From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#27120: GraphicsMagick bundles libtiff, libpng, zlib, libxml2,
	and more
Date: Sun, 28 May 2017 17:26:25 -0400
Message-ID: <20170528212625.GA15986@jasmine>
References: <20170528202321.GA31713@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35234)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dF5iM-0001Dx-3I
	for bug-guix@gnu.org; Sun, 28 May 2017 17:27:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dF5iI-0003qN-SS
	for bug-guix@gnu.org; Sun, 28 May 2017 17:27:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:39489)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dF5iI-0003qF-62
	for bug-guix@gnu.org; Sun, 28 May 2017 17:27:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dF5iH-0004EL-Pi
	for bug-guix@gnu.org; Sun, 28 May 2017 17:27:01 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.27120.B27120.149600679216228@debbugs.gnu.org>
Content-Disposition: inline
In-Reply-To: <20170528202321.GA31713@jasmine>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 27120@debbugs.gnu.org


--rwEMma7ioTxnRzrJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, May 28, 2017 at 04:23:21PM -0400, Leo Famulari wrote:
> GraphicsMagick bundles a large number of 3rd party libraries.
>=20
> We should unbundle and remove the ones that we can. For the rest, we
> should try patching their vulnerabilities and leaving code comments
> explaining the situation in the GraphicsMagick package definition.

The GraphicsMagick release tarball doesn't include these bundled
libraries. They are only in the Mercurial checkout.

We did not have to adjust our package very much when switching from the
release tarballs to the Mercurial checkout, so they are probably not
used, and it should not be too hard to unbundle them.

--rwEMma7ioTxnRzrJ
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlkrQH4ACgkQJkb6MLrK
fwjj9w//cKZCgKVFDdqmi1iLXuRNOP8dkol7mAi4UKlvtRZ6gEAZFKZgNFgNlECk
qk9roQ8PluuEuZmLnGSAf4h5xnMyAJPMkCZ03XQ0Ej4cKeA6XHdJsymjL9Vjl2DN
2RjyvKUmGNpylWIwf0PzvLoIx2WYfwNvjWGT2QsCx96ymswqlsEQP9vJal+aNe8g
+4p1uAq+5Z4VVSMDYjADMh3BHHUVNERO4wgTXvNBxVaGJoYP9Uh0xymrm6Qh+ip2
2evv7A6JrUYuLvQjhcTvvSKHP5R862Me1x+bi1rFccHvhizDr+lieTFIuyHERvSO
11XbXLi57Cb2pfoMcQpqdazP6HAObKHEoqQI0oTzqwKgc21E3yWJKFuRZteB2doW
9OFpKG+6YQFPIGjgEiE9mqwjTxQB3jQZ6FqchPi6H1kEvP6xZ/bHLZFLUCiDnjZ5
2gXmg1n86jHKQgdT4jor4fpUxRkOamt00SsLWQzTa8FMHGlGtqNv524f5lzSzS5U
P2I++tYEmM8CxTMUDxhwZRYMOS9pd0CfUlSA5DWouIESxiGZCv57IiF7LXIuSQPu
oUBi3xvTyEMVtVGNXLEQeSSZiicpETflIuTGrNmLB0umfv3DYmlOAatwrHAHnjTS
ZF6tYYt9rS3ctkB1jRBqv4+CfbUcc6F+oI20wVQ1d2orom58bm8=
=Os5H
-----END PGP SIGNATURE-----

--rwEMma7ioTxnRzrJ--