On Sat, Mar 18, 2017 at 08:23:35AM +0100, John Darrington wrote:
> On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>      
>      Judging from the description of the software, it seems like this could
>      fit in gnu/packages/image.scm.
>      Also, the linter says that this package vulnerable to
>      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>      if that fix works for this package?
>      
>      * https://github.com/commontk/DCMTK/commit/1b6bb76
>      
> 
> Unfortunately this patch doesn't go in.  It seems that as well as fixing this
> vulnerability it also makes some unrelated changes.  Furthermore, it depends
> on a whole lot of other patches which are not in this release.
> 
> Do we have a procedure on what to do in cases like this?

We could see what other distros have done. Maybe they have a simpler
patch we could copy. Or, we could try building from an arbitrary Git
commit.