On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to webkitgtk@2.14.
> > Typically, we push the update within 24 hours.
> >
> > However, several packages still depend on webkitgtk@2.4, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> >
> > $ guix refresh -l webkitgtk@2.4
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> >
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> >
> > We should try to make these packages use a maintained version of
> > webkitgtk.
>
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
>

Good news on that front!

$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2

kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
webkit@2.4.

Wxwidgets currently is built with webkit@2.4, but it looks like it
supports webkit. I'm currently working on testing wxwidgets built with
webkit to see if that takes care of everything currently relying on
webkit@ancient other than gnucash.

-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted