02/03: gnu: nghttp2: Update to 1.31.1 [fixes CVE-2018-1000168].

Discussion:

Mark H Weaver

2018-04-12 18:09:36 UTC

Hi Marius,

mbakke pushed a commit to branch master
in repository guix.
commit 65bfe30d8a4e930599603f6d835023bbd0dbcb9a
Date: Thu Apr 12 19:43:31 2018 +0200
gnu: nghttp2: Update to 1.31.1 [fixes CVE-2018-1000168].
* gnu/packages/web.scm (nghttp2): Update to 1.31.1.

Thank you for this, but it would entail far too many builds to update on
the 'master' branch. 'curl' depends on 'nghttp2'. According to 'guix
refresh -l', it would require 2839 rebuilds on x86_64.

Would you like to fix this with a graft instead?

Mark

Marius Bakke

2018-04-12 18:15:10 UTC

Permalink

Post by Mark H Weaver
Hi Marius,

Thank you for this, but it would entail far too many builds to update on
the 'master' branch. 'curl' depends on 'nghttp2'. According to 'guix
refresh -l', it would require 2839 rebuilds on x86_64.

On 'master', nghttp2 only has 1 dependent, the reverse curl dependency
was added in this 'core-updates'.

Since we haven't started the "full" core-updates on Hydra yet, I figured
it was okay. What do you think?

Mark H Weaver

2018-04-12 19:29:54 UTC

Permalink

Post by Marius Bakke

Post by Mark H Weaver
Hi Marius,

Thank you for this, but it would entail far too many builds to update on
the 'master' branch. 'curl' depends on 'nghttp2'. According to 'guix
refresh -l', it would require 2839 rebuilds on x86_64.

On 'master', nghttp2 only has 1 dependent, the reverse curl dependency
was added in this 'core-updates'.

Ah, sorry for the mistake. I just reverted my revert.

Post by Marius Bakke
Since we haven't started the "full" core-updates on Hydra yet, I figured
it was okay. What do you think?

Okay. I just merged master into core-updates, so that those of us
tracking core-updates can start rebuilding it again.

Thanks,
Mark