GNU bug report logs - #26176
What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 19 Mar 2017 20:45:01 UTC

Severity: normal

Done: Chris Marusich <cmmarusich <at> gmail.com>

Bug is archived. No further changes may be made.

Report forwarded to bug-guix <at> gnu.org:
bug#26176; Package guix. (Sun, 19 Mar 2017 20:45:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 19 Mar 2017 20:45:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Sun, 19 Mar 2017 16:44:14 -0400
We do a good job of deploying security updates to webkitgtk@2.14.
Typically, we push the update within 24 hours.

However, several packages still depend on webkitgtk@2.4, which is
unmaintained upstream and surely contains many serious security
vulnerabilities.

$ guix refresh -l webkitgtk@2.4
Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2

People who install these packages probably do not expect to install
software containing publicly disclosed security vulnerabilities.

We should try to make these packages use a maintained version of
webkitgtk.

If that's not possible, what should we do?

Here is a primer on the tangled world of webkit forks and versions:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It states that distros should not expect webkitgtk@2.4 to receive
security updates:
------
We could attempt to provide security backports to WebKitGTK+ 2.4. This
would be very time consuming and therefore very expensive, so count this
out.
------

Information forwarded to bug-guix <at> gnu.org:
bug#26176; Package guix. (Sun, 19 Mar 2017 21:10:02 GMT)

Message #8 received at 26176 <at> debbugs.gnu.org:

From: ng0 <contact.ng0 <at> cryptolab.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26176 <at> debbugs.gnu.org
Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Sun, 19 Mar 2017 22:17:38 +0000
Leo Famulari transcribed 2.1K bytes:
> We do a good job of deploying security updates to webkitgtk@2.14.
> Typically, we push the update within 24 hours.
> 
> However, several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
> 
> $ guix refresh -l webkitgtk@2.4
> Building the following 6 packages would ensure 10 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> 
> People who install these packages probably do not expect to install
> software containing publicly disclosed security vulnerabilities.
> 
> We should try to make these packages use a maintained version of
> webkitgtk.

Maybe those packages are already confirmed to work with 2.14, in some
commit in upstream software. If they aren't, and we can't make them
build with 2.14 in a functional way, it would serve a broad spectrum of
clients including Guix users to get in contact with the affected
package.

> If that's not possible, what should we do?
> 
> Here is a primer on the tangled world of webkit forks and versions:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
> 
> It states that distros should not expect webkitgtk@2.4 to receive
> security updates:
> ------
> We could attempt to provide security backports to WebKitGTK+ 2.4. This
> would be very time consuming and therefore very expensive, so count this
> out.
> ------

Information forwarded to bug-guix <at> gnu.org:
bug#26176; Package guix. (Mon, 20 Mar 2017 06:52:03 GMT)

Message #11 received at 26176 <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Leo Famulari <leo <at> famulari.name>, 26176 <at> debbugs.gnu.org
Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Mon, 20 Mar 2017 08:50:54 +0200
On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote:
> Leo Famulari transcribed 2.1K bytes:
> > We do a good job of deploying security updates to webkitgtk@2.14.
> > Typically, we push the update within 24 hours.
> > 
> > However, several packages still depend on webkitgtk@2.4, which is
> > unmaintained upstream and surely contains many serious security
> > vulnerabilities.
> > 
> > $ guix refresh -l webkitgtk@2.4
> > Building the following 6 packages would ensure 10 dependent packages are
> > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
> > 
> > People who install these packages probably do not expect to install
> > software containing publicly disclosed security vulnerabilities.
> > 
> > We should try to make these packages use a maintained version of
> > webkitgtk.
> 
> Maybe those packages are already confirmed to work with 2.14, in some
> commit in upstream software. If they aren't, and we can't make them
> build with 2.14 in a functional way, it would serve a broad spectrum of
> clients including Guix users to get in contact with the affected
> package.
> 

Good news on that front! 

$ guix refresh -l wxwidgets
Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2

kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
webkit@2.4.

Wxwidgets currently is built with webkit@2.4, but it looks like it
supports webkit.

I'm currently working on testing wxwidgets built with webkit to see if
that takes care of everything currently relying on webkit@ancient other
than gnucash.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
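An added example, not from the thread or from Guix itself: a POSIX shell script that parses the dependents list `guix refresh -l` prints and takes the difference of two such lists, so that the two runs quoted above (embedded here as constructed input) show which webkitgtk@2.4 dependents are not also wxwidgets dependents and therefore need to be looked at separately.

```shell
#!/bin/sh
# Added example (not part of the bug thread). Parses the output of
# `guix refresh -l <package>` and diffs the dependents of two packages.

# Constructed sample input: the two outputs quoted in the thread.
WEBKIT_OUT='Building the following 6 packages would ensure 10 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2'

WX_OUT='Building the following 5 packages would ensure 6 dependent packages are
rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
elixir-1.3.2 audacity-2.1.2'

# dependents OUTPUT: print one package name per line, sorted.
# Everything after "rebuilt:" is a whitespace-separated list that
# wraps across lines, so the lines are joined before splitting.
dependents() {
    printf '%s\n' "$1" | tr '\n' ' ' | sed 's/^.*rebuilt: *//' \
        | tr -s ' ' '\n' | sed '/^$/d' | sort
}

# direct_only A B: dependents of A that are not dependents of B, i.e.
# packages that reach the unmaintained library by some other path
# and are not fixed by rebuilding B against a maintained version.
direct_only() {
    dependents "$1" | awk -v b="$(dependents "$2" | tr '\n' ' ')" '
        BEGIN { n = split(b, arr, " "); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
        !($0 in seen)'
}

# Usage: prints kicad-4.0-1.4ee344e, the one dependent wxwidgets does not cover.
direct_only "$WEBKIT_OUT" "$WX_OUT"
```

With real `guix refresh -l` output, pass the captured text of each run as the two arguments.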

Information forwarded to bug-guix <at> gnu.org:
bug#26176; Package guix. (Mon, 20 Mar 2017 22:28:02 GMT)

Message #14 received at 26176 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 26176 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Mon, 20 Mar 2017 23:27:16 +0100
Howdy!

Efraim Flashner <efraim <at> flashner.co.il> skribis:

> Good news on that front! 
>
> $ guix refresh -l wxwidgets
> Building the following 5 packages would ensure 6 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 audacity-2.1.2

BTW, I used:

  guix graph -t reverse-package webkitgtk@2.4

to find out how things ended up depending on it.

> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.
>
> Wxwidgets currently is built with webkit@2.4, but it looks like it
> supports webkit.
>
> I'm currently working on testing wxwidgets built with webkit to see if
> that takes care of everything currently relying on webkit@ancient other
> than gnucash.

Looks like it worked pretty well.  :-)

Thank you!

Ludo’.

Information forwarded to bug-guix <at> gnu.org:
bug#26176; Package guix. (Fri, 07 Apr 2017 12:03:01 GMT)

Message #17 received at 26176 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: 26176 <at> debbugs.gnu.org
Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Fri, 7 Apr 2017 08:02:42 -0400
On Mon, Mar 20, 2017 at 08:50:54AM +0200, Efraim Flashner wrote:
> kicad uses wxwidgets built with gtk+-2, and the one that didn't show up
> at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of
> webkit@2.4.

Good news: the GnuCash developers are actively working to make GnuCash
compatible with the latest version of webkitgtk (or to completely remove
the dependency):

https://bugzilla.gnome.org/show_bug.cgi?id=751635

The other good news is that, apparently, GnuCash's use of webkit is
relatively insulated from security issues:

"GnuCash isn't affected by WebKit vulnerabilities, WebKit is used
exclusively to render HTML and interpret Javascript both created by
GnuCash itself."

https://bugzilla.gnome.org/show_bug.cgi?id=751635#c4

Reply sent to Chris Marusich <cmmarusich <at> gmail.com>:
You have taken responsibility. (Sat, 09 Jun 2018 05:12:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Sat, 09 Jun 2018 05:12:02 GMT)

Message #22 received at 26176-done <at> debbugs.gnu.org:

From: Chris Marusich <cmmarusich <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26176-done <at> debbugs.gnu.org
Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix?
Date: Fri, 08 Jun 2018 22:11:10 -0700
Leo Famulari <leo <at> famulari.name> writes:

> Several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.

We've removed webkitgtk-2.4 in commit
38039b4fa917c7516535167fb082ea63850ee578, which has been merged into
master (according to 'git branch --all --contains
38039b4fa917c7516535167fb082ea63850ee578'), so I'm closing this bug
report.

-- 
Chris

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 07 Jul 2018 11:24:04 GMT)


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.