* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
@ 2017-03-19 20:44 Leo Famulari
2017-03-19 22:17 ` ng0
2018-06-09 5:11 ` Chris Marusich
0 siblings, 2 replies; 6+ messages in thread
From: Leo Famulari @ 2017-03-19 20:44 UTC (permalink / raw)
To: 26176
We do a good job of deploying security updates to webkitgtk@2.14.
Typically, we push the update within 24 hours.
However, several packages still depend on webkitgtk@2.4, which is
unmaintained upstream and surely contains many serious security
vulnerabilities.
$ guix refresh -l webkitgtk@2.4
Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
People who install these packages probably do not expect to install
software containing publicly disclosed security vulnerabilities.
We should try to make these packages use a maintained version of
webkitgtk.
If that's not possible, what should we do?
Here is a primer on the tangled world of webkit forks and versions:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
It states that distros should not expect webkitgtk@2.4 to receive
security updates:
------
We could attempt to provide security backports to WebKitGTK+ 2.4. This
would be very time consuming and therefore very expensive, so count this
out.
------
* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
From: ng0 @ 2017-03-19 22:17 UTC (permalink / raw)
To: Leo Famulari; +Cc: 26176
Leo Famulari transcribed 2.1K bytes:
> We do a good job of deploying security updates to webkitgtk@2.14.
> Typically, we push the update within 24 hours.
>
> However, several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
>
> $ guix refresh -l webkitgtk@2.4
> Building the following 6 packages would ensure 10 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
>
> People who install these packages probably do not expect to install
> software containing publicly disclosed security vulnerabilities.
>
> We should try to make these packages use a maintained version of
> webkitgtk.
Maybe those packages are already confirmed to work with 2.14, in some
commit in upstream software. If they aren't, and we can't make them
build with 2.14 in a functional way, it would serve a broad spectrum of
clients including Guix users to get in contact with the affected
package.
> If that's not possible, what should we do?
>
> Here is a primer on the tangled world of webkit forks and versions:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>
> It states that distros should not expect webkitgtk@2.4 to receive
> security updates:
> ------
> We could attempt to provide security backports to WebKitGTK+ 2.4. This
> would be very time consuming and therefore very expensive, so count this
> out.
> ------
* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
From: Efraim Flashner @ 2017-03-20 6:50 UTC (permalink / raw)
To: Leo Famulari, 26176
On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to webkitgtk@2.14.
> > Typically, we push the update within 24 hours.
> >
> > However, several packages still depend on webkitgtk@2.4, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> >
> > $ guix refresh -l webkitgtk@2.4
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> >
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> >
> > We should try to make these packages use a maintained version of
> > webkitgtk.
>
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
>
Good news on that front!
$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2
kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
webkit@2.4.
Wxwidgets currently is built with webkit@2.4, but it looks like it
supports webkit.
I'm currently working on testing wxwidgets built with webkit to see if
that takes care of everything currently relying on webkit@ancient other
than gnucash.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
From: Ludovic Courtès @ 2017-03-20 22:27 UTC (permalink / raw)
To: Efraim Flashner; +Cc: 26176
Howdy!
Efraim Flashner <efraim@flashner.co.il> skribis:
> Good news on that front!
>
> $ guix refresh -l wxwidgets
> Building the following 5 packages would ensure 6 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 audacity-2.1.2
BTW, I used:
guix graph -t reverse-package webkitgtk@2.4
to find out how things ended up depending on it.
> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.
>
> Wxwidgets currently is built with webkit@2.4, but it looks like it
> supports webkit.
>
> I'm currently working on testing wxwidgets built with webkit to see if
> that takes care of everything currently relying on webkit@ancient other
> than gnucash.
Looks like it worked pretty well. :-)
Thank you!
Ludo’.
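The two commands quoted in this thread, `guix refresh -l` and `guix graph -t reverse-package`, answer the same question from two directions: which packages are built on top of an unmaintained library, and through which intermediate package they reach it. The script below is an added illustration of that computation and is not code from the bug report or from Guix; it is a reverse-dependency closure over a small, constructed package graph whose edges are an approximation of what the thread describes (most 2.4 users reach it via wxwidgets, kicad via a gtk+-2 build of wxwidgets, gnucash via the separate webkitgtk/gtk+-2 variant), not the real Guix graph. It is written in Python rather than Guile so it runs without a Guix installation. The point it makes is the one Efraim Flashner's reply makes: the six packages users install are not the packages whose definitions have to change; the fix points are the direct dependents, and the per-package paths show why a single dependent (wxwidgets) covers most of the exposure while gnucash has to be handled separately.

```python
"""Reverse-dependency closure over a package graph.

Added example for bug#26176, not part of the report or of Guix. The graph
is constructed from the package names mentioned in the thread; its edges
are illustrative, not the actual Guix dependency graph.
"""
from collections import deque

# Constructed input: package -> the inputs it is built against.
DEPENDS_ON = {
    "webkitgtk@2.4": [],              # unmaintained upstream
    "webkitgtk/gtk+-2@2.4": [],       # gtk+-2 variant of the same unmaintained code
    "webkitgtk@2.14": [],             # maintained, receives security updates
    "wxwidgets": ["webkitgtk@2.4"],
    "wxwidgets/gtk+-2": ["webkitgtk@2.4"],
    "aria-maestosa": ["wxwidgets"],
    "wxmaxima": ["wxwidgets"],
    "filezilla": ["wxwidgets"],
    "elixir": ["wxwidgets"],
    "audacity": ["wxwidgets"],
    "kicad": ["wxwidgets/gtk+-2"],
    "gnucash": ["webkitgtk/gtk+-2@2.4"],
    "epiphany": ["webkitgtk@2.14"],   # control: depends only on the maintained line
}


def reverse_edges(depends_on):
    """Invert the graph: library -> set of packages listing it as a direct input."""
    rev = {pkg: set() for pkg in depends_on}
    for pkg, inputs in depends_on.items():
        for dep in inputs:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def direct_dependents(depends_on, target):
    """Packages whose own definition references target; these are the fix points."""
    return sorted(reverse_edges(depends_on).get(target, ()))


def reverse_closure(depends_on, target):
    """All transitive dependents of target, each with the shortest path by which
    it reaches target (breadth-first search over the inverted graph).

    Returns {dependent: [target, ..., dependent]}.
    """
    rev = reverse_edges(depends_on)
    paths = {target: [target]}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for dependent in sorted(rev.get(cur, ())):
            if dependent not in paths:          # first visit is the shortest path
                paths[dependent] = paths[cur] + [dependent]
                queue.append(dependent)
    del paths[target]                            # the library itself is not a dependent
    return paths


def leaves(depends_on, target):
    """Dependents that nothing else builds on: what users actually install."""
    rev = reverse_edges(depends_on)
    return sorted(p for p in reverse_closure(depends_on, target) if not rev.get(p))


def exposed_packages(depends_on, targets):
    """Union of the closures of several unmaintained variants of one library,
    so a variant like webkitgtk/gtk+-2 is not overlooked."""
    exposed = {}
    for target in targets:
        for pkg, path in reverse_closure(depends_on, target).items():
            exposed.setdefault(pkg, path)
    return exposed


if __name__ == "__main__":
    unmaintained = ["webkitgtk@2.4", "webkitgtk/gtk+-2@2.4"]
    for target in unmaintained:
        print(f"{target}: fix points = {direct_dependents(DEPENDS_ON, target)}")
        print(f"{target}: installable leaves = {leaves(DEPENDS_ON, target)}")
    for pkg, path in sorted(exposed_packages(DEPENDS_ON, unmaintained).items()):
        print(f"  {pkg}: {' <- '.join(path)}")
```

With this constructed graph the leaf list for webkitgtk@2.4 happens to be the six packages named in the report, but only two definitions (wxwidgets and its gtk+-2 build) reference the library directly, and gnucash shows up only when the gtk+-2 variant of webkitgtk is included in the query. When using the real tooling, the equivalent check is to run the reverse-package graph for every variant of the unmaintained package, not only the one whose name you remember.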
* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
From: Leo Famulari @ 2017-04-07 12:02 UTC (permalink / raw)
To: Efraim Flashner; +Cc: 26176
On Mon, Mar 20, 2017 at 08:50:54AM +0200, Efraim Flashner wrote:
> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.
Good news: the GnuCash developers are actively working to make GnuCash
compatible with the latest version of webkitgtk (or to completely remove
the dependency):
https://bugzilla.gnome.org/show_bug.cgi?id=751635
The other good news is that, apparently, GnuCash's use of webkit is
relatively insulated from security issues:
"GnuCash isn't affected by WebKit vulnerabilities, WebKit is used
exclusively to render HTML and interpret Javascript both created by
GnuCash itself."
https://bugzilla.gnome.org/show_bug.cgi?id=751635#c4
* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
From: Chris Marusich @ 2018-06-09 5:11 UTC (permalink / raw)
To: Leo Famulari; +Cc: 26176-done
Leo Famulari <leo@famulari.name> writes:
> Several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
We've removed webkitgtk-2.4 in commit
38039b4fa917c7516535167fb082ea63850ee578, which has been merged into
master (according to 'git branch --all --contains
38039b4fa917c7516535167fb082ea63850ee578'), so I'm closing this bug
report.
--
Chris