From: Leo Famulari
Subject: bug#27120: GraphicsMagick bundles libtiff, libpng, zlib, libxml2, and more
Date: Sun, 28 May 2017 17:26:25 -0400
Message-ID: <20170528212625.GA15986@jasmine>
In-Reply-To: <20170528202321.GA31713@jasmine>
List-Id: Bug reports for GNU Guix
To: 27120@debbugs.gnu.org

On Sun, May 28, 2017 at 04:23:21PM -0400, Leo Famulari wrote:
> GraphicsMagick bundles a large number of 3rd party libraries.
>
> We should unbundle and remove the ones that we can. For the rest, we
> should try patching their vulnerabilities and leaving code comments
> explaining the situation in the GraphicsMagick package definition.
The GraphicsMagick release tarball doesn't include these bundled libraries. They are only in the Mercurial checkout. We did not have to adjust our package very much when switching from the release tarballs to the Mercurial checkout, so they are probably not used, and it should not be too hard to unbundle them.
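The message above asks two questions about a checkout: which vendored copies of well-known libraries are present, and whether the build system actually uses them. The following is an added example, not code from the GraphicsMagick project or from the Guix package definition: a POSIX shell script that answers both for a given source directory. The library name list, the "referenced by the build system" heuristic (a mention in configure.ac or Makefile.am as a subdirectory or path) and the sample tree it runs against are constructed for this illustration; adapt the list and the patterns to the real checkout before relying on the result.

```shell
#!/bin/sh
# Added example (not GraphicsMagick or Guix code): report vendored library
# directories in a source checkout and whether the build system references them.
set -eu

# Libraries commonly vendored by image-processing projects (assumed list).
KNOWN_LIBS="bzlib jbig jp2 jpeg lcms libxml png tiff ttf wmf zlib"

# Print, one per line, the names in KNOWN_LIBS that exist as subdirectories of $1
# and contain at least one C source or header (a bare empty directory is ignored).
find_bundled() {
    dir=$1
    for lib in $KNOWN_LIBS; do
        if [ -d "$dir/$lib" ] &&
           find "$dir/$lib" \( -name '*.c' -o -name '*.h' \) | grep -q .; then
            echo "$lib"
        fi
    done
}

# Exit 0 if configure.ac or Makefile.am under $1 references directory $2, either
# in a SUBDIRS/AC_CONFIG_SUBDIRS list or as a path component ("png/...").
# Heuristic: a system-library check such as PKG_CHECK_MODULES([PNG], [libpng])
# does not count, because "libpng" is not the bare directory name.
build_references() {
    dir=$1; lib=$2
    pat="(AC_CONFIG_SUBDIRS|SUBDIRS).*[^A-Za-z0-9_]$lib([^A-Za-z0-9_]|\$)|(^|[^A-Za-z0-9_])$lib/"
    for f in "$dir/configure.ac" "$dir/Makefile.am"; do
        [ -f "$f" ] && grep -Eq "$pat" "$f" && return 0
    done
    return 1
}

# One line per bundled library: "<name> used" or "<name> unused".
report() {
    dir=$1
    find_bundled "$dir" | while read -r lib; do
        if build_references "$dir" "$lib"; then
            echo "$lib used"
        else
            echo "$lib unused"
        fi
    done
}

# Constructed sample checkout: three vendored libraries, of which only zlib is
# wired into the build; png is resolved from the system via pkg-config.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/png" "$SAMPLE/tiff" "$SAMPLE/zlib" "$SAMPLE/magick"
: > "$SAMPLE/png/png.c"
: > "$SAMPLE/tiff/tiffio.h"
: > "$SAMPLE/zlib/zlib.h"
: > "$SAMPLE/magick/image.c"
cat > "$SAMPLE/configure.ac" <<'EOF'
AC_INIT([example], [1.0])
PKG_CHECK_MODULES([PNG], [libpng])
AC_CONFIG_SUBDIRS([zlib])
AC_OUTPUT
EOF

report "$SAMPLE"
```

Run it against a real checkout by replacing `$SAMPLE` with the source directory; a library that is present but "unused" is a candidate for deletion in the package's source snippet, while a "used" one needs the build switched to the system copy first. The regular expression is deliberately conservative: it only treats a bare directory name in a subdirectory list, or a path starting with that directory, as a reference, so that checks for the system library (`libpng`, `libtiff`) do not masquerade as uses of the bundled copy.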