GNU bug report logs -
#26176
What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sun, 19 Mar 2017 20:45:01 UTC
Severity: normal
Done: Chris Marusich <cmmarusich <at> gmail.com>
Report forwarded to bug-guix <at> gnu.org: bug#26176; Package guix. (Sun, 19 Mar 2017 20:45:01 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 19 Mar 2017 20:45:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
We do a good job of deploying security updates to webkitgtk@2.14.
Typically, we push the update within 24 hours.

However, several packages still depend on webkitgtk@2.4, which is
unmaintained upstream and surely contains many serious security
vulnerabilities.

$ guix refresh -l webkitgtk@2.4
Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2

People who install these packages probably do not expect to install
software containing publicly disclosed security vulnerabilities.

We should try to make these packages use a maintained version of
webkitgtk.

If that's not possible, what should we do?

Here is a primer on the tangled world of webkit forks and versions:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It states that distros should not expect webkitgtk@2.4 to receive
security updates:
------
We could attempt to provide security backports to WebKitGTK+ 2.4. This
would be very time consuming and therefore very expensive, so count this
out.
------
Information forwarded to bug-guix <at> gnu.org: bug#26176; Package guix. (Sun, 19 Mar 2017 21:10:02 GMT)
Message #8 received at 26176 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari transcribed 2.1K bytes:
> We do a good job of deploying security updates to webkitgtk@2.14.
> Typically, we push the update within 24 hours.
>
> However, several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
>
> $ guix refresh -l webkitgtk@2.4
> Building the following 6 packages would ensure 10 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
>
> People who install these packages probably do not expect to install
> software containing publicly disclosed security vulnerabilities.
>
> We should try to make these packages use a maintained version of
> webkitgtk.
Maybe those packages are already confirmed to work with 2.14, in some
commit in upstream software. If they aren't, and we can't make them
build with 2.14 in a functional way, it would serve a broad spectrum of
clients including Guix users to get in contact with the affected
package.
> If that's not possible, what should we do?
>
> Here is a primer on the tangled world of webkit forks and versions:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>
> It states that distros should not expect webkitgtk@2.4 to receive
> security updates:
> ------
> We could attempt to provide security backports to WebKitGTK+ 2.4. This
> would be very time consuming and therefore very expensive, so count this
> out.
> ------
Information forwarded to bug-guix <at> gnu.org: bug#26176; Package guix. (Mon, 20 Mar 2017 06:52:03 GMT)
Message #11 received at 26176 <at> debbugs.gnu.org (full text, mbox):
On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to webkitgtk@2.14.
> > Typically, we push the update within 24 hours.
> >
> > However, several packages still depend on webkitgtk@2.4, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> >
> > $ guix refresh -l webkitgtk@2.4
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> >
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> >
> > We should try to make these packages use a maintained version of
> > webkitgtk.
>
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
>
Good news on that front!

$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2

kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
webkit@2.4.

Wxwidgets currently is built with webkit@2.4, but it looks like it
supports webkit.

I'm currently working on testing wxwidgets built with webkit to see if
that takes care of everything currently relying on webkit@ancient other
than gnucash.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Information forwarded to bug-guix <at> gnu.org: bug#26176; Package guix. (Mon, 20 Mar 2017 22:28:02 GMT)
Message #14 received at 26176 <at> debbugs.gnu.org (full text, mbox):
Howdy!
Efraim Flashner <efraim <at> flashner.co.il> skribis:
> Good news on that front!
>
> $ guix refresh -l wxwidgets
> Building the following 5 packages would ensure 6 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 audacity-2.1.2

BTW, I used:

  guix graph -t reverse-package webkitgtk@2.4

to find out how things ended up depending on it.

> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.
>
> Wxwidgets currently is built with webkit@2.4, but it looks like it
> supports webkit.
>
> I'm currently working on testing wxwidgets built with webkit to see if
> that takes care of everything currently relying on webkit@ancient other
> than gnucash.
Looks like it worked pretty well. :-)
Thank you!
Ludo’.
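The reverse-dependency walk discussed above (what `guix graph -t reverse-package` does, and why `guix refresh -l webkitgtk@2.4` did not surface gnucash) can be illustrated with a small stand-alone script. This is an added example, not code from the thread and not Guix's own implementation; the dependency table is a constructed approximation of what the messages describe (wxwidgets links against webkitgtk@2.4, kicad uses a gtk+-2 build of wxwidgets, gnucash uses the separately named webkitgtk/gtk+-2), not the real Guix package graph, and the package names in it are used only as labels.

```python
"""Transitive reverse-dependency triage for an unmaintained library.

Added example, not code from the bug thread or from Guix. The table below
is a CONSTRUCTED approximation of what the thread describes; the real
graph is what `guix graph -t reverse-package` prints.
"""
from collections import defaultdict, deque

# package -> direct inputs (constructed sample data, not the Guix graph)
DEPENDS_ON = {
    "webkitgtk@2.4": [],
    "webkitgtk/gtk+-2": [],      # same unmaintained code, different name
    "webkitgtk@2.14": [],        # the maintained series
    "gtk+@2": [],
    "wxwidgets": ["webkitgtk@2.4"],
    "wxwidgets-gtk2": ["webkitgtk@2.4", "gtk+@2"],
    "aria-maestosa": ["wxwidgets"],
    "wxmaxima": ["wxwidgets"],
    "filezilla": ["wxwidgets"],
    "elixir": ["wxwidgets"],
    "audacity": ["wxwidgets"],
    "kicad": ["wxwidgets-gtk2"],
    "gnucash": ["webkitgtk/gtk+-2"],
    "epiphany": ["webkitgtk@2.14"],
}


def reverse_graph(depends_on):
    """Invert package -> inputs into input -> direct dependents."""
    rev = defaultdict(set)
    for pkg, inputs in depends_on.items():
        rev.setdefault(pkg, set())          # make every package a key
        for dep in inputs:
            rev[dep].add(pkg)
    return rev


def dependents(depends_on, targets):
    """Breadth-first walk up the reverse graph from a list of targets.

    Returns {dependent: path}, where path is the chain from the target to
    that dependent, so the maintainer sees via which intermediate package
    (here wxwidgets) the unmaintained library is pulled in.
    """
    rev = reverse_graph(depends_on)
    found = {}
    queue = deque((t, [t]) for t in targets)
    while queue:
        pkg, path = queue.popleft()
        for user in sorted(rev.get(pkg, ())):
            if user not in found:
                found[user] = path + [user]
                queue.append((user, found[user]))
    return found


def leaves(depends_on, targets):
    """Dependents that nothing else in the closure builds on: roughly the
    end-user packages `guix refresh -l` reports as needing a rebuild."""
    deps = dependents(depends_on, targets)
    rev = reverse_graph(depends_on)
    affected = set(deps)
    return sorted(p for p in deps if not (rev[p] & affected))


if __name__ == "__main__":
    old = ["webkitgtk@2.4"]
    for pkg, path in dependents(DEPENDS_ON, old).items():
        print(f"{pkg:15} via {' -> '.join(path)}")
    print("leaves:", leaves(DEPENDS_ON, old))
    # A search by one package name misses gnucash; list every package that
    # ships the same unmaintained code to see the full exposure.
    all_old = ["webkitgtk@2.4", "webkitgtk/gtk+-2"]
    missed = set(dependents(DEPENDS_ON, all_old)) - set(dependents(DEPENDS_ON, old))
    print("missed by name-only search:", sorted(missed))
```

The path output is the part `guix refresh -l` does not give you: it tells the maintainer that the six leaf packages all reach webkitgtk@2.4 through wxwidgets, so rebuilding wxwidgets against a maintained WebKit fixes them in one go, while gnucash only appears once the differently named webkitgtk/gtk+-2 package is included in the search.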
Information forwarded to bug-guix <at> gnu.org: bug#26176; Package guix. (Fri, 07 Apr 2017 12:03:01 GMT)
Message #17 received at 26176 <at> debbugs.gnu.org (full text, mbox):
On Mon, Mar 20, 2017 at 08:50:54AM +0200, Efraim Flashner wrote:
> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.
Good news: the GnuCash developers are actively working to make GnuCash
compatible with the latest version of webkitgtk (or to completely remove
the dependency):
https://bugzilla.gnome.org/show_bug.cgi?id=751635
The other good news is that, apparently, GnuCash's use of webkit is
relatively insulated from security issues:
"GnuCash isn't affected by WebKit vulnerabilities, WebKit is used
exclusively to render HTML and interpret Javascript both created by
GnuCash itself."
https://bugzilla.gnome.org/show_bug.cgi?id=751635#c4
Reply sent to Chris Marusich <cmmarusich <at> gmail.com>: You have taken responsibility. (Sat, 09 Jun 2018 05:12:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Sat, 09 Jun 2018 05:12:02 GMT)
Message #22 received at 26176-done <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> Several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
We've removed webkitgtk-2.4 in commit
38039b4fa917c7516535167fb082ea63850ee578, which has been merged into
master (according to 'git branch --all --contains
38039b4fa917c7516535167fb082ea63850ee578'), so I'm closing this bug
report.
--
Chris
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 07 Jul 2018 11:24:04 GMT)