From: Kei Kebreau
Subject: Re: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of w3m.
Date: Fri, 04 Nov 2016 10:52:55 -0400
Message-ID: <87d1ibwb3s.fsf@openmailbox.org>
In-Reply-To: <8760o31il3.fsf@gnu.org>
References: <87mvhgw4w0.fsf@openmailbox.org> <20161103221718.123dc755@centurylink.net> <20161104040309.GA5474@jasmine> <8760o31il3.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Leo Famulari skribis:
>
>> On Thu, Nov 03, 2016 at 10:17:18PM -0500, Eric Bavier wrote:
>>> On Thu, 03 Nov 2016 18:54:55 -0400
>>> Kei Kebreau wrote:
>>>
>>> > From b837111e3ddf406a3b9235538f63af678e3ac741 Mon Sep 17 00:00:00 2001
>>> > From: Kei Kebreau
>>> > Date: Thu, 3 Nov 2016 17:58:48 -0400
>>> > Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of w3m.
>>> >
>>> > Fixes some security issues seen here:
>>> >
>>> >
>>> > * gnu/packages/patches/w3m-upstream-20120522.patch: New file.
>>> > * gnu/packages/patches/w3m-debian-updates.patch: New file.
>>> > * gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained
>>> > fork of w3m.
>>> > [source]: Use Debian's tarball and patches. Remove obsolete patches.
>>> > [arguments]: Remove unnecessary modification of %standard-phases.
>>> > * gnu/local.mk (dist_patch_DATA): Register new patches. Remove obsolete
>>> > patches.
>>> > ---
>>> > gnu/local.mk | 6 +-
>>> > gnu/packages/patches/w3m-debian-updates.patch | 28498 +++++++++++++++++++
>>>
>>> So theirs is the only actively maintained version of w3m and all they
>>> can provide is a 28.5 thousand line patch? No VCS repository? There
>>> must be some point at which it would be better for us to fetch the
>>> patch in an origin rather than importing it into our repo.
>>
>> I think we build from their Git repo:
>>
>> https://anonscm.debian.org/cgit/collab-maint/w3m.git
>>
>> They even offer non-Debian-ized release tags, such as
>> .
>
> Then we should use that instead of importing all the patches in our own
> repo, IMO.
>
> Kei: would that work for you?
>
> Thanks,
> Ludo’.

Here it is!

From cc7a61d61160817ceb395b648b18c885175441e8 Mon Sep 17 00:00:00 2001
From: Kei Kebreau
Date: Fri, 4 Nov 2016 10:48:53 -0400
Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of w3m.

Fixes some security issues seen here:

* gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained fork of w3m.
[source]: Use Debian's git tree. Remove obsolete patches.
[arguments]: Remove unnecessary modification of %standard-phases.
* gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: Delete file.
* gnu/packages/patches/w3m-disable-weak-ciphers.patch: Delete file.
* gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: Delete file.
* gnu/packages/patches/w3m-libgc.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk | 4 ---
 .../patches/w3m-disable-sslv2-and-sslv3.patch | 24 --------------
 .../patches/w3m-disable-weak-ciphers.patch | 24 --------------
 .../patches/w3m-force-ssl_verify_server-on.patch | 24 --------------
 gnu/packages/patches/w3m-libgc.patch | 28 ----------------
 gnu/packages/w3m.scm | 38 +++++++---------------
 6 files changed, 11 insertions(+), 131 deletions(-)
 delete mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
 delete mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
 delete mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
 delete mode 100644 gnu/packages/patches/w3m-libgc.patch

diff --git a/gnu/local.mk b/gnu/local.mk index a23d536..a34d8ae 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -891,10 +891,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/vtk-mesa-10.patch \ =2D %D%/packages/patches/w3m-libgc.patch \ =2D %D%/packages/patches/w3m-force-ssl_verify_server-on.patch \ =2D %D%/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ =2D %D%/packages/patches/w3m-disable-weak-ciphers.patch \ %D%/packages/patches/weechat-python.patch \ %D%/packages/patches/weex-vacopy.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/p= ackages/patches/w3m-disable-sslv2-and-sslv3.patch deleted file mode 100644 index 5b78f2d..0000000 =2D-- a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch +++ /dev/null @@ -1,24 +0,0 @@ =2DSubject: Disable SSLv2 and SSLv3. =2D =2DThe only remaining methods are TLSv1.* (the code never distinguishes =2Dbetween TLSv1.0, TLSv1.1, and TLSv1.2). =2D--- =2D fm.h | 2 +- =2D 1 file changed, 1 insertion(+), 1 deletion(-) =2D =2Ddiff --git a/fm.h b/fm.h =2Dindex 320906c..ddcd4fc 100644 =2D--- a/fm.h =2D+++ b/fm.h =2D@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); =2D #endif /* defined(USE_SSL) && =2D * defined(USE_SSL_VERIFY) */ =2D #ifdef USE_SSL =2D-global char *ssl_forbid_method init(NULL); =2D+global char *ssl_forbid_method init("2, 3"); =2D #endif =2D=20 =2D global int is_redisplay init(FALSE); =2D--=20 =2D2.6.4 =2D diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/pack= ages/patches/w3m-disable-weak-ciphers.patch deleted file mode 100644 index 4780d54..0000000 =2D-- a/gnu/packages/patches/w3m-disable-weak-ciphers.patch +++ /dev/null 
@@ -1,24 +0,0 @@ =2DSubject: Disable weak ciphers =2D =2DDisable RC4, "export ciphers", and all keys < 128 bits. =2D =2DBug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674 =2D--- =2D url.c | 1 + =2D 1 file changed, 1 insertion(+) =2D =2Ddiff --git a/url.c b/url.c =2Dindex ed6062e..e86b1f3 100644 =2D--- a/url.c =2D+++ b/url.c =2D@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cer= t) =2D SSL_load_error_strings(); =2D if (!(ssl_ctx =3D SSL_CTX_new(SSLv23_client_method()))) =2D goto eend; =2D+ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); =2D option =3D SSL_OP_ALL; =2D if (ssl_forbid_method) { =2D if (strchr(ssl_forbid_method, '2')) =2D--=20 =2D2.6.4 =2D diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gn= u/packages/patches/w3m-force-ssl_verify_server-on.patch deleted file mode 100644 index dc9f117..0000000 =2D-- a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch +++ /dev/null @@ -1,24 +0,0 @@ =2DSubject: Force ssl_verify_server on. =2D =2DBy default, SSL/TLS certificates are not verified. This enables the =2Dverification. =2D--- =2D fm.h | 2 +- =2D 1 file changed, 1 insertion(+), 1 deletion(-) =2D =2Ddiff --git a/fm.h b/fm.h =2Dindex 8378939..320906c 100644 =2D--- a/fm.h =2D+++ b/fm.h =2D@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); =2D #endif =2D=20 =2D #if defined(USE_SSL) && defined(USE_SSL_VERIFY) =2D-global int ssl_verify_server init(FALSE); =2D+global int ssl_verify_server init(TRUE); =2D global char *ssl_cert_file init(NULL); =2D global char *ssl_key_file init(NULL); =2D global char *ssl_ca_path init(NULL); =2D--=20 =2D2.6.4 =2D diff --git a/gnu/packages/patches/w3m-libgc.patch b/gnu/packages/patches/w3= m-libgc.patch deleted file mode 100644 index 0dc6a40..0000000 =2D-- a/gnu/packages/patches/w3m-libgc.patch +++ /dev/null 
@@ -1,28 +0,0 @@ =2DThis patch fixes w3m compilation with libgc > 7.2. =2D =2DReported: =2Dhttps://bugs.archlinux.org/task/33397 =2D =2DPatch with explanation: =2Dhttp://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=3D770eec8= 304bdbe458 =2D--- =2D main.c | 3 ++- =2D 1 file changed, 2 insertions(+), 1 deletion(-) =2D =2Ddiff --git a/main.c b/main.c =2Dindex b421943..249eb1a 100644 =2D--- a/main.c =2D+++ b/main.c =2D@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp) =2D mySignal(SIGPIPE, SigPipe); =2D #endif =2D=20 =2D- orig_GC_warn_proc =3D GC_set_warn_proc(wrap_GC_warn_proc); =2D+ orig_GC_warn_proc =3D GC_get_warn_proc(); =2D+ GC_set_warn_proc(wrap_GC_warn_proc); =2D err_msg =3D Strnew(); =2D if (load_argc =3D=3D 0) { =2D /* no URL specified */ =2D--=20 =2D2.6.4 =2D diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm index e7dd583..80171de 100644 =2D-- a/gnu/packages/w3m.scm +++ b/gnu/packages/w3m.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2013 Nikita Karetnikov ;;; Copyright =C2=A9 2016 Leo Famulari +;;; Copyright =C2=A9 2016 Kei Kebreau ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,7 +29,7 @@ #:use-module (gnu packages tls) #:use-module (gnu packages) #:use-module (guix packages) =2D #:use-module (guix download) + #:use-module (guix git-download) #:use-module (guix build-system gnu)) =20 (define-public w3m 
@@ -36,33 +37,16 @@ (name "w3m") (version "0.5.3") (source (origin =2D (method url-fetch) =2D (uri (string-append "mirror://sourceforge/" name "/" name "= /" =2D name "-" version "/" =2D name "-" version ".tar.gz")) =2D (sha256 =2D (base32 =2D "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) =2D =2D ;; cf. https://bugs.archlinux.org/task/33397 =2D (patches (search-patches "w3m-libgc.patch" =2D "w3m-force-ssl_verify_server-on.pa= tch" =2D "w3m-disable-sslv2-and-sslv3.patch" =2D "w3m-disable-weak-ciphers.patch"))= )) + (method git-fetch) + ;; Debian's fork of w3m is the only one that is still mainta= ined. + (uri (git-reference + (url "https://anonscm.debian.org/cgit/collab-maint/w3m= .git") + (commit "v0.5.3+git20161031"))) + (sha256 + (base32 + "142vkkmsk76wj9w6r4y2pa1hmy1kkzmc73an9zchx0ikm2z92x6s")))) (build-system gnu-build-system) =2D (arguments `(#:tests? #f ; no check target =2D #:phases (alist-cons-before =2D 'configure 'fix-perl =2D (lambda _ =2D ;; https://launchpad.net/bugs/935540 =2D ;; 'struct file_handle' is used by 'glibc' =2D (substitute* '("istream.c" "istream.h") =2D (("struct[[:blank:]]+file_handle") =2D "struct w3m_file_handle")) =2D (substitute* '("scripts/w3mmail.cgi.in" =2D "scripts/dirlist.cgi.in") =2D (("@PERL@") (which "perl")))) =2D %standard-phases))) + (arguments `(#:tests? 
#f)) ; no check target (inputs `(("libgc" ,libgc) ("ncurses" ,ncurses) =2D-=20 2.10.2
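
Review bot: The three deleted TLS hardening patches (w3m-force-ssl_verify_server-on.patch, w3m-disable-sslv2-and-sslv3.patch, w3m-disable-weak-ciphers.patch) are dropped without anything in the diff showing that the Debian tree ships the same defaults. They set ssl_verify_server init(TRUE), ssl_forbid_method init("2, 3") and the cipher list "DEFAULT:!LOW:!RC4:!EXP"; w3m-libgc.patch names in its header the Debian commit it was taken from, but these three carry no such pointer. Please confirm that the tree at v0.5.3+git20161031 verifies certificates by default and refuses SSLv2, SSLv3 and the weak ciphers, and state that in the commit message; if any of the three behaviours is missing there, keep the corresponding patch.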
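
Review bot: In the module list of gnu/packages/w3m.scm (hunk -28,7 +29,7), #:use-module (gnu packages) is kept although the only use of it visible in this patch, the search-patches call in the origin, is removed further down. If nothing else in the file needs that module, drop the import in the same commit as the switch from (guix download) to (guix git-download).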
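
Review bot: In the origin hunk of gnu/packages/w3m.scm (-36,33 +37,16), (version "0.5.3") is left unchanged although the source is now the tag v0.5.3+git20161031, so the package version no longer tells anyone whether a given build is the old SourceForge 0.5.3 tarball or the Debian tree with the security fixes. Set the version to "0.5.3+git20161031", derive the reference from it with (commit (string-append "v" version)), and add a (file-name ...) to the origin so the checkout carries the package name and version. The same hunk removes the whole fix-perl phase, that is, both the struct file_handle rename in istream.c and istream.h and the @PERL@ substitution in scripts/w3mmail.cgi.in and scripts/dirlist.cgi.in; the commit message calls this unnecessary without saying why, so please note what in the Debian tree makes each of the two substitutions redundant.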