[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].

[Simon Tournier]

Hi Leo,

On Sun, 5 Mar 2023 at 19:46, Leo Famulari <leo@famulari.name> wrote:

> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.

Ah thanks!  I always forgot that limit. :-)  I mean, since it says
"not yet processed", I still think the limit is higher. ;-)  Anyway.

> For the Berlin server, I don't think that 546 builds is too many, at
> least for Intel systems.

Indeed.  Just to note that the last update of Git was by commit:

--8<---------------cut here---------------start------------->8---
51f8a7aced70b7f79037bd99019dddaea07ced25
Author:     Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun Jan 15 01:00:03 2023 +0100
Commit:     Tobias Geerinckx-Rice <me@tobias.gr>
CommitDate: Sun Jan 15 01:00:08 2023 +0100

gnu: git: Update to 2.39.1 [fixes CVE-2022-41903 & CVE-2022-23521].

* gnu/packages/version-control.scm (git): Update to 2.39.1.

Reported by HexMachina in #guix.
--8<---------------cut here---------------end--------------->8---

and all was fine...

> > Somehow the guarantee that none of these 546 would not be broken by
> > the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.

...but it was not with the previous,

--8<---------------cut here---------------start------------->8---
83ede5a02e1fc531d912eb92eb0a22a4b897997c
Author:     Greg Hogan <code@greghogan.com>
AuthorDate: Wed Oct 19 20:13:15 2022 +0000
Commit:     Ludovic Courtès <ludo@gnu.org>
CommitDate: Tue Nov 8 14:06:00 2022 +0100

gnu: git: Update to 2.38.1.

Fixes CVE-2022-39253 and CVE-2022-39260.

* gnu/packages/version-control.scm (git): Update to 2.38.1.

Co-authored-by: Ludovic Courtès <ludo@gnu.org>
--8<---------------cut here---------------end--------------->8---

which had broken part of the Julia ecosystem; now the same problem
cannot arise for Julia.  Who knows for the others?  Anyway, I did this
rebuild and I did not noticed large breaks.


> > > Concretely, why can't we push this to master immediately?

Since we agree it is fine for master, feel free to push. :-)


Cheers,
simon