GNU bug report logs - #26109
[PATCH 3/7] gnu: Add dcmtk.

Previous Next

Package: guix-patches;

Reported by: John Darrington <jmd <at> gnu.org>

Date: Wed, 15 Mar 2017 20:07:01 UTC

Severity: normal

Tags: patch

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

Message #20 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: John Darrington <jmd <at> gnu.org>
Cc: guix-devel <at> gnu.org, 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Mon, 20 Mar 2017 21:47:37 -0400

[Message part 1 (text/plain, inline)]
John Darrington <jmd <at> gnu.org> writes:

> [CC guix-devel <at> gnu.org]
>
> So we have to make a choice:
>
> 1. Package a released program with a known vulnerability; or
> 2. Package an unreleased git snapshot.
>
> Which is the lesser evil?

I choose option two. I'm quite uncomfortable with packaging software
that is known to be vulnerable. To me it seems almost malicious if it
can be avoided.

Other opinions?

>
> J'
>
> On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
>> John Darrington <john <at> darrington.wattle.id.au> writes:
>> 
>> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>> >      
>> >      Judging from the description of the software, it seems like this could
>> >      fit in gnu/packages/image.scm.
>> >      Also, the linter says that this package vulnerable to
>> >      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>> >      if that fix works for this package?
>> >      
>> >      * https://github.com/commontk/DCMTK/commit/1b6bb76
>> >      
>> >
>> > Unfortunately this patch doesn't go in.  It seems that as well as fixing this
>> > vulnerability it also makes some unrelated changes.  Furthermore, it depends
>> > on a whole lot of other patches which are not in this release.
>> >
>> > Do we have a procedure on what to do in cases like this?
>> >
>> > J'
>> 
>> I don't know if we have an official procedure, though we could try using
>> a later git snapshot with the security patch already integrated.
>> Hopefully that provides functionality compatible to that of the stable
>> release, though it's at least a five year difference between release times.
>> 
>> http://git.cmtk.org/?p=dcmtk.git,a=tags

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 8 years and 12 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.