sha256 + (base32 + "1960mmgbb4cm64n1p0nz3hrs1pw03hkrfcw8prmnn4622mdrd9hy")))) + (replacement expat/fixed) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-static"))) @@ -143,6 +149,19 @@ stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) +;; There will be a new release with security fixes soon. +(define-public expat/fixed + (package + (inherit expat) + (version "2.3.0") + (source + (origin + (inherit (package-source expat)) + (uri (expat-uris version)) + (sha256 + (base32 + "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))) + (define-public libebml (package (name "libebml") -- 2.31.1
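Review bot: in the hunk at @@ -116,22 +117,27 @@, the new `(replacement expat/fixed)` field on `expat` makes dependents built against 2.2.9 run with 2.3.0 without being rebuilt, and nothing in the commit message or the code records that the two versions were checked for binary compatibility. Please state in the commit log how compatibility was verified, or that it is still untested, before this lands. Minor: `expat-uris` is now a top-level procedure and would benefit from a one-line docstring saying it returns the SourceForge mirror and GitHub release URIs for VERSION.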
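Review bot: in the hunk at @@ -143,6 +149,19 @@, `expat/fixed` is introduced with `define-public`, which exports a second package named "expat" (version 2.3.0) from the module next to the 2.2.9 one; if it is only meant to be reached through the `replacement` field, a plain `define` would keep it private. The comment above it also describes a future release rather than this definition; consider saying that this is the 2.3.0 graft target and which release is expected to supersede it.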
