[Nix-dev] GnuTLS 2.10

[Michael Raskin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/12/2010 08:41 PM, Ludovic Courtès wrote:
>> was any). My motivation actually was to show that the real hard-to-fight
>> problems come from simple hard-to-notice things, not from the merits of
>> a way to avoid triggering too big a rebuild in corner cases...
> 
> IMO, this is typically an upstream issue, not a Nixpkgs one.  If the
> problem had been causing serious troubles, Nixpkgs could have reverted
> to a previous GnuTLS version, as Rob recently did for Autoconf 2.66.

You seem to have missed my point.

We can discard something as an upstream issue - if we know it is one. I
always thought that I need to have a good reason to revert an update
with positive security implications, isn't it so? And once I could show
that GnuTLS update breaks things, I could fix libsoup - in this
situation fixing was the same effort as reverting, and fixing seems better.

On the other hand, the fact GnuTLS was updated (in some sense it is a
major update - and I had zero chance to see it from the commit message)
caused a problem I can explain (I had to debug interaction of a few
quite fragile components, it is annoying). The only damage I can see
that is caused by original "parallel-build" patch was annoying, but it
was a typo and quite easy to fix. As for deepOverride - it is such a
corner case that most users won't notice the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMO0n8AAoJEE6tnN0aWvw3DqcH/ArBVIlqIxQkpjHlEMVEDlIS
RG3wixoRuVBP2Mb2p0rXm/gVN7JXYo70JCNOE18FURkhFoiAtpOh/BeGGV5RDWym
dKtEkGDOHzOtQCGotHQMO2mT7LtILCioKCFtqm2Zv5Kk44ltru9d4Xyj9XvrSsYP
/d9HLghY7tMii+HeOUCzUGCGUFy8mKW9MurbH9X2c2u4JAtk4JcKNBe/+x8hiUVo
OI3ASmAiGIjdipQWu21o+oE248zmQ3alAEc2zFagi8rumojzIbbGiAhptzLM2Zul
Yy9exefM/pwwB288N3pt8oscJHmbj3c1iRudNhW83ih5ChuTcYAw1H0xMhWjDHo=
=EAyl
-----END PGP SIGNATURE-----