From: Leo Famulari
Subject: Adding packages with vulnerabilities (was Re: [PATCH 1/2] gnu: Add perl-net-psyc. [pcre])
Date: Sat, 1 Oct 2016 21:50:22 -0400
Message-ID: <20161002015022.GB26660@jasmine>
References: <20160913113237.17434-1-ng0@we.make.ritual.n0.is> <20160913191644.GC5986@jasmine> <87twdjmw4y.fsf@we.make.ritual.n0.is> <87twdj8qqg.fsf@we.make.ritual.n0.is> <878tulr4qk.fsf@we.make.ritual.n0.is> <8737ktr17c.fsf@we.make.ritual.n0.is> <87shstccqg.fsf@we.make.ritual.n0.is> <20160927165640.GB2497@jasmine> <87twczrsju.fsf@we.make.ritual.n0.is>
In-Reply-To: <87twczrsju.fsf@we.make.ritual.n0.is>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: ng0
Cc: guix-devel@gnu.org

On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
> Leo Famulari writes:
> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
> >>
> >> * gnu/packages/psyc.scm (psyclpc): New variable.
> >> + (inputs
> >> + `(("zlib" ,zlib)
> >> + ("openssl" ,openssl)))
> >> + ;; pcre is bundled to ensure the version is compatible. XXX: look into
> >> + ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
> >> + ;; functionality reasons we can not unbundle it now.
> >> + ;; ("pcre" ,pcre)))
> >
> > That version of PCRE was released in 2003. We might want to add a
> > warning to the package description...
> >
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>
> Update on this: the pcre bundling was inherited from ldmud, current
> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>
> I'd still like to have the patches in their current form and update
> psyclpc when the next version without pcre is out.

I'd like some more opinions on this. Should we add this package even
though we know it contains some security bugs (linked above)?
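Review bot: in the quoted inputs hunk, the pcre dependency survives only as the commented-out line `;; ("pcre" ,pcre)))` while the comment above it concedes that the bundled copy is pcre 4.5 and that unbundling is deferred "for functionality reasons" without saying what actually breaks against the system pcre. A commented-out input is dead code and the "XXX" gives the next maintainer nothing to act on; drop the commented-out line and state concretely in the comment which functionality fails with the 8.x series (or link the upstream report), so that the bundling can be revisited when ldmud's unbundling lands, as the reply above anticipates. Until then, given that the thread dates this pcre release to 2003 and links the CVE list for pcre, the warning in the package description that Leo proposes should be part of the same patch rather than left for a follow-up.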