From: Nicolas Graves via Guix-patches via <guix-patches@gnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 74060@debbugs.gnu.org
Subject: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Tue, 12 Nov 2024 11:58:05 +0100 [thread overview]
Message-ID: <877c9867nm.fsf@ngraves.fr> (raw)
In-Reply-To: <87r07h6eic.fsf@ngraves.fr>
On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote:
> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>
>> Hi!
>>
>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>
>>> This package has no dependencies in Guix, is unsupported (see
>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>
>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>> * gnu/local.mk: Deregister patch.
>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>
>> We also have an allegro-4.0 variable; is this one not vulnerable?
>> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggest it is (up to
>> 5.2.6).
>
> If it is removable easily, we should remove it yes. I might have
> forgotten this one.
>
> They are indeed unsupported versions, I reported that upstream in
> https://github.com/liballeg/allegro5/issues/1587
> which confirmed that these versions won't receive security patches.
Indeed there's still a package depending on allegro-4 (aseprite). I
think that's the reason why I didn't consider updating it back then.
The issue is that the new version of aseprite seems nonfree (restricts
freedom to share the software, and the freedom to collaborate on the
software).
IMO we should remove both. Users can still use time-machine if they
really want to use that version, or submit a new version of aseprite in
nonguix. WDYT?
--
Best regards,
Nicolas Graves
next prev parent reply other threads:[~2024-11-12 10:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-28 11:27 [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes] Nicolas Graves via Guix-patches via
2024-11-11 12:37 ` Maxim Cournoyer
2024-11-11 14:17 ` Nicolas Graves via Guix-patches via
2024-11-12 10:58 ` Nicolas Graves via Guix-patches via [this message]
2024-11-12 12:30 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877c9867nm.fsf@ngraves.fr \
--to=guix-patches@gnu.org \
--cc=74060@debbugs.gnu.org \
--cc=maxim.cournoyer@gmail.com \
--cc=ngraves@ngraves.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).