[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & C
From: |
Simon Tournier |
Subject: |
[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]. |
Date: |
Sun, 5 Mar 2023 21:33:20 +0100 |
Hi Leo,
On Sun, 5 Mar 2023 at 19:46, Leo Famulari <leo@famulari.name> wrote:
> At the Guix Days, it was said that there is a limit to how many builds
> the QA server will perform for a change. I don't recall the number, but
> maybe 300 builds per change? So, if a change causes too many rebuilds,
> the QA server will not perform the builds.
Ah thanks! I always forgot that limit. :-) I mean, since it says
"not yet processed", I still think the limit is higher. ;-) Anyway.
> For the Berlin server, I don't think that 546 builds is too many, at
> least for Intel systems.
Indeed. Just to note that the last update of Git was by commit:
--8<---------------cut here---------------start------------->8---
51f8a7aced70b7f79037bd99019dddaea07ced25
Author: Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun Jan 15 01:00:03 2023 +0100
Commit: Tobias Geerinckx-Rice <me@tobias.gr>
CommitDate: Sun Jan 15 01:00:08 2023 +0100
gnu: git: Update to 2.39.1 [fixes CVE-2022-41903 & CVE-2022-23521].
* gnu/packages/version-control.scm (git): Update to 2.39.1.
Reported by HexMachina in #guix.
--8<---------------cut here---------------end--------------->8---
and all was fine...
> > Somehow the guarantee that none of these 546 would not be broken by
> > the update. ;-)
>
> It's certainly possible that something breaks. But we can do a simple
> test by trying to update our profiles and Guix System installations, and
> checking that our tools still work. I think it's okay to cause a little
> breakage in order to deploy important security updates.
...but it was not with the previous,
--8<---------------cut here---------------start------------->8---
83ede5a02e1fc531d912eb92eb0a22a4b897997c
Author: Greg Hogan <code@greghogan.com>
AuthorDate: Wed Oct 19 20:13:15 2022 +0000
Commit: Ludovic Courtès <ludo@gnu.org>
CommitDate: Tue Nov 8 14:06:00 2022 +0100
gnu: git: Update to 2.38.1.
Fixes CVE-2022-39253 and CVE-2022-39260.
* gnu/packages/version-control.scm (git): Update to 2.38.1.
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
--8<---------------cut here---------------end--------------->8---
which had broken part of the Julia ecosystem; now the same problem
cannot arise for Julia. Who knows for the others? Anyway, I did this
rebuild and I did not noticed large breaks.
> > > Concretely, why can't we push this to master immediately?
Since we agree it is fine for master, feel free to push. :-)
Cheers,
simon
- [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]., (continued)
[bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946]., Simon Tournier, 2023/03/04