GNU bug report logs -
#26109
[PATCH 3/7] gnu: Add dcmtk.
Previous Next
Reported by: John Darrington <jmd <at> gnu.org>
Date: Wed, 15 Mar 2017 20:07:01 UTC
Severity: normal
Tags: patch
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
Full log
Message #17 received at 26109 <at> debbugs.gnu.org (full text, mbox):
[CC guix-devel <at> gnu.org]
So we have to make a choice:
1. Package a released program with a known vulnerability; or
2. Package an unreleased git snapshot.
Which is the lesser evil?
J'
On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
> John Darrington <john <at> darrington.wattle.id.au> writes:
>
> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
> >
> > Judging from the description of the software, it seems like this could
> > fit in gnu/packages/image.scm.
> > Also, the linter says that this package vulnerable to
> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> > if that fix works for this package?
> >
> > * https://github.com/commontk/DCMTK/commit/1b6bb76
> >
> >
> > Unfortunately this patch doesn't go in. It seems that as well as fixing this
> > vulnerability it also makes some unrelated changes. Furthermore, it depends
> > on a whole lot of other patches which are not in this release.
> >
> > Do we have a procedure on what to do in cases like this?
> >
> > J'
>
> I don't know if we have an official procedure, though we could try using
> a later git snapshot with the security patch already integrated.
> Hopefully that provides functionality compatible to that of the stable
> release, though it's at least a five year difference between release times.
>
> http://git.cmtk.org/?p=dcmtk.git,a=tags
This bug report was last modified 8 years and 12 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.