* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
@ 2017-03-19 20:44 Leo Famulari
  2017-03-19 22:17 ` ng0
  2018-06-09  5:11 ` Chris Marusich
From: Leo Famulari @ 2017-03-19 20:44 UTC (permalink / raw)
  To: 26176


We do a good job of deploying security updates to webkitgtk@2.14.
Typically, we push the update within 24 hours.

However, several packages still depend on webkitgtk@2.4, which is
unmaintained upstream and surely contains many serious security
vulnerabilities.

$ guix refresh -l webkitgtk@2.4
Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2

People who install these packages probably do not expect to install
software containing publicly disclosed security vulnerabilities.

We should try to make these packages use a maintained version of
webkitgtk.

If that's not possible, what should we do?

Here is a primer on the tangled world of webkit forks and versions:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It states that distros should not expect webkitgtk@2.4 to receive
security updates:
------
We could attempt to provide security backports to WebKitGTK+ 2.4. This
would be very time consuming and therefore very expensive, so count this
out.
------


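The `guix refresh -l` output quoted above is word-wrapped prose, which is awkward to feed into an audit. The following shell script is an added example, not code from the thread or from Guix: it turns that message into one dependent per line and checks the list against a profile listing in the `guix package -I` format (name, version, output, store path) to report which installed packages pull in the unmaintained library. The refresh text is constructed to match the thread's output, the profile listing and its store paths are constructed placeholders, and the name/version split is a heuristic (cut at the first hyphen followed by a digit) chosen to handle tokens like `kicad-4.0-1.4ee344e`.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): list the dependents that
# `guix refresh -l <pkg>` reports, then check them against a profile listing.
#
# REFRESH_SAMPLE is constructed to match the `guix refresh -l webkitgtk@2.4`
# output quoted in the thread; it was not captured from a live system.
REFRESH_SAMPLE='Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2'

# write_profile_sample FILE: write a constructed listing in the
# `guix package -I` format (name, version, output, store path). The
# "xxxxxxxx" store hashes are placeholders, not real store items.
write_profile_sample() {
    printf 'filezilla\t3.24.1\tout\t/gnu/store/xxxxxxxx-filezilla-3.24.1\n' > "$1"
    printf 'emacs\t25.1\tout\t/gnu/store/xxxxxxxx-emacs-25.1\n' >> "$1"
    printf 'audacity\t2.1.2\tout\t/gnu/store/xxxxxxxx-audacity-2.1.2\n' >> "$1"
}

# refresh_dependents: read `guix refresh -l` text on stdin and print one
# NAME-VERSION token per line. The message is word-wrapped, so join the
# lines first, drop everything up to "rebuilt:", then split on whitespace.
refresh_dependents() {
    tr '\n' ' ' | sed 's/^.*rebuilt: *//' | tr -s ' ' '\n' | grep -v '^$'
}

# strip_version: NAME-VERSION -> NAME. Heuristic: cut at the first hyphen
# followed by a digit, e.g. aria-maestosa-1.4.11 -> aria-maestosa and
# kicad-4.0-1.4ee344e -> kicad. (A package whose name itself contains
# "-<digit>" would be cut too early; check such cases by hand.)
strip_version() {
    sed 's/-[0-9].*$//'
}

# installed_dependents NAMES_FILE PROFILE_FILE: print NAME-VERSION for every
# profile entry whose name appears in NAMES_FILE (one name per line).
installed_dependents() {
    awk -F'\t' 'NR == FNR { wanted[$1] = 1; next }
                ($1 in wanted) { print $1 "-" $2 }' "$1" "$2"
}

# audit_profile PROFILE_FILE: run the whole pipeline over REFRESH_SAMPLE and
# print the installed packages that depend on the library (nothing if none).
# Live use would replace REFRESH_SAMPLE with `guix refresh -l webkitgtk@2.4`
# and PROFILE_FILE with the output of `guix package -I`.
audit_profile() {
    names=$(mktemp)
    printf '%s\n' "$REFRESH_SAMPLE" | refresh_dependents | strip_version > "$names"
    installed_dependents "$names" "$1"
    rm -f "$names"
}

# Stand-alone demo on the constructed samples.
demo_profile=$(mktemp)
write_profile_sample "$demo_profile"
audit_profile "$demo_profile"
rm -f "$demo_profile"
```

Run as-is to see the demo (it prints `filezilla-3.24.1` and `audacity-2.1.2`, the two constructed profile entries that depend on the library); on a real system, pipe `guix refresh -l webkitgtk@2.4` into `refresh_dependents` and `guix package -I` into a file for `installed_dependents`.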

* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
  2017-03-19 20:44 bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Leo Famulari
@ 2017-03-19 22:17 ` ng0
  2017-03-20  6:50   ` Efraim Flashner
  2018-06-09  5:11 ` Chris Marusich
From: ng0 @ 2017-03-19 22:17 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 26176

Leo Famulari transcribed 2.1K bytes:
> We do a good job of deploying security updates to webkitgtk@2.14.
> Typically, we push the update within 24 hours.
> 
> However, several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
> 
> $ guix refresh -l webkitgtk@2.4
> Building the following 6 packages would ensure 10 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> 
> People who install these packages probably do not expect to install
> software containing publicly disclosed security vulnerabilities.
> 
> We should try to make these packages use a maintained version of
> webkitgtk.

Maybe those packages are already confirmed to work with 2.14, in some
commit in upstream software. If they aren't, and we can't make them
build with 2.14 in a functional way, it would serve a broad spectrum of
clients including Guix users to get in contact with the affected
package.

> If that's not possible, what should we do?
> 
> Here is a primer on the tangled world of webkit forks and versions:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
> 
> It states that distros should not expect webkitgtk@2.4 to receive
> security updates:
> ------
> We could attempt to provide security backports to WebKitGTK+ 2.4. This
> would be very time consuming and therefore very expensive, so count this
> out.
> ------


* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
  2017-03-19 22:17 ` ng0
@ 2017-03-20  6:50   ` Efraim Flashner
  2017-03-20 22:27     ` Ludovic Courtès
  2017-04-07 12:02     ` Leo Famulari
From: Efraim Flashner @ 2017-03-20  6:50 UTC (permalink / raw)
  To: Leo Famulari, 26176


On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to webkitgtk@2.14.
> > Typically, we push the update within 24 hours.
> > 
> > However, several packages still depend on webkitgtk@2.4, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> > 
> > $ guix refresh -l webkitgtk@2.4
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> > 
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> > 
> > We should try to make these packages use a maintained version of
> > webkitgtk.
> 
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
> 

Good news on that front! 

$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2

kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
webkit@2.4.

Wxwidgets currently is built with webkit@2.4, but it looks like it
supports webkit.

I'm currently working on testing wxwidgets built with webkit to see if
that takes care of everything currently relying on webkit@ancient other
than gnucash.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted



* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
  2017-03-20  6:50   ` Efraim Flashner
@ 2017-03-20 22:27     ` Ludovic Courtès
  2017-04-07 12:02     ` Leo Famulari
From: Ludovic Courtès @ 2017-03-20 22:27 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 26176

Howdy!

Efraim Flashner <efraim@flashner.co.il> skribis:

> Good news on that front! 
>
> $ guix refresh -l wxwidgets
> Building the following 5 packages would ensure 6 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 audacity-2.1.2

BTW, I used:

  guix graph -t reverse-package webkitgtk@2.4

to find out how things ended up depending on it.

> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.
>
> Wxwidgets currently is built with webkit@2.4, but it looks like it
> supports webkit.
>
> I'm currently working on testing wxwidgets built with webkit to see if
> that takes care of everything currently relying on webkit@ancient other
> than gnucash.

Looks like it worked pretty well.  :-)

Thank you!

Ludo’.


* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
  2017-03-20  6:50   ` Efraim Flashner
  2017-03-20 22:27     ` Ludovic Courtès
@ 2017-04-07 12:02     ` Leo Famulari
From: Leo Famulari @ 2017-04-07 12:02 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 26176


On Mon, Mar 20, 2017 at 08:50:54AM +0200, Efraim Flashner wrote:
> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.

Good news: the GnuCash developers are actively working to make GnuCash
compatible with the latest version of webkitgtk (or to completely remove
the dependency):

https://bugzilla.gnome.org/show_bug.cgi?id=751635

The other good news is that, apparently, GnuCash's use of webkit is
relatively insulated from security issues:

"GnuCash isn't affected by WebKit vulnerabilities, WebKit is used
exclusively to render HTML and interpret Javascript both created by
GnuCash itself."

https://bugzilla.gnome.org/show_bug.cgi?id=751635#c4



* bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
  2017-03-19 20:44 bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Leo Famulari
  2017-03-19 22:17 ` ng0
@ 2018-06-09  5:11 ` Chris Marusich
From: Chris Marusich @ 2018-06-09  5:11 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 26176-done


Leo Famulari <leo@famulari.name> writes:

> Several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.

We've removed webkitgtk-2.4 in commit
38039b4fa917c7516535167fb082ea63850ee578, which has been merged into
master (according to 'git branch --all --contains
38039b4fa917c7516535167fb082ea63850ee578'), so I'm closing this bug
report.

-- 
Chris


