[Buildroot] [Bug 12256] New: package tar is outdated (1.29 is 3 years old)

[Buildroot] [Bug 12256] New: package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

            Bug ID: 12256
           Summary: package tar is outdated (1.29 is 3 years old)
           Product: buildroot
           Version: 2019.02.6
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Outdated package
          Assignee: unassigned at buildroot.uclibc.org
          Reporter: dominique.tronche at atos.net
                CC: buildroot at uclibc.org
  Target Milestone: ---

The version of package tar 1.29 could be updated. Some more recent versions
which fix CVEs exist

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

Yann E. MORIN <yann.morin.1998@free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yann.morin.1998 at free.fr

--- Comment #1 from Yann E. MORIN <yann.morin.1998@free.fr> ---
We can't upgrade the version of tar without being cautious.

The host tar is used to create the archives in the VCS download backends
(git, cvs, svn, hg...) and tar 1.30 and forward have changed the wau they
generate the archives.

So, all the archives we had generated before 1.30 was released are not
bit-for-bit reproducible (even though the extracted content would be),
so the hashes we have for those archives would not match.

Hence we need to keep host-tar to 1.29.

For the target variant, this is less important of course, but so far
no one submitted a patch. It's also that we do not have many packages
for which the host and target versions are different.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

--- Comment #2 from Dominique Tronche <dominique.tronche@atos.net> ---
Created attachment 8261
  --> https://bugs.busybox.net/attachment.cgi?id=8261&action=edit
patch for tar package update

Thanks for the explanations. Attached a patch made by my colleague which keeps
the host version to 1.29
Regards

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

--- Comment #3 from Carlos Santos <unixmania@gmail.com> ---
Please submit the patch using git send-email so it becomes visible on
patchwork.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

--- Comment #4 from Dominique Tronche <dominique.tronche@atos.net> ---
I'm on a corporate network and not part of buildroot mailing list (and don't
necessarily want to be) so I'm not sure how to proceed

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

Carlos Santos <unixmania@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at buildroot.uclibc |unixmania at gmail.com
                   |.org                        |

--- Comment #5 from Carlos Santos <unixmania@gmail.com> ---
(In reply to Dominique Tronche from comment #4)

OK, I submitted the patch after improving the commit message based on Yann's
comments:

    https://patchwork.ozlabs.org/patch/1197080/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

--- Comment #6 from Dominique Tronche <dominique.tronche@atos.net> ---
Thanks for your help
Regards

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12256] package tar is outdated (1.29 is 3 years old)

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12256

Thomas Petazzoni <thomas.petazzoni@bootlin.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from Thomas Petazzoni <thomas.petazzoni@bootlin.com> ---
We are now using tar 1.32 for the target. We had to keep tar 1.29 for the host,
though.

-- 
You are receiving this mail because:
You are on the CC list for the bug.