John Darrington writes: > [CC guix-devel@gnu.org] > > So we have to make a choice: > > 1. Package a released program with a known vulnerability; or > 2. Package an unreleased git snapshot. > > Which is the lesser evil? I choose option two. I'm quite uncomfortable with packaging software that is known to be vulnerable. To me it seems almost malicious if it can be avoided. Other opinions? > > J' > > On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote: >> John Darrington writes: >> >> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote: >> > >> > Judging from the description of the software, it seems like this could >> > fit in gnu/packages/image.scm. >> > Also, the linter says that this package vulnerable to >> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see >> > if that fix works for this package? >> > >> > * https://github.com/commontk/DCMTK/commit/1b6bb76 >> > >> > >> > Unfortunately this patch doesn't go in. It seems that as well as fixing this >> > vulnerability it also makes some unrelated changes. Furthermore, it depends >> > on a whole lot of other patches which are not in this release. >> > >> > Do we have a procedure on what to do in cases like this? >> > >> > J' >> >> I don't know if we have an official procedure, though we could try using >> a later git snapshot with the security patch already integrated. >> Hopefully that provides functionality compatible to that of the stable >> release, though it's at least a five year difference between release times. >> >> http://git.cmtk.org/?p=dcmtk.git,a=tags