Thanks Andreas!
2023/05/19 11:26, Andreas Enge:
>> And while I have your attention and you're wondering which patches I'd
>> like to promote.. 😉
>> - #62557 [guix-patches]
>> [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755,
>> 28756}]
>> - #62558 [guix-patches]
>> [PATCH] gnu: ruby-3.0: Upgrade to 3.0.6 [fixes CVE-2023-{28755, 28756}].
>> - #62559 [guix-patches]
>> [PATCH] gnu: ruby-3.1: Upgrade to 3.1.4 [fixes CVE-2023-{28755, 28756}].
>> - #62561 [guix-patches]
>> [PATCH] gnu: ruby-3.2: Upgrade to 3.2.2 [fixes CVE-2023-{28755, 28756}].
>
> I applied the last three ones, but not the first one, as it requires a very
> big amount of rebuilds (more than 8000 dependent packages).
>
> Maybe this could be an occasion for the ruby team to tidy up the
> packages. We currently have five publicly visible ruby versions:
> $ ./pre-inst-env guix package -A ^ruby$
> ruby 3.1.4 out gnu/packages/ruby.scm:232:2
> ruby 2.7.6 out gnu/packages/ruby.scm:163:2
> ruby 3.2.2 out gnu/packages/ruby.scm:246:2
> ruby 2.6.10 out gnu/packages/ruby.scm:110:2
> ruby 3.0.6 out gnu/packages/ruby.scm:215:2
>
> Could the three middle ones be dropped?

Ruby 2.6 is EOL and 2.7 got its "last" release in March (https://www.ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/). So I guess 2.6 can be dropped and 2.7 may linger for a while?

> Then there is an internal version ruby/fixed, which is very old, but,
> strangely, ahead of the public minor ruby version, @2.7.7.

It seems the ruby-2.7-fixed var has been orphaned by the latest core-updates merge. It was used for grafting (used as a "replacement" in the ruby-2.7 var) and my patch was still depending on that. I can update the patch by reinserting the grafting bit. WDYT?

> Could the remainder of ruby and other packages be made dependent on @3.2
> instead of @2.7?

This will probably be a trial and error path leaning on tests included in the packages.

Cheers,
Remco