bug#43075: Prioritize providing substitutes for security-critical packages with potentially long build times

[Ludovic Courtès]

Hi,

chaosmonk <chaosmonk@riseup.net> skribis:

> ungoogled-chromium receives frequent security updates, so it is
> important for users to keep it up-to-date.  However, binary
> substitutes for the latest version are usually not available, and it
> can take a  very long time to build from source, possibly multiple
> days on low-end hardware.  This might tempt or force some users to put
> off upgrading the package and run an older, vulnerable version until a
> binary substitute is available or they have a chance to set aside the
> uptime needed to build from source.
>
> I don't know what Guix's CI system looks like or how packages are
> queued for building, but if there is a way to prioritize builds for
> certain packages, I propose that substitutes for packages like
> ungoogled-chromium should be built as soon as possible once there is a
> new version.  Other security-critical packages with potentially long
> build times that come to mind are icecat and linux-libre.

Thanks for your feedback.  Our build farm has often been lagging behind
lately and that’s something we’ve been working on.  The
ungoogled-chromium package is even more problematic because it takes
more than ~80 CPU-hours to build, and that often times out with our
current build farm settings (where we don’t allow builds to take more
than 6h, IIRC).

Right now we’re trying to improve build throughput in general but your
proposal makes sense, of course.

Thanks,
Ludo’.