From unknown Sun Sep 21 08:46:49 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#26176 <26176@debbugs.gnu.org> To: bug#26176 <26176@debbugs.gnu.org> Subject: Status: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Reply-To: bug#26176 <26176@debbugs.gnu.org> Date: Sun, 21 Sep 2025 15:46:49 +0000 retitle 26176 What to do about unmaintained frameworks like webkitgtk@2.4 i= n Guix? reassign 26176 guix submitter 26176 Leo Famulari severity 26176 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 19 16:44:30 2017 Received: (at submit) by debbugs.gnu.org; 19 Mar 2017 20:44:30 +0000 Received: from localhost ([127.0.0.1]:35516 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cphgk-0004zy-4I for submit@debbugs.gnu.org; Sun, 19 Mar 2017 16:44:30 -0400 Received: from eggs.gnu.org ([208.118.235.92]:58557) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cphgi-0004zk-U3 for submit@debbugs.gnu.org; Sun, 19 Mar 2017 16:44:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cphgc-0004QY-Mu for submit@debbugs.gnu.org; Sun, 19 Mar 2017 16:44:23 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:37084) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cphgc-0004QS-Jc for submit@debbugs.gnu.org; Sun, 19 Mar 2017 16:44:22 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49525) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cphgb-0007Ki-7j for bug-guix@gnu.org; Sun, 19 Mar 2017 16:44:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cphgY-0004Q0-6f for bug-guix@gnu.org; Sun, 19 Mar 2017 16:44:21 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:50098) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cphgX-0004Pl-Fo for bug-guix@gnu.org; Sun, 19 Mar 2017 16:44:18 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 81BC22072D; Sun, 19 Mar 2017 16:44:15 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Sun, 19 Mar 2017 16:44:15 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= content-type:date:from:message-id:mime-version:subject:to :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=9u9 w4fSPAWbqbpheaakZuRCWZmo=; b=vmlmix42N1YtyO5BowKqaerA8D4KvkCXSAh l/mkvKx9lvIL5Z5p9pubdmyr6vKGsuimnxbmzGS1AOWsqT90hmFXLNOjM/hEAYQz VPyhl7ccVf93kns4pIHzTcKGBXqE1sNHeq8vKktzf8JAkylkxBIBm+ZnEWDReu9c wJ8aweYM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=fm1; bh=9u9w4fSPAWbqbpheaakZuRCWZmo=; b=Zv9BCM2cS cOwoiEyCdyX+eRWrYu8uJ8RaOC+qHcc0FIyz4cN5aC/79cwYLvCfMPo+io7fu1Wb kbLg42VbQZpLwDJIzpzd/Qc7qqXMZ6gLDwP1X8qdFeP3i3oYbfU2B1s+qLwOtKMy R3Zf689bT+lb3W2yyURqN4eguS6SDHdPw8cKOAYdo3kma/q0Es0qyk2/dvqb2IRP Uycyva6IJL/2xVPdmXtQ2EEBgd5eoHugOnDhUkEPMaOVJ7Y6kEFAkf2wqvW9P1Sr gFthmVZHX57dTMG/WOG7biQ8q6EIe9PW1+LZN39OkE4UehgVVTn/99F2xWR9u09I VBfEXfNbf107A== X-ME-Sender: X-Sasl-enc: rOt3NUZz39cafXFxlaz9roVyah5U7bIDOFupGRdEkZpq 1489956255 Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id 3F19D24371 for ; Sun, 19 Mar 2017 16:44:15 -0400 (EDT) Date: Sun, 19 Mar 2017 16:44:14 -0400 From: Leo Famulari To: bug-guix@gnu.org Subject: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Message-ID: <20170319204414.GA23467@jasmine> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l" Content-Disposition: inline User-Agent: Mutt/1.8.0 (2017-02-23) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.1 (----) --XsQoSWH+UP9D9v3l Content-Type: text/plain; charset=us-ascii Content-Disposition: inline We do a good job of deploying security updates to webkitgtk@2.14. Typically, we push the update within 24 hours. However, several packages still depend on webkitgtk@2.4, which