From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id 2PgWLAA1M2fqHQAAqHPOHw:P1 (envelope-from ) for ; Tue, 12 Nov 2024 10:59:12 +0000 Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id 2PgWLAA1M2fqHQAAqHPOHw (envelope-from ) for ; Tue, 12 Nov 2024 11:59:12 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=Wab+6oXG; dkim=fail ("headers rsa verify failed") header.d=ngraves.fr header.s=ovhmo4487190-selector1 header.b=wA1OJ5js; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1731409152; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=6983FZSa6E3g+y/QbpX8r2IkwXzkPqKquv8iL3aNCiA=; b=IPgp1NCH+b2UXuMrKF0qAaTM1el2iFgaP9YTBUQlxra85/VuCzPP/gmRxnHO6LNmxecBgp Ystdyyw8UlyccET4L/nW6N/qkbDbK0nsA7hxl/y2Epm6ewSj9XlQmWJ2qakk6IZKiOFDPN B0dVv0hmo9A49Rvpm9RTMC0C6Z55eBfJkBgC7YjupB9C7Do6r9KHqOIEU1n4lJ7txUke+D 5mwYCLynrfFBY9NdX+5GAxSkIxGrLocyVwtUls6kj6mCzAHc/JEoqEmKMFQIJXDBCa9A1R nnFa1zG3Xt71EeU14km/1KL6L9d4QZ08Iz6OFBpVgOUOLo/8tXdyNpqgyYw9uQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=Wab+6oXG; dkim=fail ("headers rsa verify failed") header.d=ngraves.fr header.s=ovhmo4487190-selector1 header.b=wA1OJ5js; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Seal: i=1; s=key1; d=yhetil.org; t=1731409152; a=rsa-sha256; cv=none; b=UwACOqw8n9wDGQH6YaRI3HOObdhrWI1T/I0iBX6Q6t74z6UNfZCxXKNHZisV2lMX59DDq5 1lGzYafnwlNcGvpF0qC9hfpDNRKZxTLWH0uCmPUqVl0dQOehyBbrqI2aJBX/rY1+sdII7e 3ffLS5+bm2NGwwyK0/0mJWtehMt+NDLNtzhBatW5n8W9d3FzY51bRVjlCUCHX6oX6pTg+O UJlEIyyrUmWyOZC8nH8KXNmoOkQjv0++lrqhkBQ8GSkNzzmm4hAHPZ/6kQ1sPd6NvYCDB0 ZdXIn++R2GV+jRChpkSxVy34Yfn7hPU2OgJbvu6b+r5sRZzCyRsKfCJdNn/NLQ== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 25E0340270 for ; Tue, 12 Nov 2024 11:59:11 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tAobw-0004FY-Vj; Tue, 12 Nov 2024 05:59:04 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tAobu-0004FM-Le for guix-patches@gnu.org; Tue, 12 Nov 2024 05:59:02 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tAobu-0004fc-Cl for guix-patches@gnu.org; Tue, 12 Nov 2024 05:59:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:References:In-Reply-To:From:To:Subject; bh=6983FZSa6E3g+y/QbpX8r2IkwXzkPqKquv8iL3aNCiA=; b=Wab+6oXGt3L5f4Uo0FSwweegasO7c8QWjjQmrRKKeoeDcTSYaZZBFGEVm6DseIFSAtag/hHDYESF3sX6heQ4E0v9ldrhhcaOtqK3jNUseFb+yhQICtK4GylBw+ZXX3GbU6/2iH5Jjl8DsO+JSPQcnD8YwU5S+Y3nAWJZxpcIXXw4URhGFTb5uCV4O96sUss6F694ZqBWC5+xXKDpK5PDjvizYmv57ZycMfj6wiURhEuaWAMfKOIVdWfsAEFazDi1VguoPXWIaHAcbRV0sqFnB8/p8+KcrFbv4pm8VARinUS2TM+OECcU4gYVbwcuvp/6HTL2KqgTCwtC4qTp++ORxQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tAobu-0000aT-6x for guix-patches@gnu.org; Tue, 12 Nov 2024 05:59:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes] Resent-From: Nicolas Graves Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 12 Nov 2024 10:59:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74060 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch easy To: Maxim Cournoyer Cc: 74060@debbugs.gnu.org Received: via spool by 74060-submit@debbugs.gnu.org id=B74060.17314090962200 (code B ref 74060); Tue, 12 Nov 2024 10:59:02 +0000 Received: (at 74060) by debbugs.gnu.org; 12 Nov 2024 10:58:16 +0000 Received: from localhost ([127.0.0.1]:60818 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tAob9-0000ZP-Nr for submit@debbugs.gnu.org; Tue, 12 Nov 2024 05:58:16 -0500 Received: from 8.mo575.mail-out.ovh.net ([46.105.74.219]:55165) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tAob4-0000ZB-OZ for 74060@debbugs.gnu.org; Tue, 12 Nov 2024 05:58:14 -0500 Received: from director7.ghost.mail-out.ovh.net (unknown [10.109.176.25]) by mo575.mail-out.ovh.net (Postfix) with ESMTP id 4Xnk0c5Myxz1lnR for <74060@debbugs.gnu.org>; Tue, 12 Nov 2024 10:58:08 +0000 (UTC) Received: from ghost-submission-5b5ff79f4f-76zrf (unknown [10.110.118.167]) by director7.