[Backport release-23.11] tailscale: 1.58.2 -> 1.66.4 #313691
Conversation
Changelog: https://go.dev/doc/devel/release#go1.22 Signed-off-by: Muhammad Falak R Wani <[email protected]>
Signed-off-by: Paul Meyer <[email protected]>
06kellyjac
added
the
1.severity: security
06kellyjac
changed the title
|
@ofborg eval |
|
I might need to drop the powerpc stuff |
Diff: tailscale/tailscale@v1.58.2...v1.60.0 Changelog: https://github.com/tailscale/tailscale/releases/tag/v1.60.0 Signed-off-by: Muhammad Falak R Wani <[email protected]>
|
Maybe, maybe not; the current eval failure is unrelated to your PR's contents: |
06kellyjac
force-pushed
the
tailscale_backports
branch
from
5e0d0bc to
e4bb623
Compare
kalbasit
added
the
12.approvals: 1
|
We also need to backport #311176 to fix tailscale ssh or just don't backport the combined binary commit. Also please review and merge the linked PR. |
|
approved, can't merge :) |
06kellyjac
force-pushed
the
tailscale_backports
branch
from
e4bb623 to
4f92ab9
Compare
|
I've dropped the combine commit for the backport |
|
@ofborg build tailscale |
|
This is quite a significant bump for stable. Is there no alternative? |
|
Technically tailscale is when used together with tailscale.com a software which is tied to an online service like Discord or yt-dlp and those get backported usually. |
|
I'm failing to find the comment on an old update PR but tailscale have a commitment to backwards compatibility and said it should be fine to backport everything unless specified. I do tend to put backport labels on the PR but the dependency on go 1.22 is a bit of a pain. But with just backporting a security patch to an old release it becomes tricky because you need to fully understand the fix, port that to the older release. It is possible that alone might not be a sufficient fix for the older release, so there's extra validation that you'd ideally want to do. And then there's the matter of identifying that release as fixed which I don't think would happen on the tailscale.com dashboard. So yeah in this case I think the policy of backporting all updates fits best. Seems like aarch64-darwin go build is busted "no space left on device" could be intermittent? |
|
Regarding upstream claiming everything they release is backwards compatible and backporting security fixes taking extra effort around understanding and testing the fix, you've just described 90% of packages in nixpkgs. Remember - any changes you make to the stable branch will be "surprise upgrades" for most stable branch users, who will likely have little opportunity for testing before rolling straight into production. I do wish there were a way for end users to get a better idea what kind of stability to expect from different packages on this front. Something like a |
|
There are some upstreams I believe more than others for backwards compatibility promises but I do get your point. |
|
Result of 3 packages built:
tested locally |
wegank
added
12.approvals: 2
JohnRTitor
added
12.approvals: 3+
|
I'll trust the two |
Description of changes
Resolves: #313678
Backport tailscale updates to resolve security issue.
Also needed to backport go 1.22.
I skipped some cosmetic commits like maintainers being removed, those will be caught up in 24.05
LMK if I've done anything wrong.
Not ran a full build myself yet.
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.