is unmaintained upstream and surely contains many serious security vulnerabilities. $ guix refresh -l webkitgtk@2.4 Building the following 6 packages would ensure 10 dependent packages are rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2 People who install these packages probably do not expect to install software containing publicly disclosed security vulnerabilities. We should try to make these packages use a maintained version of webkitgtk. If that's not possible, what should we do? Here is a primer on the tangled world of webkit forks and versions: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ It states that distros should not expect webkitgtk@2.4 to receive security updates: ------ We could attempt to provide security backports to WebKitGTK+ 2.4. This would be very time consuming and therefore very expensive, so count this out. ------ --XsQoSWH+UP9D9v3l Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAljO7Z4ACgkQJkb6MLrK fwjkaQ//asWQnoMf0LuTDKWaAkCq2mpKMBrXYExxjUKHFnAogSJdZnte/SzmJzhP sRcErPjPZYY/XGFgeMqHS8KcFOnPFvFMQY8ICb3SsXhqoowKT587hfA9NmGNuU3e HBKzlK7KOwLanlW/qlZ1Ivr1ZrCs0KQk7/LhHfrdX/p8ctjQ35xcQaRSJIKpyriH 5XytZwQ15iabHvDw2dRIPxjmqRzCIY48/5Ayf/+Y5bnwa7ccEhv2XLP7gq7LlmyH rY521WTg1H2ivs1RzBFDk2IrZQt7gNXovjHsoXAS7wI8W6ZXG1twcSoeNznm9gMB TelNz3rJP3mqpCp4EQBd5Aj7/9qqQvc302NO8N8vumoGNV7erG8vQcWTIPmbdoM4 vwTdJEfvvByUv+N9eIcAOYzQnO05JdqcQZgPOL3KJ/3lozS17JXtKjq3wxCthk6k wVlGNsv4WBJ85F31NJN9PaOOUlpDiG8Gs/OvfQeqypET33cEBvTkctZE1DbVj52P 09frEoWmVo5fjdXY7nkzGX67q3Mh5wMbz6hgNoZkN7lVs8uc3/g1laiymg7IOD+i ri0yp8mfbWGYuzh7YxePWH29Y/TpR9iu2Ro70yFF18Wu1hrLEHvc/J0QHjcpdfSL sZGiq3Z6oUUYoXjP1wIPEvQfbxM4OQCNFoYCNsT6CVjSVOkJKE4= =66rg -----END PGP SIGNATURE----- --XsQoSWH+UP9D9v3l-- From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 19 17:09:03 2017 Received: (at 26176) by debbugs.gnu.org; 19 Mar 2017 21:09:03 +0000 Received: from localhost ([127.0.0.1]:35533 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cpi4V-0005d9-7H for submit@debbugs.gnu.org; Sun, 19 Mar 2017 17:09:03 -0400 Received: from perdizione.investici.org ([94.23.50.208]:35690) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cpi4R-0005ch-N1 for 26176@debbugs.gnu.org; Sun, 19 Mar 2017 17:09:00 -0400 Received: from [94.23.50.208] (perdizione [94.23.50.208]) (Authenticated sender: niasterisk@grrlz.net) by localhost (Postfix) with ESMTPSA id 3A24E121212; Sun, 19 Mar 2017 21:08:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptolab.net; s=stigmate; t=1489957738; bh=rLruCLib3NMWVUfkMXQiGSg/eTGSF2T4iGQnHB3AH90=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=GMVp2bRFjnsPfdgrAqrU4+AcOF5b4FT2Bi22S0zLOXr+8kDG7JR0kDQEm86PXqXyG T8K5o8W7cG1H9ecwuo0sjQ9EKr9+1vsvKb1MGeumD5MchmD1Jb1GlLM4x3bonHlsbM 13i0R5sQ1bGCE5yZIq5pgNEWnZYC4CeUnrHS1uyY= Date: Sun, 19 Mar 2017 22:17:38 +0000 From: ng0 To: Leo Famulari Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Message-ID: <20170319221738.rjmsoak3y5otq5vu@abyayala> Mail-Followup-To: Leo Famulari , 26176@debbugs.gnu.org References: <20170319204414.GA23467@jasmine> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20170319204414.GA23467@jasmine> X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 26176 Cc: 26176@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) Leo Famulari transcribed 2.1K bytes: > We do a good job of deploying security updates to webkitgtk@2.14. > Typically, we push the update within 24 hours. > > However, several packages still depend on webkitgtk@2.4, which is > unmaintained upstream and surely