diff mbox

[01/68] gnu: Add flex-2.6.1.

Message ID 20161029180519.6061-1-david@craven.ch
State New
Headers

Commit Message

David Craven Oct. 29, 2016, 6:04 p.m. UTC 
  * gnu/packages/flex.scm (flex-2.6.1): New variable.
---
 gnu/packages/flex.scm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Marius Bakke Oct. 29, 2016, 6:46 p.m. UTC | #1 
David Craven <david@craven.ch> writes:

> * gnu/packages/flex.scm (flex-2.6.1): New variable.

This is newer than what we currently have (2.6.0). I know it's late in
the core-updates cycle, but maybe we can squeeze in a flex upgrade?

I haven't tried building the series, but the patches LGTM overall.
Leo Famulari Oct. 29, 2016, 8:27 p.m. UTC | #2 
On Sat, Oct 29, 2016 at 07:46:53PM +0100, Marius Bakke wrote:
> David Craven <david@craven.ch> writes:
> 
> > * gnu/packages/flex.scm (flex-2.6.1): New variable.
> 
> This is newer than what we currently have (2.6.0). I know it's late in
> the core-updates cycle, but maybe we can squeeze in a flex upgrade?

It's also not the latest upstream release, which is 2.6.2. Why use this
particular version instead of the latest?
Leo Famulari Oct. 29, 2016, 8:40 p.m. UTC | #3 
On Sat, Oct 29, 2016 at 07:46:53PM +0100, Marius Bakke wrote:
> David Craven <david@craven.ch> writes:
> 
> > * gnu/packages/flex.scm (flex-2.6.1): New variable.
> 
> This is newer than what we currently have (2.6.0). I know it's late in
> the core-updates cycle, but maybe we can squeeze in a flex upgrade?

Unfortunately, changing flex will cause ~1500 rebuilds per architecture,
so I think we won't do it unless there is some very serious problem.

Also see commit eba7fab890f43 on core-updates, which fixes a bug
(CVE-2016-6354) that allow DOS and potentially arbitrary code execution
in code generated by flex.

Updating flex to the latest version should happen in the next
core-updates, or possibly in an earlier staging / security-updates
cycle.
Leo Famulari Oct. 29, 2016, 8:45 p.m. UTC | #4 
On Sat, Oct 29, 2016 at 07:46:53PM +0100, Marius Bakke wrote:
> David Craven <david@craven.ch> writes:
> 
> > * gnu/packages/flex.scm (flex-2.6.1): New variable.
> 
> This is newer than what we currently have (2.6.0). I know it's late in
> the core-updates cycle, but maybe we can squeeze in a flex upgrade?

I saw this explanatory message on #guix:

https://gnunet.org/bot/log/guix/2016-10-29#T1187445

Please add some detail in a code comment so we know why it's required :)
diff mbox

Patch

diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff19..7b59085 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -78,3 +78,17 @@  regular expressions for each rule.  Whenever it finds a match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
                         "See COPYING in the distribution."))))
+
+(define-public flex-2.6.1
+  (package
+    (inherit flex)
+    (version "2.6.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/westes/flex"
+                    "/releases/download/v" version "/"
+                    "flex-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0fy14c35yz2m1n1m4f02by3501fn0cca37zn7jp8lpp4b3kgjhrw"))))))