Hi again!

Ludovic Courtès <l...@gnu.org> skribis:

> It’s also unclear to me that ImageMagick can be meaningfully grafted.
> Are there users of libMagick*.so in external packages?  That seems
> unlikely.
>
> On berlin, I see this:
>
> $ guix graph -t referrers /gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g
> digraph "Guix referrers" {
>   "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" [label = "imagemagick-6.9.12-2g", shape = box, fontname = sans];
>   "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" -> "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" [color = darkviolet];
>   "/gnu/store/7iwx7rj1ipsbgb9wgimrrflniyxpilw3-imagemagick-6.9.12-2g" -> "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" [color = darkviolet];
>   "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" [label = "ecl-ltk-0.992", shape = box, fontname = sans];
>   "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" -> "/gnu/store/wsw9an4lsnqxalwkvycxaa3y0ybp8rxp-ecl-ltk-0.992" [color = peachpuff4];
>
> }
>
> That means ‘ecl-ltk’ is the only package that keeps a reference to
> ImageMagick, and thus, it’s the only one that would benefit from the
> graft.  The graft is useless.

I was plain wrong—apologies for the confusion!

Running:

  guix graph -t referrers /gnu/store/cnyiwi6mn53jwmjh7kdvnlmagf3frsa3-imagemagick-6.9.12-2g | xdot -

on my laptop, I see at least emacs-w3m, pstoedit, skribilo, and (of
course) inkscape.  So grafting makes sense.

Consequently, the way forward IMO is to get a 6.9.11 backport of
whatever CVEs it is we are patching and to use such a patched 6.9.11
variant as the replacement.

Does that make sense?

Ludo’.