contains many serious security > vulnerabilities. > > $ guix refresh -l webkitgtk@2.4 > Building the following 6 packages would ensure 10 dependent packages are > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2 > > People who install these packages probably do not expect to install > software containing publicly disclosed security vulnerabilities. > > We should try to make these packages use a maintained version of > webkitgtk. Maybe those packages are already confirmed to work with 2.14, in some commit in upstream software. If they aren't, and we can't make them build with 2.14 in a functional way, it would serve a broad spectrum of clients including Guix users to get in contact with the affected package. > If that's not possible, what should we do? > > Here is a primer on the tangled world of webkit forks and versions: > https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ > > It states that distros should not expect webkitgtk@2.4 to receive > security updates: > ------ > We could attempt to provide security backports to WebKitGTK+ 2.4. This > would be very time consuming and therefore very expensive, so count this > out. > ------ From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 20 02:51:05 2017 Received: (at 26176) by debbugs.gnu.org; 20 Mar 2017 06:51:05 +0000 Received: from localhost ([127.0.0.1]:35827 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cpr9l-0004rj-CA for submit@debbugs.gnu.org; Mon, 20 Mar 2017 02:51:05 -0400 Received: from flashner.co.il ([178.62.234.194]:38949) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cpr9k-0004r6-54 for 26176@debbugs.gnu.org; Mon, 20 Mar 2017 02:51:04 -0400 Received: from localhost (85.64.232.168.dynamic.barak-online.net [85.64.232.168]) by flashner.co.il (Postfix) with ESMTPSA id D0A36402C6; Mon, 20 Mar 2017 06:50:57 +0000 (UTC) Date: Mon, 20 Mar 2017 08:50:54 +0200 From: Efraim Flashner To: Leo Famulari , 26176@debbugs.gnu.org Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Message-ID: <20170320065054.GE19779@macbook42.flashner.co.il> References: <20170319204414.GA23467@jasmine> <20170319221738.rjmsoak3y5otq5vu@abyayala> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="7LkOrbQMr4cezO2T" Content-Disposition: inline In-Reply-To: <20170319221738.rjmsoak3y5otq5vu@abyayala> User-Agent: Mutt/1.8.0 (2017-02-23) X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 26176 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) --7LkOrbQMr4cezO2T Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Mar 19, 2017 at 10:17:38PM +0000, ng0 wrote: > Leo Famulari transcribed 2.1K bytes: > > We do a good job of deploying security updates to webkitgtk@2.14. > > Typically, we push the update within 24 hours. > >=20 > > However, several packages still depend on webkitgtk@2.4, which is > > unmaintained upstream and surely contains many serious security > > vulnerabilities. > >=20 > > $ guix refresh -l webkitgtk@2.4 > > Building the following 6 packages would ensure 10 dependent packages are > > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 > > elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2 > >=20 > > People who install these packages probably do not expect to install > > software containing publicly disclosed security vulnerabilities. > >=20 > > We should try to make these packages use a maintained version of > > webkitgtk. >=20 > Maybe those packages are already confirmed to work with 2.14, in some > commit in upstream software. If they aren't, and we can't make them > build with 2.14 in a functional way, it would serve a broad spectrum of > clients including Guix users to get in contact with the affected > package. >=20 Good news on that front!