Vincent Legoll <vincent.leg...@gmail.com> wrote:

> On Sun, Sep 11, 2016 at 5:41 PM, Leo Famulari <l...@famulari.name> wrote:
>> There is a GnuTLS security advisory [0] regarding "an issue that affects
>> validation of certificates using OCSP responses, which can falsely
>> report a certificate as valid under certain circumstances."
>>
>> I updated GnuTLS on core-updates to 3.5.4, the latest release of the 3.5
>> series.
>>
>> For master, the naive approach of cherry-picking the patch [1] did not
>> work; the test 'system-prio-file' fails consistently with that change. I
>> could instead try grafting the updated version.
>>
>> What do you think? The authors seem to think it's a relatively minor
>> issue [2], since exploiting it requires an attacker to compromise the
>> certificate authority.
>
> Side questions (just for my curiosity's sake):
>
> - What does it cost (manpower, hydra build time, etc...) approximately
> to do a new release?
Many packages would need to be rebuilt:

--8<---------------cut here---------------start------------->8---
$ guix refresh -l gnutls
Building the following 527 packages would ensure 1169 dependent packages are rebuilt:
[...]
--8<---------------cut here---------------end--------------->8---

> - Is it sufficiently automated?

Yes:

--8<---------------cut here---------------start------------->8---
$ guix refresh gnutls
/home/ludo/.config/guix/latest/gnu/packages/tls.scm:140:13: gnutls would be upgraded from 3.5.2 to 3.5.4
--8<---------------cut here---------------end--------------->8---

> - Can we help?

Always! ;-)

The question in such situations is just how to deploy the fix as fast as possible, which means avoiding a situation that would lead users to rebuild or redownload massive amounts of software just to get the upgrade. Grafts make it faster.

Ludo’.
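The graft that the reply mentions, shown as an added example of how it could be expressed in Guix's package language; this is not code from the thread or from Guix's own gnu/packages/tls.scm. It assumes the existing gnutls 3.5.2 definition in that file, assumes the tarball URI pattern, and uses a placeholder for the 3.5.4 tarball hash; `replacement`, `inherit`, `origin`, `base32` and `version-major+minor` are Guix's own forms.

```scheme
(use-modules (guix packages) (guix download) (guix utils))

;; Added example, not the thread's code.  The vulnerable package keeps its
;; name, version and build recipe so no dependent is rebuilt; the
;; `replacement' field tells Guix to graft the fixed build onto the
;; 1169 dependents that `guix refresh -l gnutls' lists.  Guix evaluates
;; `replacement' lazily, so the forward reference below is fine.
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.2")
    ;; source, inputs and arguments: unchanged from the existing definition
    (replacement gnutls-3.5.4)))

;; The replacement inherits everything and changes only the source.
;; "3.5.4" has the same length as "3.5.2": grafting rewrites store file
;; names in place, so old and new names must be equally long.
(define gnutls-3.5.4
  (let ((version "3.5.4"))
    (package
      (inherit gnutls)
      (version version)
      (source (origin
                (inherit (package-source gnutls))
                ;; Assumed URI pattern for the GnuTLS release tarballs.
                (uri (string-append "mirror://gnupg/gnutls/v"
                                    (version-major+minor version)
                                    "/gnutls-" version ".tar.xz"))
                ;; PLACEHOLDER: the real base32 sha256 of the 3.5.4
                ;; tarball goes here (e.g. as printed by `guix download').
                (sha256
                 (base32 "PLACEHOLDER-BASE32-SHA256-OF-GNUTLS-3.5.4")))))))
```

With this in place, `guix build gnutls` and a user's `guix package -u` deliver the grafted 3.5.4 binaries without rebuilding or redownloading the dependents.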