guix-patches
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#26109: [PATCH 3/7] gnu: Add dcmtk.

From: John Darrington
Subject: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Sat, 18 Mar 2017 13:36:31 -0400
User-agent: Mutt/1.5.21 (2010-09-15) 
[CC address@hidden

So we have to make a choice:

1. Package a released program with a known vulnerability; or
2. Package an unreleased git snapshot.

Which is the lesser evil?

J'

On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
> John Darrington <address@hidden> writes:
> 
> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
> >      
> >      Judging from the description of the software, it seems like this could
> >      fit in gnu/packages/image.scm.
> >      Also, the linter says that this package vulnerable to
> >      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> >      if that fix works for this package?
> >      
> >      * https://github.com/commontk/DCMTK/commit/1b6bb76
> >      
> >
> > Unfortunately this patch doesn't go in.  It seems that as well as fixing 
> > this
> > vulnerability it also makes some unrelated changes.  Furthermore, it depends
> > on a whole lot of other patches which are not in this release.
> >
> > Do we have a procedure on what to do in cases like this?
> >
> > J'
> 
> I don't know if we have an official procedure, though we could try using
> a later git snapshot with the security patch already integrated.
> Hopefully that provides functionality compatible to that of the stable
> release, though it's at least a five year difference between release times.
> 
> http://git.cmtk.org/?p=dcmtk.git,a=tags
reply via email to
[Prev in Thread] Current Thread [Next in Thread]