From: Efraim Flashner
To: Leo Famulari, 26176@debbugs.gnu.org
Subject: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Mon, 20 Mar 2017 08:50:54 +0200
Message-ID: <20170320065054.GE19779@macbook42.flashner.co.il>

On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to webkitgtk@2.14.
> > Typically, we push the update within 24 hours.
> >
> > However, several packages still depend on webkitgtk@2.4, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> >
> > $ guix refresh -l webkitgtk@2.4
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> >
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> >
> > We should try to make these packages use a maintained version of
> > webkitgtk.
>
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
>

Good news on that front!

$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2

kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
webkit@2.4. Wxwidgets currently is built with webkit@2.4, but it looks
like it supports webkit. I'm currently working on testing wxwidgets
built with webkit to see if that takes care of everything currently
relying on webkit@ancient other than gnucash.

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted