For reference, crossposting:
I pushed 00c67375b17f4a4cfad53399d1918f2e7eba2c7d to core-updates. Your
patch. Thank you for it. Let's watch for upstream zstd fix also.
I pushed 9feef62b73e284e106717a386624d6da90750a3d to master.
Ubuntu released a patch in the meantime, so while we couldn't make
Hi,
On Wed, 17 Mar 2021 at 07:24, Léo Le Bouter wrote:
> I think we can handle this without granting us any special powers, I
> like it that we don't have roles actually!
>
> We can discuss, debate, agree to common goals, I don't think we are
> going to enter into conflict, we hear each other,
On Tue, 2021-03-16 at 21:53 +0100, Tobias Geerinckx-Rice wrote:
> Hi L[ée]o,
>
> Wow, Léo. You've done some seriously impressive CVE squashing in
> such a short timespan, and I'm very grateful to have you on board.
I spent a few days on this, it's not that much! I did not do much work, I
didn't
On Tue, 2021-03-16 at 22:46 +0100, Bengt Richter wrote:
> I would feel better about running guix on my laptop if I
> knew all you developers had gotten together and elected
> a "security czar" who is the most competent of you to monitor
> security and also cares the most, and had the power to
On Tue, Mar 16, 2021 at 10:46:11PM +0100, Bengt Richter wrote:
> Just wish I could type
> guix --what-and-who-am-I-trusting-q --full-report
> and get a complete list, with batting averages of the
> developers (regressions vs fixes), packages (estimated
> number of times executed without
On Tue, Mar 16, 2021 at 10:18:08PM +0100, Vincent Legoll wrote:
> I think we really should be shortening our release cycles (core-updates,
> staging merges), because piling upon those branches for too long increases
> the disruption in a way that is probably more exponential than linear.
For most
On Tue, 2021-03-16 at 15:29 -0400, Leo Famulari wrote:
> > [...]
>
> No, sorry :) Someone else (maybe an i686 user?) will have to find the
> time to test it.
I haven't tried the patch, but note that x86-64 systems are also
i686 systems, so users of x86-64 systems can try
./pre-inst-env guix
Hi all,
On +2021-03-16 15:29:43 -0400, Leo Famulari wrote:
> On Tue, Mar 16, 2021 at 08:25:50PM +0100, zimoun wrote:
> > Hi,
> >
> > On Tue, 16 Mar 2021 at 20:18, Leo Famulari wrote:
> > > On Tue, Mar 16, 2021 at 07:19:53PM +0100, zimoun wrote:
> > > > I guess that it will not build for i686.
Hello,
On Tue, Mar 16, 2021 at 9:53 PM Tobias Geerinckx-Rice wrote:
> Wow, Léo. You've done some seriously impressive CVE squashing in
> such a short timespan, and I'm very grateful to have you on board.
Yes, impressive, I have been following the repology page about potentially
vulnerable &
Hi L[ée]o,
Wow, Léo. You've done some seriously impressive CVE squashing in
such a short timespan, and I'm very grateful to have you on board.
Leo Famulari wrote:
I do agree that updating this program 5 versions in a graft was
perhaps
too much.
We should always try to cherry-pick bug-fix
On Tue, Mar 16, 2021 at 07:19:53PM +0100, zimoun wrote:
> I guess that it will not build for i686. Does it?
I don't know. Either we will find out when building on CI, or people can
test it manually now.
We might consider building the wip-next-release earlier than you had
suggested. There is a
On Tue, Mar 16, 2021 at 08:25:50PM +0100, zimoun wrote:
> Hi,
>
> On Tue, 16 Mar 2021 at 20:18, Leo Famulari wrote:
> > On Tue, Mar 16, 2021 at 07:19:53PM +0100, zimoun wrote:
> > > I guess that it will not build for i686. Does it?
> >
> > I don't know. Either we will find out when building on
Hi,
On Tue, 16 Mar 2021 at 20:18, Leo Famulari wrote:
> On Tue, Mar 16, 2021 at 07:19:53PM +0100, zimoun wrote:
> > I guess that it will not build for i686. Does it?
>
> I don't know. Either we will find out when building on CI, or people can
> test it manually now.
Please try out the patch
On Tue, 16 Mar 2021 at 19:51, Léo Le Bouter wrote:
> On Tue, 2021-03-16 at 19:46 +0100, zimoun wrote:
> > Well, it seems better to send such changes to guix-patches, waiting
> > 15
> > days, and then if no comment, push. It is what the manual describes:
> >
> > Non-trivial patches
On Tue, 16 Mar 2021 at 19:08, Léo Le Bouter wrote:
On Tue, 2021-03-16 at 13:55 -0400, Leo Famulari wrote:
> > I do agree that updating this program 5 versions in a graft was
> > perhaps
> > too much.
> >
> > We should always try to cherry-pick bug-fix patches when grafting.
> >
> > Otherwise the
On Tue, 2021-03-16 at 19:46 +0100, zimoun wrote:
> Well, it seems better to send such changes to guix-patches, waiting
> 15
> days, and then if no comment, push. It is what the manual describes:
>
> Non-trivial patches should always be posted to
> guix-patc...@gnu.org (trivial
On Tue, 2021-03-16 at 19:19 +0100, zimoun wrote:
> I guess that it will not build for i686. Does it?
> If not, the patch attached to the previous email tweaks the offending
> test; as the original author of zstd has suggested:
>
>
On Tue, 2021-03-16 at 13:55 -0400, Leo Famulari wrote:
> I do agree that updating this program 5 versions in a graft was
> perhaps
> too much.
>
> We should always try to cherry-pick bug-fix patches when grafting.
>
> Otherwise the risk of breakage is too high. At least, these types of
> patches
Hi,
On Tue, 16 Mar 2021 at 18:56, Leo Famulari wrote:
>
> On Tue, Mar 16, 2021 at 05:34:34PM +0100, zimoun wrote:
> > The question is: should the next release 1.2.1 contain zstd@1.4.9 as
> > graft? Or do we revert the commit and simply fix it on core-updates
> > and wait for the next
Hi,
On Tue, 16 Mar 2021 at 18:06, Léo Le Bouter wrote:
> I suggest we disable the test-suite or the specific test in the interim
> for other architectures.
The patch attached in the previous email tweaks the offending test to
allow the test suite to pass on both architectures x86_64 and i686.
On Tue, Mar 16, 2021 at 06:06:28PM +0100, Léo Le Bouter wrote:
> The CVE-2021-24032 is Base Score: 9.1 CRITICAL - which is exceptionally
> high so fixing it is an absolute necessity in any branch.
This is off-topic, but I think that CVE scoring is not really that
useful. This bug is a local
On Tue, Mar 16, 2021 at 05:34:34PM +0100, zimoun wrote:
> The question is: should the next release 1.2.1 contain zstd@1.4.9 as
> graft? Or do we revert the commit and simply fix it on core-updates
> and wait for the next core-updates cycle. Personally, I am in favor
> of the latter. WDYT?
The
On Tue, 2021-03-16 at 13:48 -0400, Leo Famulari wrote:
> This is off-topic, but I think that CVE scoring is not really that
> useful. This bug is a local TOCTOU race which is bad but hardly
> critical, IMO. For something to be critical, it should enable remote
> execution of arbitrary code.
Well
I suggest we disable the test-suite or the specific test in the interim
for other architectures.
The CVE-2021-24032 is Base Score: 9.1 CRITICAL - which is exceptionally
high so fixing it is an absolute necessity in any branch.