On Wed, May 17, 2023 at 04:30:44PM +0200, Remco van 't Veer wrote:
> What's the preferred / politest way to draw attention to patches (and /
> or bugs) which seem to have been overlooked?

No idea, ideally it should not be necessary ;-)
There is a certain backlog in the QA process so that your patches were not
built out on the build farm. Otherwise I think someone would have applied
(most of) them already.

> And while I have your attention and you're wondering which patches I'd
> like to promote.. 😉
> - #62557 [guix-patches]
>   [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]
> - #62558 [guix-patches]
>   [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
> - #62559 [guix-patches]
>   [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
> - #62561 [guix-patches]
>   [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].

I applied the last three ones, but not the first one, as it requires a very
big amount of rebuilds (more than 8000 dependent packages).

Maybe this could be an occasion for the ruby team to tidy up the
packages. We currently have five publicly visible ruby versions:
$ ./pre-inst-env guix package -A ^ruby$
ruby    3.1.4   out     gnu/packages/ruby.scm:232:2
ruby    2.7.6   out     gnu/packages/ruby.scm:163:2
ruby    3.2.2   out     gnu/packages/ruby.scm:246:2
ruby    2.6.10  out     gnu/packages/ruby.scm:110:2
ruby    3.0.6   out     gnu/packages/ruby.scm:215:2

Could the three middle ones be dropped?

Then there is an internal version ruby/fixed, which is very old, but,
strangely, ahead of the public minor ruby version, @2.7.7.
Could the remainder of ruby and other packages be made dependent on @3.2
instead of @2.7?

Andreas

