On Mon, May 29, 2017 at 08:38:58PM +0200, Ricardo Wurmus wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > Here are patches that allow you build groff, cairo, and cups with the
> > Artifex Ghostscript.
> 
> Woo!

Actually tested and it works!

> > +        (patches (search-patches "artifex-ghostscript-runpath.patch"
> > +                                 ;; TODO:
> > +                                 ;;"ghostscript-CVE-2017-8291.patch"
> > +                                 ))
> 
> What’s up with this?  Is the latest release of Artifex Ghostscript
> vulnerable?

I added this patch in v2 of the patch series (attached).

> > +         (replace 'build
> > +           (lambda _
> > +             ;; Build 'libgs.so', but don't build the statically-linked 'gs'
> > +             ;; binary (saves 22 MiB).
> > +             (zero? (system* "make" "so" "-j"
> > +                             (number->string
> > (parallel-job-count))))))
> 
> Couldn’t we just add “#:make-flags '("so")” and avoid replacing the
> build phase?

It seems to work.

How should we make this transition? Should we add Artifex Ghostscript
and transition packages over to it, wait for the next core-updates, or
something else?