bug#26176: What to do about unmaintained frameworks like address@hidden

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#26176: What to do about unmaintained frameworks like address@hidden

From:	Efraim Flashner
Subject:	bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?
Date:	Mon, 20 Mar 2017 08:50:54 +0200
User-agent:	Mutt/1.8.0 (2017-02-23)

On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to address@hidden
> > Typically, we push the update within 24 hours.
> > 
> > However, several packages still depend on address@hidden, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> > 
> > $ guix refresh -l address@hidden
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> > 
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> > 
> > We should try to make these packages use a maintained version of
> > webkitgtk.
> 
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
> 

Good news on that front! 

$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2

kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the address@hidden version of
address@hidden

Wxwidgets currently is built with address@hidden, but it looks like it
supports webkit.

I'm currently working on testing wxwidgets built with webkit to see if
that takes care of everything currently relying on address@hidden other
than gnucash.

-- 
Efraim Flashner   <address@hidden>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?, Leo Famulari, 2017/03/19
- bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?, ng0, 2017/03/19
  - bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?, Efraim Flashner <=
    - bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?, Ludovic Courtès, 2017/03/20

Prev by Date: bug#26136: core-updates: address@hidden fails due to missing zlib
Next by Date: bug#26158: Gnome starts unreliably
Previous by thread: bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?
Next by thread: bug#26176: What to do about unmaintained frameworks like address@hidden in Guix?
Index(es):
- Date
- Thread