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 65D041FE91; Tue, 12 Nov 2024 10:58:08 +0000 (UTC) Received: from ngraves.fr ([37.59.142.110]) by ghost-submission-5b5ff79f4f-76zrf with ESMTPSA id nuA/Nb80M2dZahMAyyemgg (envelope-from ); Tue, 12 Nov 2024 10:58:08 +0000 X-OVh-ClientIp: 90.92.117.144 In-Reply-To: <87r07h6eic.fsf@ngraves.fr> References: <20241028112739.21615-1-ngraves@ngraves.fr> <87iksu9cac.fsf@gmail.com> <87r07h6eic.fsf@ngraves.fr> Date: Tue, 12 Nov 2024 11:58:05 +0100 Message-ID: <877c9867nm.fsf@ngraves.fr> MIME-Version: 1.0 Content-Type: text/plain X-Ovh-Tracer-Id: 3801038085748286160 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: -105 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeefuddrudeggddulecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculddqhedmnecujfgurhephffvvefujghffffkgggtsehttdertddttddtnecuhfhrohhmpefpihgtohhlrghsucfirhgrvhgvshcuoehnghhrrghvvghssehnghhrrghvvghsrdhfrheqnecuggftrfgrthhtvghrnhepfeeugeeludffvdfgvdegiedtueeigeegheetvdevudehhfevjeduveduieeugfdunecuffhomhgrihhnpehlihgsrghllhgvghdrohhrghdpnhhishhtrdhgohhvpdhgihhthhhusgdrtghomhenucfkphepuddvjedrtddrtddruddpledtrdelvddruddujedrudeggedpfeejrdehledrudegvddruddutdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeduvdejrddtrddtrddupdhmrghilhhfrhhomhepnhhgrhgrvhgvshesnhhgrhgrvhgvshdrfhhrpdhnsggprhgtphhtthhopedupdhrtghpthhtohepjeegtdeitdesuggvsggsuhhgshdrghhnuhdrohhrghdpoffvtefjohhsthepmhhoheejhegmpdhmohguvgepshhmthhpohhuth DKIM-Signature: a=rsa-sha256; bh=6983FZSa6E3g+y/QbpX8r2IkwXzkPqKquv8iL3aNCiA=; c=relaxed/relaxed; d=ngraves.fr; h=From; s=ovhmo4487190-selector1; t=1731409088; v=1; b=wA1OJ5js0nmAW148OXoGOaljULm8/CnC4MLrEhJ1Eh6XanVOS4cHcSPh19KIDezCm0Dk0117 0j0zONIDNm9/qPmGOSX87QHyk7f7GLIsLEv7BOhmHzGkxLeKgMHnxRBvK/xLEd7Le7xZx4KwAPB vsJCN/zKaM8CF2+27O/IXVw0VU93G/KLR32iwQU3GuSRB5hhsM4sHN5e7CJw9HHJeaWjp9PQ6iN PAMamt/Aj9wlBSZUaxUMohuA7hJMYZDBAaHcdisI2pzthFZFZ37p/1tCXRrt02aHepfQwP2JMQt 1Y0HrbGTuFEDjhrwkvfRDRtLLPsP7TCtPboxrC8Y+j+yw== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Nicolas Graves X-ACL-Warn: , Nicolas Graves via Guix-patches From: Nicolas Graves via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Scanner: mx11.migadu.com X-Migadu-Spam-Score: 0.08 X-Spam-Score: 0.08 X-Migadu-Queue-Id: 25E0340270 X-TUID: pBRSurteEne+ On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote: > On 2024-11-11 21:37, Maxim Cournoyer wrote: > >> Hi! >> >> Nicolas Graves writes: >> >>> This package has no dependencies in Guix, is unsupported (see >>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489. >>> >>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable. >>> * gnu/local.mk: Deregister patch. >>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file. >> >> We also have an allegro-4.0 variable; is this one not vulnerable? >> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggest it is (up to >> 5.2.6). > > If it is removable easily, we should remove it yes. I might have > forgotten this one. > > They are indeed unsupported versions, I reported that upstream in > https://github.com/liballeg/allegro5/issues/1587 > which confirmed that these versions won't receive security patches. Indeed there's still a package depending on allegro-4 (aseprite). I think that's the reason why I didn't consider updating it back then. The issue is that the new version of aseprite seems nonfree (restricts freedom to share the software, and the freedom to collaborate on the software). IMO we should remove both. Users can still use time-machine if they really want to use that version, or submit a new version of aseprite in nonguix. WDYT? -- Best regards, Nicolas Graves