bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#21784: Alternate xz-5.0.4.tar.gz URL

From: Ludovic Courtès
Subject: bug#21784: Alternate xz-5.0.4.tar.gz URL
Date: Fri, 30 Oct 2015 18:06:26 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) 
Efraim Flashner <address@hidden> skribis:

> It turns out that hydra, the automated build server for guix, has a copy of
> xz that you can download if you authorize hydra to provide substitutions.
> With a copy of hydra.gnu.org.pub, the command is `sudo guix archive
> --authorize hydra.gnu.org.pub`. After that, instead of building everything
> locally, your computer will first check to see if hydra has already built a
> package and you can just download it.

Since we must have an additional URL to fetch it.

I looked for mirrors on the Web for this tarball and couldn’t find one
(fossies.org doesn’t have it, for instance.)

Then I wanted to upload it to ftp://alpha.gnu.org/gnu/guix/mirror, but
that is rejected:

  file rejected: xz-5.0.4.tar.gz contains a vulnerable Makefile.in
  CVE-2012-3386
  Regenerate it with automake 1.11.6 / 1.12.2 or newer.

So we need another solution.  Any suggestions?  Like mirror URLs I might
have missed?

TIA,
Ludo’.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]