From: Leo Famulari
Subject: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Sun, 19 Mar 2017 16:44:14 -0400
Message-ID: <20170319204414.GA23467@jasmine>
List-Id: Bug reports for GNU Guix
To: 26176@debbugs.gnu.org

We do a good job of deploying security updates to webkitgtk@2.14. Typically, we push the update within 24 hours.

However, several packages still depend on webkitgtk@2.4, which is unmaintained upstream and surely contains many serious security vulnerabilities.

$ guix refresh -l webkitgtk@2.4
Building the following 6 packages would ensure 10 dependent packages are rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2

People who install these packages probably do not expect to install software containing publicly disclosed security vulnerabilities. We should try to make these packages use a maintained version of webkitgtk. If that's not possible, what should we do?

Here is a primer on the tangled world of webkit forks and versions:

https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It states that distros should not expect webkitgtk@2.4 to receive security updates:

------
We could attempt to provide security backports to WebKitGTK+ 2.4. This would be very time consuming and therefore very expensive, so count this out.
------
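The `guix refresh -l` listing in the message is the starting point for the check an operator actually wants: which of those dependents are installed in a given profile, and therefore carry the unmaintained webkitgtk@2.4 today? The following POSIX shell script is an added example, not code from the message or from Guix itself. It embeds a copy of the listing quoted above together with a constructed `guix package -I` profile listing (the store hashes are made up), splits each `name-version` token at the first hyphen that is followed by a digit, and intersects the result with the profile. On a real system the two inputs would come from running `guix refresh -l webkitgtk@2.4` and `guix package -I`.

```shell
#!/bin/sh
# Added example (not from the original message or from Guix): turn a
# `guix refresh -l` listing into one "name version" pair per line and
# intersect it with a profile's `guix package -I` output, so an operator can
# see which installed packages pull in the unmaintained webkitgtk@2.4.

# Copy of the `guix refresh -l webkitgtk@2.4` output quoted in the message.
REFRESH_OUTPUT='Building the following 6 packages would ensure 10 dependent packages are rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2'

# Constructed sample of `guix package -I` output (name, version, output,
# store path, tab-separated). The store hashes are made up for illustration.
PROFILE_LISTING=$(printf 'filezilla\t3.24.1\tout\t/gnu/store/0000000000000000000000000000000a-filezilla-3.24.1\nemacs\t25.1\tout\t/gnu/store/0000000000000000000000000000000b-emacs-25.1\naudacity\t2.1.2\tout\t/gnu/store/0000000000000000000000000000000c-audacity-2.1.2')

# dependents_of LISTING: print "name version" for each package named after
# "rebuilt:" in a `guix refresh -l` listing. Package names may contain
# hyphens (aria-maestosa) and so may versions (kicad's 4.0-1.4ee344e), so
# each token is split at the first hyphen-separated field that starts with
# a digit, which is the convention Guix uses for name-version tokens.
dependents_of() {
    printf '%s\n' "$1" | sed 's/^.*rebuilt: *//' | tr ' ' '\n' \
      | awk -F- 'NF > 1 {
            for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]/) break
            if (i > NF) next
            name = $1; for (j = 2; j < i; j++) name = name "-" $j
            ver = $i;  for (j = i + 1; j <= NF; j++) ver = ver "-" $j
            print name, ver
        }'
}

# installed_dependents LISTING PROFILE: print "name version" for every
# package in the profile listing that also appears among the dependents.
# The profile listing is matched on its first two fields (name, version).
installed_dependents() {
    deps=$(dependents_of "$1")
    printf '%s\n' "$2" | awk -v deps="$deps" '
        BEGIN {
            n = split(deps, lines, "\n")
            for (k = 1; k <= n; k++) if (lines[k] != "") want[lines[k]] = 1
        }
        ($1 " " $2) in want { print $1, $2 }'
}

# Stand-alone run: list the installed packages that pull in webkitgtk@2.4.
installed_dependents "$REFRESH_OUTPUT" "$PROFILE_LISTING"
```

The split rule matters: a naive "last hyphen" split would turn `kicad-4.0-1.4ee344e` into name `kicad-4.0`, and a naive "first hyphen" split would turn `aria-maestosa-1.4.11` into name `aria`; only the first hyphen followed by a digit gives the names that `guix package -I` reports, so the intersection works.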