[bug#33347] [PATCH 4/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].

[Alex Vong <alexvong1995@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1726 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Nov 12, 2018 at 03:09:39AM +0800, Alex Vong wrote:
>>           (replace 'configure
>>             (lambda* (#:key outputs #:allow-other-keys)
>> +             (define (use-latest-json-parser file)
>> +               (substitute* file
>> +                 (("engine/external/json-parser/json\\.h")
>> +                  "json-parser/json.h")
>> +                 (("json_parse_ex\\(&JsonSettings, pFileData, aError\\);")
>> +                  "json_parse_ex(&JsonSettings,
>> +                                 pFileData,
>> +                                 strlen(pFileData),
>> +                                 aError);")))
>> +
>
> Please add a code comment explaining this.
>
OK

>> -    ;; FIXME: teeworlds bundles the sources of "pnglite", a two-file PNG
>> -    ;; library without a build system.
>
> These sorts of mini-libraries are designed to be copied and pasted into
> host projects rather than packaged on their own. That's why they don't
> include a build system. For example, many cryptographic primitive
> implementations are distributed this way — that's why you never see a
> package for 'SHA256'. Is there a particular reason we should unbundle
> pnglite?

Well, I though we have a policy to remove bundle dependencies in order
to avoid building the same library many times. Do we make exceptions for
shared libraries w/o a build system? (an exception I can think of is
gnulib)

Besides, the FIXME comment seems to suggest future readers to help
remove the bundled pnglite. Debian also removes the bundled pnglite in
teeworlds[0].

Thanks for all the feedback!

[0]: https://packages.debian.org/sid/teeworlds

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]