ludo@gnu.org (Ludovic Courtès) writes: > Leo Famulari skribis: > >> On Thu, Nov 03, 2016 at 10:17:18PM -0500, Eric Bavier wrote: >>> On Thu, 03 Nov 2016 18:54:55 -0400 >>> Kei Kebreau wrote: >>> >>> > From b837111e3ddf406a3b9235538f63af678e3ac741 Mon Sep 17 00:00:00 2001 >>> > From: Kei Kebreau >>> > Date: Thu, 3 Nov 2016 17:58:48 -0400 >>> > Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained >>> > fork of w3m. >>> > >>> > Fixes some security issues seen here: >>> > >>> > >>> > * gnu/packages/patches/w3m-upstream-20120522.patch: New file. >>> > * gnu/packages/patches/w3m-debian-updates.patch: New file. >>> > * gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained >>> > fork of w3m. >>> > [source]: Use Debian's tarball and patches. Remove obsolete patches. >>> > [arguments]: Remove unnecessary modification of %standard-phases. >>> > * gnu/local.mk (dist_patch_DATA): Register new patches. Remove obsolete >>> > patches. >>> > --- >>> > gnu/local.mk | 6 +- >>> > gnu/packages/patches/w3m-debian-updates.patch | 28498 >>> > +++++++++++++++++++ >>> >>> So theirs is the only actively maintained version of w3m and all they >>> can provide is a 28.5 thousand line patch? No VCS repository? There >>> must be some point at which it would be better for us to fetch the >>> patch in an origin rather than importing it into our repo. >> >> I think we build from their Git repo: >> >> https://anonscm.debian.org/cgit/collab-maint/w3m.git >> >> They even offer non-Debian-ized release tags, such as >> . > > Then we should use that instead of importing all the patches in our own > repo, IMO. > > Kei: would that work for you? > > Thanks, > Ludo’. It seems simple enough. I'll give it a go.