From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: Re: Staying on top of Qt security
Date: Mon, 22 Feb 2016 15:19:50 -0500
Message-ID: <20160222201950.GA14025@jasmine>
References: <20160214200143.GA19744@jasmine> <20160218204349.GA4179@solar> <87egc9pr2p.fsf@dustycloud.org> <20160218225938.GA29487@solar> <8760xjw81o.fsf@dustycloud.org> <20160221072837.GA16855@jasmine> <87ziuuarix.fsf@dustycloud.org> <20160222195339.GD29652@solar>
In-Reply-To: <20160222195339.GD29652@solar>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Andreas Enge
Cc: guix-devel@gnu.org

On Mon, Feb 22, 2016 at 08:53:39PM +0100, Andreas Enge wrote:
> Sorry, Chris, that I bothered you with the state of pumpa; I was so convinced
> that you were the packager that I did not even check! I suppose that I have
> read too many of your blog posts to planet gnu; whenever I hear "federation"
> or "pumpsomething" now, I think of you.
>
> On Sun, Feb 21, 2016 at 09:42:43AM -0800, Christopher Allan Webber wrote:
> > Leo Famulari writes:
> > > Apparently QJson's master branch has supported Qt-5 for some time, so I
> > > asked the maintainers if that is true, and if they plan to issue a new
> > > release [0]. We could try packaging from git.
> > > https://github.com/flavio/qjson/issues/49
>
> Thanks for the initiative!
>
> > Sounds good. If they don't make a new release, I think packaging from
> > git is the best option.
>
> I am not a big fan of packaging from non-release versions. Maybe you could
> convince upstream that this is enough of an exciting change to make a release,
> Leo? In the end, it is probably more interesting and important to get rid
> of Qt-4 than to not package from git. But there are still other packages
> requiring Qt-4. Maybe we should wait a bit until their number is more reduced,
> and then take a joint decision for the remaining ones.

I agree that packaging non-release versions is not ideal. We may trade one
security issue for another, since non-release commits are usually not
scrutinized as much by upstream.

My plan is to wait a little bit to see if QJson takes action. Another
option is to persuade the Pumpa upstream to stop using QJson.