From: Leo Famulari <leo@famulari.name>
To: ng0 <ngillmann@runbox.com>
Cc: guix-devel@gnu.org
Subject: Adding packages with vulnerabilities (was Re: [PATCH 1/2] gnu: Add perl-net-psyc. [pcre])
Date: Sat, 1 Oct 2016 21:50:22 -0400
Message-ID: <20161002015022.GB26660@jasmine>
In-Reply-To: <87twczrsju.fsf@we.make.ritual.n0.is>
On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
> Leo Famulari <leo@famulari.name> writes:
> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
> >>
> >> * gnu/packages/psyc.scm (psyclpc): New variable.
> >> + (inputs
> >> + `(("zlib" ,zlib)
> >> + ("openssl" ,openssl)))
> >> + ;; pcre is bundled to ensure the version is compatible. XXX: look into
> >> + ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
> >> + ;; functionality reasons we can not unbundle it now.
> >> + ;; ("pcre" ,pcre)))
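Review bot: the `(inputs ...)` form is already closed by `("openssl" ,openssl)))`, so the commented-out `;; ("pcre" ,pcre)))` line cannot later be re-enabled just by removing the `;;` without also moving the closing parentheses off the openssl line; either keep a bare `;; ("pcre" ,pcre)` reminder without the trailing parens or drop the dead line and let the XXX comment carry the TODO. Since the bundled pcre 4.5 dates from 2003 and has published CVEs (the cve.mitre.org list cited below), the XXX comment should also state why unbundling is currently blocked (the bundling was inherited from ldmud, which has since unbundled it), and the package description should carry the warning proposed in this thread so users know a vulnerable PCRE copy ships with the package.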
> >
> > That version of PCRE was released in 2003. We might want to add a
> > warning to the package description...
> >
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>
> Update on this: the pcre bundling was inherited from ldmud, current
> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>
> I'd still like to have the patches in their current form and update
> psyclpc when the next version without pcre is out.

I'd like some more opinions on this. Should we add this package even
though we know it contains some security bugs (linked above)?
2016-09-13 11:32 [PATCH 1/2] gnu: Add perl-net-psyc ng0
2016-09-13 11:32 ` [PATCH 2/2] gnu: Add libpsyc ng0
2016-09-13 19:17 ` Leo Famulari
2016-09-13 19:16 ` [PATCH 1/2] gnu: Add perl-net-psyc Leo Famulari
2016-09-13 19:34 ` ng0
2016-09-13 20:55 ` ng0
2016-09-21 9:17 ` ng0
2016-09-21 10:34 ` ng0
2016-09-21 18:46 ` ng0
2016-09-27 16:56 ` Leo Famulari
2016-09-27 21:41 ` ng0
2016-09-28 14:03 ` ng0
2016-09-29 8:58 ` [PATCH 1/2] gnu: Add perl-net-psyc. [pcre] ng0
2016-10-02 1:50 ` Leo Famulari [this message]
2016-10-02 10:30 ` Adding packages with vulnerabilities (was Re: [PATCH 1/2] gnu: Add perl-net-psyc. [pcre]) ng0
2016-10-02 10:40 ` ng0
2016-10-03 15:44 ` Ludovic Courtès
2016-10-03 21:06 ` ng0
2016-09-27 16:49 ` [PATCH 1/2] gnu: Add perl-net-psyc Leo Famulari
2016-09-28 15:47 ` [PATCH] Add psyc* suite ng0