Subject: [bug#30329] [PATCH] gnu: emacs: Build with xwidgets support.
Date: Wed, 7 Feb 2018 21:32:53 -0500
From: Leo Famulari
To: Alex Vong
Cc: 30329@debbugs.gnu.org
Message-ID: <20180208023253.GA16980@jasmine.lan>
In-Reply-To: <87a7wks34s.fsf@gmail.com>

On Thu, Feb 08, 2018 at 09:04:35AM +0800, Alex Vong wrote:
> I agree with what Leo thought. Since it is up to emacs package authors
> to make sure untrusted input is never sent to webkitgtk, and it is hard
> to guarantee that every package does the right thing.

I'd like to clarify myself a bit.

I believe that with some time and effort, someone could find exploitable
bugs in every complex piece of software in Guix. We shouldn't let this
hold us back from enjoying the features of the software.

However, in cases where the bugs were publicized long ago (webkitgtk
2.4.0 is almost 4 years old; 2.4.11 almost 2 years old) and the bugs are
easily accessible to attackers (webkitgtk renders content from web
pages) we should be more careful.

GnuCash is now the only thing in our tree using this old webkitgtk, and
the GnuCash developers are actively working to make GnuCash use a more
recent version. Other distros have even removed GnuCash or are preparing
to remove it due to this issue, but I think we can wait for a bit
longer.

BTW, there is a bug to discuss related issues at .