=20 $ guix refresh -l wxwidgets Building the following 5 packages would ensure 6 dependent packages are rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 elixir-1.3.2 audacity-2.1.2 kicad uses wxwidgets built with gtk+-2, and the one that didn't show up at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of webkit@2.4. Wxwidgets currently is built with webkit@2.4, but it looks like it supports webkit. I'm currently working on testing wxwidgets built with webkit to see if that takes care of everything currently relying on webkit@ancient other than gnucash. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --7LkOrbQMr4cezO2T Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEkVdB/rIvpOM7bo+N9MHTkX6s7pMFAljPe8AACgkQ9MHTkX6s 7pPNSA//fmnzCyBOplq5bZmZCu5Qh2be+HiP6ib7sZNMb+iJFhZzsJe0T/NC/Bbt wJN9wK3SBGwnHZz+W+Z3gVvVncdoyKwfbprtEsdlUXfeO+vYoWf/YJB8siboQtz4 v/HMdX6S60rBtruOdWipNyLaJNjMRGVwoZd1pvaBOFDPDWQ7obME5nxCO3FtQrTt JVLnTIdkIK4eOyL7c5So5RClPMh0CU4o7Wfxk2Cl80llBTpbH0w5hOd7b5pCa7LN 73cZaSpuY9pqtoCiN3j0GtkD7Nbiczz8RRJr8diQp9Y84QHriBGiXPHpJqukUu51 7AuStwKcEoiIHxMlnQhy7m+aZg2EEjbwNp0W4QCT7qYv1CB9vUl831LkJkMdqsTX M0E2gkuC1SivtOdNNeFfifMIyJ0NL8zwVpl6NhIaz9AbDlYVndORWiSt4lfd0ozP xvpdwNCio6NFOjlI8azY8aRkW7tWy6T1LuID40wyOJyTXxF4Ekox5AExsPTKeBGs s/wK+wFxRfncoA0FdfWrPJptLY6h2RLrAKdhOfPRbQm/wzNOOe4OaM6bS2z1LUF8 YInjXsWYlBxL5jdkRGEqqjRjSse9gf/DSUjlc+qBA55gyCEiYCtPKJjic2elGvIK A+Yd32kFezLXXtfwJe4j0JLevWSR7yQQ9q4yAbbvecHZU3Em/EA= =uPKI -----END PGP SIGNATURE----- --7LkOrbQMr4cezO2T-- From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 20 18:27:29 2017 Received: (at 26176) by debbugs.gnu.org; 20 Mar 2017 22:27:29 +0000 Received: from localhost ([127.0.0.1]:36869 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cq5lx-000434-Il for submit@debbugs.gnu.org; Mon, 20 Mar 2017 18:27:29 -0400 Received: from eggs.gnu.org ([208.118.235.92]:36932) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cq5lv-00042r-9m for 26176@debbugs.gnu.org; Mon, 20 Mar 2017 18:27:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cq5lm-0004KK-WF for 26176@debbugs.gnu.org; Mon, 20 Mar 2017 18:27:22 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:41151) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cq5lm-0004KC-TG; Mon, 20 Mar 2017 18:27:18 -0400 Received: from reverse-83.fdn.fr ([80.67.176.83]:35728 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1cq5lm-0007xn-5A; Mon, 20 Mar 2017 18:27:18 -0400 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Efraim Flashner Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? References: <20170319204414.GA23467@jasmine> <20170319221738.rjmsoak3y5otq5vu@abyayala> <20170320065054.GE19779@macbook42.flashner.co.il> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 30 =?utf-8?Q?Vent=C3=B4se?= an 225 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-unknown-linux-gnu Date: Mon, 20 Mar 2017 23:27:16 +0100 In-Reply-To: <20170320065054.GE19779@macbook42.flashner.co.il> (Efraim Flashner's message of "Mon, 20 Mar 2017 08:50:54 +0200") Message-ID: <87shm7shx7.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 26176 Cc: 26176@debbugs.gnu.org, Leo Famulari X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Howdy! Efraim Flashner skribis: > Good news on that front!