Subject: [bug#27909] Replace keepassx with keepassxc
Date: Tue, 1 Aug 2017 17:17:40 -0400
From: Leo Famulari
Message-ID: <20170801211740.GB5844@jasmine.lan>
References: <20170801150815.GJ2406@macbook42.flashner.co.il> <20170801194319.GA31810@jasmine.lan> <20170801201150.GQ2406@macbook42.flashner.co.il>
To: Manolis Ragkousis
Cc: 27909@debbugs.gnu.org, Efraim Flashner

On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
> Wouldn't it be a better option to keep both versions for the time being?
> Unless of course there is a security issue if we keep keepassx.

I think that using Qt-4 is a security issue because it's been
unmaintained for a long while now, relative to its complexity.

But we still have it in Guix because some packages would have to be
removed if we remove it, and we don't have a clear or simple policy
about what to do in cases like that. By the way, I'm not suggesting we
need such a policy.

Eventually we should remove those things, because it's not great to
offer users programs that we suspect have security bugs.

If somebody started publishing details of how to exploit Qt-4 apps, then
I think the choice would be clear. But I haven't read any such reports,
so I don't know for sure that it's vulnerable. I think it's a good bet,
however.