"pelzflorian (Florian Pelz)" <pelzflor...@pelzflorian.de> writes:
> Hello Christopher.
>
> Christopher Baines <m...@cbaines.net> writes:
>> Had the changes waited for longer, then these failures should have been
>> spotted by QA, I would guess that the revision might have failed to be
>> processed, and if it was processed successfully, the nss failures should
>> have shown up, so maybe we should start requiring [5] that not only are
>> changes sent to guix-patc...@gnu.org, but that QA processes them (to
>> some extent) before merging?
>>
>> 5:
>> https://guix.gnu.org/manual/devel/en/html_node/Managing-Patches-and-Branches.html#
>
> Yes, though note that the nss change did provide security fixes:
>
> commit e584ff08b162c46ef587daca438e97d56bc20b32
> Author: Maxim Cournoyer <maxim.courno...@gmail.com>
> Date:   Wed Apr 24 11:22:30 2024 -0400
>
>     gnu: nss: Graft with version 3.98 [security fixes].
>
>     This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
>
>     * gnu/packages/nss.scm (nss) [replacement]: New field.
>     (nss-3.98): Rename variable to...
>     (nss/fixed): ... this. Make it a hidden package.
>     * gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
>     nss/fixed.
>
>     Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
>
> I suppose the requirement to wait for QA should apply to security fixes
> as well?

Well, there's a risk in not testing things across multiple
machines/architectures at least. The value of getting a security fix
merged quickly is reduced if users on some architectures/systems can't
use it.

There's always going to be trade-offs, and that's fine, but the question
is more what can be done to try and improve things for the future.