Updated patch attached! Leo Famulari writes: > On Fri, Nov 04, 2016 at 10:52:55AM -0400, Kei Kebreau wrote: > > Thanks! > >> From cc7a61d61160817ceb395b648b18c885175441e8 Mon Sep 17 00:00:00 2001 >> From: Kei Kebreau >> Date: Fri, 4 Nov 2016 10:48:53 -0400 >> Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of w3m. >> >> Fixes some security issues seen here: >> >> >> * gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained >> fork of w3m. > > No need to rewrite the commit title here :) > Got it. :) >> [source]: Use Debian's git tree. Remove obsolete patches. >> [arguments]: Remove unnecessary modification of %standard-phases. >> * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: Delete file. >> * gnu/packages/patches/w3m-disable-weak-ciphers.patch: Delete file. >> * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: Delete file. >> * gnu/packages/patches/w3m-libgc.patch: Delete file. > > Or: > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch, > gnu/packages/patches/w3m-disable-weak-ciphers.patch, > gnu/packages/patches/w3m-force-ssl_verify_server-on.patch, > gnu/packages/patches/w3m-libgc.patch: Delete files. > Fixed. > By the way, I double-checked that all these patches are indeed > integrated into the release tag used by this package definition. > I checked, too! Nice to know that we're doubly safe. >> (define-public w3m >> @@ -36,33 +37,16 @@ >> (name "w3m") >> (version "0.5.3") > > This should reflect the tag used in (commit). > I adjusted this according to what some other packages have done. Please tell me if I did it correctly. >> (source (origin >> - (method url-fetch) >> - (uri (string-append "mirror://sourceforge/" name "/" name "/" >> - name "-" version "/" >> - name "-" version ".tar.gz")) >> - (sha256 >> - (base32 >> - "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) >> - >> - ;; cf. https://bugs.archlinux.org/task/33397 >> - (patches (search-patches "w3m-libgc.patch" >> - "w3m-force-ssl_verify_server-on.patch" >> - "w3m-disable-sslv2-and-sslv3.patch" >> - "w3m-disable-weak-ciphers.patch")))) >> + (method git-fetch) >> + ;; Debian's fork of w3m is the only one that is still maintained. >> + (uri (git-reference >> + (url "https://anonscm.debian.org/cgit/collab-maint/w3m.git") >> + (commit "v0.5.3+git20161031"))) > >> - (substitute* '("scripts/w3mmail.cgi.in" >> - "scripts/dirlist.cgi.in") >> - (("@PERL@") (which "perl")))) > > Does this @PERL@ get patched correctly? > No, it does not! I added the substitution back in. The other substitution appears to be handled by Debian upstream. > Thanks for taking this on! You're welcome! It frees up other developers' time to handle larger hacking targets than I can muster.