From: ng0
Subject: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Sun, 19 Mar 2017 22:17:38 +0000
Message-ID: <20170319221738.rjmsoak3y5otq5vu@abyayala>
References: <20170319204414.GA23467@jasmine>
In-Reply-To: <20170319204414.GA23467@jasmine>
To: Leo Famulari
Cc: 26176@debbugs.gnu.org

Leo Famulari transcribed 2.1K bytes:
> We do a good job of deploying security updates to webkitgtk@2.14.
> Typically, we push the update within 24 hours.
>
> However, several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
>
> $ guix refresh -l webkitgtk@2.4
> Building the following 6 packages would ensure 10 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
>
> People who install these packages probably do not expect to install
> software containing publicly disclosed security vulnerabilities.
>
> We should try to make these packages use a maintained version of
> webkitgtk.

Maybe those packages are already confirmed to work with 2.14, in some
commit in upstream software. If they aren't, and we can't make them
build with 2.14 in a functional way, it would serve a broad spectrum of
clients, including Guix users, to get in contact with the affected package.

> If that's not possible, what should we do?
>
> Here is a primer on the tangled world of webkit forks and versions:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>
> It states that distros should not expect webkitgtk@2.4 to receive
> security updates:
> ------
> We could attempt to provide security backports to WebKitGTK+ 2.4. This
> would be very time consuming and therefore very expensive, so count this
> out.
> ------