GNU bug report logs - #26109
[PATCH 3/7] gnu: Add dcmtk.


Package: guix-patches;

Reported by: John Darrington <jmd <at> gnu.org>

Date: Wed, 15 Mar 2017 20:07:01 UTC

Severity: normal

Tags: patch

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 26109 in the body.
You can then email your comments to 26109 AT debbugs.gnu.org in the normal way.



Report forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Wed, 15 Mar 2017 20:07:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Darrington <jmd <at> gnu.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 15 Mar 2017 20:07:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: John Darrington <jmd <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: John Darrington <jmd <at> gnu.org>
Subject: [PATCH 3/7] gnu: Add dcmtk.
Date: Wed, 15 Mar 2017 21:05:20 +0100
* gnu/packages/image-processing.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
---
 gnu/local.mk                      |  1 +
 gnu/packages/image-processing.scm | 75 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 gnu/packages/image-processing.scm

diff --git a/gnu/local.mk b/gnu/local.mk
index c1b076a..15325d3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -187,6 +187,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/idris.scm			\
   %D%/packages/idutils.scm			\
   %D%/packages/image.scm			\
+  %D%/packages/image-processing.scm	\
   %D%/packages/image-viewers.scm	\
   %D%/packages/imagemagick.scm			\
   %D%/packages/indent.scm			\
diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
new file mode 100644
index 0000000..e1ad93e
--- /dev/null
+++ b/gnu/packages/image-processing.scm
@@ -0,0 +1,75 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 John Darrington <jmd <at> gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages image-processing)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix packages)
+  #:use-module (guix utils)
+  #:use-module (guix download)
+  #:use-module (guix build-system gnu)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages documentation)
+  #:use-module (gnu packages image)
+  #:use-module (gnu packages perl))
+
+(define-public dcmtk
+  (package
+    (name "dcmtk")
+    (version "3.6.0")
+    (source (origin
+              (method url-fetch)
+              (uri
+               (string-append
+                "ftp://dicom.offis.de/pub/dicom/offis/software/dcmtk/dcmtk"
+                (string-fold (lambda (x prev)
+                               (if (eq? x #\.) prev
+                                   (string-append prev (string x))))
+                             "" version)
+                "/dcmtk-"
+                version ".tar.gz"))
+              (sha256
+               (base32
+                "0fnkbq0nz8658svdn1xnjrv8qm618gln1q8ykwszmb9225q0kifg"))))
+    (build-system gnu-build-system)
+    (arguments `(#:parallel-build? #f ; Broken makefile
+                 #:tests? #f    ; There are no tests
+                 #:make-flags `("CXXFLAGS=-fpermissive -fPIC"
+                                "CFLAGS=-fPIC")
+                 #:phases
+                 (modify-phases %standard-phases
+                   (replace 'install
+                            (lambda* (#:key outputs #:allow-other-keys)
+                              (zero? (system* "make"
+                                              "install-all")))))))
+    (inputs `(("libtiff" ,libtiff)
+              ("libpng" ,libpng)
+              ("doxygen" ,doxygen)
+              ("zlib" ,zlib)))
+    (native-inputs `(("perl" ,perl)))
+    (synopsis "Libraries and programs implementing large parts the DICOM standard")
+    (description  "DCMTK is a collection of libraries and applications
+implementing large parts the DICOM standard.  It includes software for
+examining, constructing and converting DICOM image files, handling offline
+media, sending and receiving images over a network connection, as well as
+demonstrative image storage and worklist servers.")
+    (home-page "http://dcmtk.org")
+    (license (license:fsf-free
+              "file://COPYRIGHT"
+              "A union of the Apache 2.0 licence and various non-copyleft
+licences similar to the Modified BSD licence."))))
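Review bot: In `arguments`, `CXXFLAGS=-fpermissive` turns GCC's errors for non-conforming C++ into warnings for the whole build, and with `#:tests? #f` nothing in this recipe exercises the result, for a toolkit that per its own description receives images over a network connection. Please add a comment naming the error that forces `-fpermissive`, or fix the offending sources with a patch so the flag can be dropped. In the same hunk, `doxygen` is a build-time tool and belongs in `native-inputs` next to `perl`, the replaced `install` phase binds `outputs` without using it, and both `synopsis` and `description` read "large parts the DICOM standard" where "large parts of the DICOM standard" is meant.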
-- 
2.1.4





Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Fri, 17 Mar 2017 20:44:01 GMT) Full text and rfc822 format available.

Message #8 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: John Darrington <jmd <at> gnu.org>
Cc: 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Fri, 17 Mar 2017 16:42:59 -0400
[Message part 1 (text/plain, inline)]
John Darrington <jmd <at> gnu.org> writes:

> * gnu/packages/image-processing.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.

Judging from the description of the software, it seems like this could
fit in gnu/packages/image.scm.

> ---
>  gnu/local.mk                      |  1 +
>  gnu/packages/image-processing.scm | 75 +++++++++++++++++++++++++++++++++++++++
>  2 files changed, 76 insertions(+)
>  create mode 100644 gnu/packages/image-processing.scm
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index c1b076a..15325d3 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -187,6 +187,7 @@ GNU_SYSTEM_MODULES =				\
>    %D%/packages/idris.scm			\
>    %D%/packages/idutils.scm			\
>    %D%/packages/image.scm			\
> +  %D%/packages/image-processing.scm	\
>    %D%/packages/image-viewers.scm	\
>    %D%/packages/imagemagick.scm			\
>    %D%/packages/indent.scm			\
> diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
> new file mode 100644
> index 0000000..e1ad93e
> --- /dev/null
> +++ b/gnu/packages/image-processing.scm
> @@ -0,0 +1,75 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2017 John Darrington <jmd <at> gnu.org>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu packages image-processing)
> +  #:use-module ((guix licenses) #:prefix license:)
> +  #:use-module (guix packages)
> +  #:use-module (guix utils)
> +  #:use-module (guix download)
> +  #:use-module (guix build-system gnu)
> +  #:use-module (gnu packages)
> +  #:use-module (gnu packages compression)
> +  #:use-module (gnu packages documentation)
> +  #:use-module (gnu packages image)
> +  #:use-module (gnu packages perl))
> +
> +(define-public dcmtk
> +  (package
> +    (name "dcmtk")
> +    (version "3.6.0")
> +    (source (origin
> +              (method url-fetch)
> +              (uri
> +               (string-append
> +                "ftp://dicom.offis.de/pub/dicom/offis/software/dcmtk/dcmtk"
> +                (string-fold (lambda (x prev)
> +                               (if (eq? x #\.) prev
> +                                   (string-append prev (string x))))
> +                             "" version)

The same effect is more directly (IMO) accomplished using the following:

(string-join (string-split version #\.) "")

> +                "/dcmtk-"
> +                version ".tar.gz"))
> +              (sha256
> +               (base32
> +                "0fnkbq0nz8658svdn1xnjrv8qm618gln1q8ykwszmb9225q0kifg"))))
> +    (build-system gnu-build-system)
> +    (arguments `(#:parallel-build? #f ; Broken makefile
> +                 #:tests? #f    ; There are no tests
> +                 #:make-flags `("CXXFLAGS=-fpermissive -fPIC"
> +                                "CFLAGS=-fPIC")
> +                 #:phases
> +                 (modify-phases %standard-phases
> +                   (replace 'install
> +                            (lambda* (#:key outputs #:allow-other-keys)
> +                              (zero? (system* "make"
> +                                              "install-all")))))))
> +    (inputs `(("libtiff" ,libtiff)
> +              ("libpng" ,libpng)
> +              ("doxygen" ,doxygen)
> +              ("zlib" ,zlib)))
> +    (native-inputs `(("perl" ,perl)))
> +    (synopsis "Libraries and programs implementing large parts the DICOM standard")
> +    (description  "DCMTK is a collection of libraries and applications

Nitpicking again: why the double space between "description" and the
double quote?

> +implementing large parts the DICOM standard.  It includes software for
> +examining, constructing and converting DICOM image files, handling offline
> +media, sending and receiving images over a network connection, as well as
> +demonstrative image storage and worklist servers.")
> +    (home-page "http://dcmtk.org")
> +    (license (license:fsf-free
> +              "file://COPYRIGHT"
> +              "A union of the Apache 2.0 licence and various non-copyleft
> +licences similar to the Modified BSD licence."))))
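
Review bot: The `uri` in `source` fetches over plain `ftp://`, so the `sha256` recorded in this hunk only pins the bytes the packager received over an unauthenticated channel; it does not show that they are what upstream published. Before pushing, compare the hash against a checksum or signature from upstream if one exists, or against a second independent download, and state in the commit message which check was done. `home-page` is likewise `http://`; use an `https://` URL if the site serves one.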

Also, the linter says that this package is vulnerable to
CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
if that fix works for this package?

* https://github.com/commontk/DCMTK/commit/1b6bb76

Other than the above, LGTM.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Sat, 18 Mar 2017 07:24:02 GMT) Full text and rfc822 format available.

Message #11 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: John Darrington <john <at> darrington.wattle.id.au>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: John Darrington <jmd <at> gnu.org>, 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Sat, 18 Mar 2017 08:23:35 +0100
[Message part 1 (text/plain, inline)]
On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
     
     Judging from the description of the software, it seems like this could
     fit in gnu/packages/image.scm.
     Also, the linter says that this package is vulnerable to
     CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
     if that fix works for this package?
     
     * https://github.com/commontk/DCMTK/commit/1b6bb76
     

Unfortunately this patch doesn't go in.  It seems that as well as fixing this
vulnerability it also makes some unrelated changes.  Furthermore, it depends
on a whole lot of other patches which are not in this release.

Do we have a procedure on what to do in cases like this?

J'

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Sat, 18 Mar 2017 16:22:01 GMT) Full text and rfc822 format available.

Message #14 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: John Darrington <john <at> darrington.wattle.id.au>
Cc: John Darrington <jmd <at> gnu.org>, 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Sat, 18 Mar 2017 12:21:40 -0400
[Message part 1 (text/plain, inline)]
John Darrington <john <at> darrington.wattle.id.au> writes:

> On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>      
>      Judging from the description of the software, it seems like this could
>      fit in gnu/packages/image.scm.
>      Also, the linter says that this package is vulnerable to
>      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>      if that fix works for this package?
>      
>      * https://github.com/commontk/DCMTK/commit/1b6bb76
>      
>
> Unfortunately this patch doesn't go in.  It seems that as well as fixing this
> vulnerability it also makes some unrelated changes.  Furthermore, it depends
> on a whole lot of other patches which are not in this release.
>
> Do we have a procedure on what to do in cases like this?
>
> J'

I don't know if we have an official procedure, though we could try using
a later git snapshot with the security patch already integrated.
Hopefully that provides functionality compatible to that of the stable
release, though it's at least a five year difference between release times.

http://git.cmtk.org/?p=dcmtk.git,a=tags
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Sat, 18 Mar 2017 17:37:02 GMT) Full text and rfc822 format available.

Message #17 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: John Darrington <jmd <at> gnu.org>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: guix-devel <at> gnu.org, 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Sat, 18 Mar 2017 13:36:31 -0400
[CC guix-devel <at> gnu.org]

So we have to make a choice:

1. Package a released program with a known vulnerability; or
2. Package an unreleased git snapshot.

Which is the lesser evil?

J'

On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
> John Darrington <john <at> darrington.wattle.id.au> writes:
> 
> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
> >      
> >      Judging from the description of the software, it seems like this could
> >      fit in gnu/packages/image.scm.
> >      Also, the linter says that this package is vulnerable to
> >      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> >      if that fix works for this package?
> >      
> >      * https://github.com/commontk/DCMTK/commit/1b6bb76
> >      
> >
> > Unfortunately this patch doesn't go in.  It seems that as well as fixing this
> > vulnerability it also makes some unrelated changes.  Furthermore, it depends
> > on a whole lot of other patches which are not in this release.
> >
> > Do we have a procedure on what to do in cases like this?
> >
> > J'
> 
> I don't know if we have an official procedure, though we could try using
> a later git snapshot with the security patch already integrated.
> Hopefully that provides functionality compatible to that of the stable
> release, though it's at least a five year difference between release times.
> 
> http://git.cmtk.org/?p=dcmtk.git,a=tags






Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Tue, 21 Mar 2017 01:48:02 GMT) Full text and rfc822 format available.

Message #20 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: John Darrington <jmd <at> gnu.org>
Cc: guix-devel <at> gnu.org, 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Mon, 20 Mar 2017 21:47:37 -0400
[Message part 1 (text/plain, inline)]
John Darrington <jmd <at> gnu.org> writes:

> [CC guix-devel <at> gnu.org]
>
> So we have to make a choice:
>
> 1. Package a released program with a known vulnerability; or
> 2. Package an unreleased git snapshot.
>
> Which is the lesser evil?

I choose option two. I'm quite uncomfortable with packaging software
that is known to be vulnerable. To me it seems almost malicious if it
can be avoided.

Other opinions?

>
> J'
>
> On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
>> John Darrington <john <at> darrington.wattle.id.au> writes:
>> 
>> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>> >      
>> >      Judging from the description of the software, it seems like this could
>> >      fit in gnu/packages/image.scm.
>> >      Also, the linter says that this package is vulnerable to
>> >      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>> >      if that fix works for this package?
>> >      
>> >      * https://github.com/commontk/DCMTK/commit/1b6bb76
>> >      
>> >
>> > Unfortunately this patch doesn't go in.  It seems that as well as fixing this
>> > vulnerability it also makes some unrelated changes.  Furthermore, it depends
>> > on a whole lot of other patches which are not in this release.
>> >
>> > Do we have a procedure on what to do in cases like this?
>> >
>> > J'
>> 
>> I don't know if we have an official procedure, though we could try using
>> a later git snapshot with the security patch already integrated.
>> Hopefully that provides functionality compatible to that of the stable
>> release, though it's at least a five year difference between release times.
>> 
>> http://git.cmtk.org/?p=dcmtk.git,a=tags
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Tue, 21 Mar 2017 02:13:02 GMT) Full text and rfc822 format available.

Message #23 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: John Darrington <john <at> darrington.wattle.id.au>
Cc: John Darrington <jmd <at> gnu.org>, Kei Kebreau <kei <at> openmailbox.org>,
 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Mon, 20 Mar 2017 22:12:40 -0400
[Message part 1 (text/plain, inline)]
On Sat, Mar 18, 2017 at 08:23:35AM +0100, John Darrington wrote:
> On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>      
>      Judging from the description of the software, it seems like this could
>      fit in gnu/packages/image.scm.
>      Also, the linter says that this package is vulnerable to
>      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>      if that fix works for this package?
>      
>      * https://github.com/commontk/DCMTK/commit/1b6bb76
>      
> 
> Unfortunately this patch doesn't go in.  It seems that as well as fixing this
> vulnerability it also makes some unrelated changes.  Furthermore, it depends
> on a whole lot of other patches which are not in this release.
> 
> Do we have a procedure on what to do in cases like this?

We could see what other distros have done. Maybe they have a simpler
patch we could copy. Or, we could try building from an arbitrary Git
commit.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Tue, 21 Mar 2017 02:14:01 GMT) Full text and rfc822 format available.

Message #26 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: John Darrington <jmd <at> gnu.org>
Cc: guix-devel <at> gnu.org, Kei Kebreau <kei <at> openmailbox.org>,
 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Mon, 20 Mar 2017 22:13:31 -0400
[Message part 1 (text/plain, inline)]
On Sat, Mar 18, 2017 at 01:36:31PM -0400, John Darrington wrote:
> [CC guix-devel <at> gnu.org]
> 
> So we have to make a choice:
> 
> 1. Package a released program with a known vulnerability; or

Although all non-trivial software contains bugs, many of which can be
exploited, we should not add new packages with known exploitable
vulnerabilities.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Tue, 21 Mar 2017 02:31:02 GMT) Full text and rfc822 format available.

Message #29 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: John Darrington <john <at> darrington.wattle.id.au>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Tue, 21 Mar 2017 03:30:43 +0100
[Message part 1 (text/plain, inline)]
On Mon, Mar 20, 2017 at 10:12:40PM -0400, Leo Famulari wrote:
     On Sat, Mar 18, 2017 at 08:23:35AM +0100, John Darrington wrote:
     > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
     >      
     >      Judging from the description of the software, it seems like this could
     >      fit in gnu/packages/image.scm.
     >      Also, the linter says that this package is vulnerable to
     >      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
     >      if that fix works for this package?
     >      
     >      * https://github.com/commontk/DCMTK/commit/1b6bb76
     >      
     > 
     > Unfortunately this patch doesn't go in.  It seems that as well as fixing this
     > vulnerability it also makes some unrelated changes.  Furthermore, it depends
     > on a whole lot of other patches which are not in this release.
     > 
     > Do we have a procedure on what to do in cases like this?
     
     We could see what other distros have done. Maybe they have a simpler
     patch we could copy. 

I did try that too.  Unfortunately the Debian patch seems to have combined some non-CVE
fixes into the same patch AND that patch is dependent upon some other unrelated patches.

I probably could with a lot of trial and error make a patch which works, but IMO that
defeats the purpose.  A security patch should be A) as simple as possible; B) not
contain any unrelated fixes; and C) prepared by someone who knows what she is doing.

     Or, we could try building from an arbitrary Git commit.

Yes. That is the other option -  I think it might be what we'll have to do.

J'



-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26109; Package guix-patches. (Tue, 21 Mar 2017 18:31:01 GMT) Full text and rfc822 format available.

Message #32 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: John Darrington <john <at> darrington.wattle.id.au>
Cc: 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Tue, 21 Mar 2017 14:30:12 -0400
[Message part 1 (text/plain, inline)]
On Tue, Mar 21, 2017 at 03:30:43AM +0100, John Darrington wrote:
> On Mon, Mar 20, 2017 at 10:12:40PM -0400, Leo Famulari wrote:
> I did try that too.  Unfortunately the Debian patch seems to have combined some non-CVE
> fixes into the same patch AND that patch is dependent upon some other unrelated patches.

Bah.

> I probably could with a lot of trial and error make a patch which works, but IMO that
> defeats the purpose.  A security patch should be A) as simple as possible; B) not
> contain any unrelated fixes; and C) prepared by someone who knows what she is doing.

Indeed.

>      Or, we could try building from an arbitrary Git commit.
> 
> Yes. That is the other option -  I think it might be what we'll have to do.

Okay, let us know how it goes.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Ricardo Wurmus <rekado <at> elephly.net>:
You have taken responsibility. (Mon, 15 May 2017 21:08:02 GMT) Full text and rfc822 format available.

Notification sent to John Darrington <jmd <at> gnu.org>:
bug acknowledged by developer. (Mon, 15 May 2017 21:08:02 GMT) Full text and rfc822 format available.

Message #37 received at 26109-done <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26109-done <at> debbugs.gnu.org, John Darrington <john <at> darrington.wattle.id.au>
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Mon, 15 May 2017 23:07:40 +0200
Leo Famulari <leo <at> famulari.name> writes:

>>      Or, we could try building from an arbitrary Git commit.
>> 
>> Yes. That is the other option -  I think it might be what we'll have to do.
>
> Okay, let us know how it goes.

I tried extracting a patch but it was virtually impossible to make it
apply without introducing more security problems in the attempt.

So I updated the package to use the latest commit from git. 

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 13 Jun 2017 11:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 6 years and 317 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.