Skip to content

expat: 2.4.4 -> 2.4.5#160826

Merged
vcunat merged 1 commit intoNixOS:stagingfrom
hartwork:expat-2-4-5
Feb 19, 2022
Merged

expat: 2.4.4 -> 2.4.5#160826
vcunat merged 1 commit intoNixOS:stagingfrom
hartwork:expat-2-4-5

Conversation

@hartwork
Copy link
Contributor

Motivation for this change

libexpat 2.4.5 with security fixes has been released, the upstream change log has more details.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@hartwork hartwork mentioned this pull request Feb 19, 2022
27 tasks
@bobby285271 bobby285271 added backport staging-21.11 1.severity: security Issues which raise a security issue, or PRs that fix one labels Feb 19, 2022
@bobby285271
Copy link
Member

@ofborg eval

@risicle risicle changed the title expat: 2.4.4 -> 2.4.5 (security) expat: 2.4.4 -> 2.4.5 Feb 19, 2022
Copy link
Member

@vcunat vcunat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changelog seems quite focused just on security fixes, so I assume that risk of some breakage is rather low. I tested building some packages. I see no use in waiting more.

@vcunat vcunat merged commit e7491cf into NixOS:staging Feb 19, 2022
@github-actions
Copy link
Contributor

Successfully created backport PR #160897 for staging-21.11.

@risicle
Copy link
Contributor

risicle commented Feb 19, 2022

Perhaps we'd be better off spending our testing effort on 21.11...

@hartwork
Copy link
Contributor Author

Perhaps we'd be better off spending our testing effort on 21.11...

Could you elaborate?

@risicle
Copy link
Contributor

risicle commented Feb 19, 2022

We're doing the bump in staging-21.11 too, and it's possible that it'll hit real users there (i.e. make it to release-21.11) before this makes it in to master. So I'll be doing some testing on #160897. That's all.

@trofi
Copy link
Contributor

trofi commented Feb 19, 2022

Bisect says perlPackages.XMLParser is broken by 62b1a57 expat: 2.4.4 -> 2.4.5 (security):

$ nix build -f. perlPackages.XMLParser -L
...
perl5.34.0-XML-Parser> #   Failed test at t/decl.t line 86.
perl5.34.0-XML-Parser> #          got: '((bar|foo|xyz+),bar)'
perl5.34.0-XML-Parser> #     expected: '((bar|foo|xyz+),zebra*)'
perl5.34.0-XML-Parser> #   Failed test at t/decl.t line 95.
perl5.34.0-XML-Parser> #          got: 'bar'
perl5.34.0-XML-Parser> #     expected: 'zebra'
perl5.34.0-XML-Parser> #   Failed test at t/decl.t line 96.
perl5.34.0-XML-Parser> #          got: undef
perl5.34.0-XML-Parser> #     expected: '*'
perl5.34.0-XML-Parser> # Looks like you failed 3 tests of 40.

@hartwork
Copy link
Contributor Author

@trofi can you help me find that test case so I can debug this in Expat?

@risicle
Copy link
Contributor

risicle commented Feb 19, 2022

@hartwork
Copy link
Contributor Author

Thanks!

@SuperSandro2000
Copy link
Member

SuperSandro2000 commented Feb 19, 2022

Next time it would be better to debug this first instead of leaving staging in a totally broken state.


also @hartwork you might want to add yourself to meta.maintainers.

PS: Why do we not have an extra tag for upstream developers which also maintain the package?


Or on GitHub https://github.com/toddr/XML-Parser/blob/master/t/decl.t#L86 . Repo seams to be pretty dead.

@hartwork
Copy link
Contributor Author

hartwork commented Feb 19, 2022

also @hartwork you might want to add yourself to meta.maintainers.

@SuperSandro2000 I'm not really maintaining the package and I have enough to do upstream already. I originally jumped in with Expat package updates at #124212 because Expat was badly out of date in NixOS at the time. Maybe it's best if I take my hands back off this package and someone else takes over.

@vcunat
Copy link
Member

vcunat commented Feb 19, 2022

I don't think staging is totally broken by this. And I did test libxml2 (and the stdenv rebuild) before merging.

@risicle
Copy link
Contributor

risicle commented Feb 19, 2022

Seconded - I've been building many, many packages without issue.

@SuperSandro2000
Copy link
Member

SuperSandro2000 commented Feb 19, 2022

perlPackages.XMLParser is in the dependency chain of nix through mdbook, cargo, git, openssh, libfido2, systemd-minimal, intltool and perl XML-Parser and the ofborg-eval-lib-tests currently fail because of that which means every PR against staging is red.

@SuperSandro2000
Copy link
Member

Maybe it's best if I take my hands back off this package and someone else takes over.

Not your fault that perlPackages.XMLParser is broken.


Anyone has any idea how to fix it? Is it just the test or code used by other things? Otherwise we need to revert this update until someone can fix it because right now every PR is red and normally can't be merged and staging would never advance.

@hartwork
Copy link
Contributor Author

Anyone has any idea how to fix it? Is it just the test or code used by other things?

I'm at it. I'll need more time.

@risicle
Copy link
Contributor

risicle commented Feb 20, 2022

Mental note: this is the sort of case where adding perlPackages.XMLParser to expat's passthru.tests would help us make sure it gets tested next time.

@SuperSandro2000
Copy link
Member

Mental note: this is the sort of case where adding perlPackages.XMLParser to expat's passthru.tests would help us make sure it gets tested next time.

image

@hartwork hartwork mentioned this pull request Feb 20, 2022
13 tasks
@hartwork
Copy link
Contributor Author

I'm at it. I'll need more time.

The regression turned out real, there is a fix, a new regression test, a new release 2.4.6 upstream, and a NixOS pull request #161090 to bump to 2.4.6.

@trofi
Copy link
Contributor

trofi commented Feb 20, 2022

Thank you, Sebastian!

@hartwork
Copy link
Contributor Author

@trofi thanks for the report!

@risicle
Copy link
Contributor

risicle commented Feb 20, 2022

Would you like us to set up a full nixpkgs rebuild as your expat project CI? It would only take a few weeks per commit... :trollface:

@hartwork
Copy link
Contributor Author

@risicle I think I need to respectfully decline 😃 (If there is a serious bit in there, let's take it to e-mail please.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants