[debbugs-tracker] bug#26176: closed (What to do about unmaintained frame

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#26176: closed (What to do about unmaintained frame

From:	GNU bug Tracking System
Subject:	[debbugs-tracker] bug#26176: closed (What to do about unmaintained frameworks like address@hidden in Guix?)
Date:	Sat, 09 Jun 2018 05:12:02 +0000

Your message dated Fri, 08 Jun 2018 22:11:10 -0700
with message-id <address@hidden>
and subject line Re: bug#26176: What to do about unmaintained frameworks like 
address@hidden in Guix?
has caused the debbugs.gnu.org bug report #26176,
regarding What to do about unmaintained frameworks like address@hidden in Guix?
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
26176: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=26176
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message --- Subject: What to do about unmaintained frameworks like address@hidden in Guix? Date: Sun, 19 Mar 2017 16:44:14 -0400 User-agent: Mutt/1.8.0 (2017-02-23)

We do a good job of deploying security updates to address@hidden
Typically, we push the update within 24 hours.

However, several packages still depend on address@hidden, which is
unmaintained upstream and surely contains many serious security
vulnerabilities.

$ guix refresh -l address@hidden
Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2

People who install these packages probably do not expect to install
software containing publicly disclosed security vulnerabilities.

We should try to make these packages use a maintained version of
webkitgtk.

If that's not possible, what should we do?

Here is a primer on the tangled world of webkit forks and versions:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It states that distros should not expect address@hidden to receive
security updates:
------
We could attempt to provide security backports to WebKitGTK+ 2.4. This
would be very time consuming and therefore very expensive, so count this
out.
------

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message --- Subject: Re: bug#26176: What to do about unmaintained frameworks like address@hidden in Guix? Date: Fri, 08 Jun 2018 22:11:10 -0700 User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Leo Famulari <address@hidden> writes:

> Several packages still depend on address@hidden, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.

We've removed webkitgtk-2.4 in commit
38039b4fa917c7516535167fb082ea63850ee578, which has been merged into
master (according to 'git branch --all --contains
38039b4fa917c7516535167fb082ea63850ee578'), so I'm closing this bug
report.

-- 
Chris
signature.asc
Description: PGP signature

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

[debbugs-tracker] bug#26176: closed (What to do about unmaintained frameworks like address@hidden in Guix?), GNU bug Tracking System <=

Prev by Date: [debbugs-tracker] bug#31672: closed ([PATCH 0/2] Add Mame)
Next by Date: [debbugs-tracker] bug#25192: closed (guix-0.11.0 fails to compile on modern GuixSD system)
Previous by thread: [debbugs-tracker] bug#31672: closed ([PATCH 0/2] Add Mame)
Next by thread: [debbugs-tracker] bug#25192: closed (guix-0.11.0 fails to compile on modern GuixSD system)
Index(es):
- Date
- Thread