=20 > > $ guix refresh -l wxwidgets > Building the following 5 packages would ensure 6 dependent packages are > rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 > elixir-1.3.2 audacity-2.1.2 BTW, I used: guix graph -t reverse-package webkitgtk@2.4 to find out how things ended up depending on it. > kicad uses wxwidgets built with gtk+-2, and the one that didn't show up > at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of > webkit@2.4. > > Wxwidgets currently is built with webkit@2.4, but it looks like it > supports webkit. > > I'm currently working on testing wxwidgets built with webkit to see if > that takes care of everything currently relying on webkit@ancient other > than gnucash. Looks like it worked pretty well. :-) Thank you! Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 07 08:02:51 2017 Received: (at 26176) by debbugs.gnu.org; 7 Apr 2017 12:02:51 +0000 Received: from localhost ([127.0.0.1]:35810 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cwSbL-00058W-6S for submit@debbugs.gnu.org; Fri, 07 Apr 2017 08:02:51 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:35720) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cwSbJ-00058L-Fb for 26176@debbugs.gnu.org; Fri, 07 Apr 2017 08:02:49 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id E5EA020929; Fri, 7 Apr 2017 08:02:48 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Fri, 07 Apr 2017 08:02:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=IViBoqWxCQGsBoNy0aBBr6rY5XPSwlkVbdH+Me +osE0=; b=FBoNAmFp7gUjJiAtDi3zQsZ8QzeMQ+EWqumrFbXaSdWkvt8K2P+ugt xeCxpe/xf/ykS8fDAVAy8agOmq8E813IAk2VCzC0zoWM+jQz8owYsP0PcSeIZgDR qkA86ldc/ZA8V9kQUaHG960XgX3MAui+WrAkT6Tc/X+/Qq7t8NMJQ= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=IViBoqWxCQGsBoNy0a BBr6rY5XPSwlkVbdH+Me+osE0=; b=ZuL7skl62JVWdzXg4VdbLkccpzhP6RExFX /1umbvC34GCWILrCZxWR8g0iia/u24cOnelYnmW70yVmjgT9xMziLSk9xa2YA+nr d3tc0XoCgjrBNyPHyr1IiyVzhaxS1I9O3wE6H3QbC/jDs4XIe3kkh2Y6aQjsvnOt BqkN+f/JBdRDSPSqx8++7cL04asiWOtknuN51f+yL+mhiuYQKK3xAj639DyJvQ/P ijeO2/2pcuLfgcyUn3RqGu2fdE/MejuBXUDoFmxkLJZpWD4iHPJF5f/vNn8BjbGG /fdQxPv4JPPs2iy1dkjNibhtsSLZfcMCb/QwWUCkQA7COFCklI9w== X-ME-Sender: X-Sasl-enc: u1I5lpq6S8jxu2XteTqyl+EelaDNNoN+2Ls6Z0PwP82r 1491566567 Received: from localhost (unknown [65.210.80.3]) by mail.messagingengine.com (Postfix) with ESMTPA id DDB7F2464B; Fri, 7 Apr 2017 08:02:47 -0400 (EDT) Date: Fri, 7 Apr 2017 08:02:42 -0400 From: Leo Famulari To: Efraim Flashner Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? Message-ID: <20170407120242.GA21304@jasmine> References: <20170319204414.GA23467@jasmine> <20170319221738.rjmsoak3y5otq5vu@abyayala> <20170320065054.GE19779@macbook42.flashner.co.il> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE" Content-Disposition: inline In-Reply-To: <20170320065054.GE19779@macbook42.flashner.co.il> User-Agent: Mutt/1.8.0 (2017-02-23) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 26176 Cc: 26176@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --Kj7319i9nmIyA2yE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Mar 20, 2017 at 08:50:54AM +0200, Efraim Flashner wrote: > kicad uses wxwidgets built with gtk+-2, and the one that didn't show up > at all, gnucash, uses webkitgtk/gtk+-2, which is the gtk+@2 version of > webkit@2.4. Good news: the GnuCash developers are actively working make GnuCash compatible with the latest version of webkitgtk (or to completely remove the dependency): https://bugzilla.gnome.org/show_bug.cgi?id=751635 The other good news is that, apparently, GnuCash's use of webkit is relatively insulated from security issues: "GnuCash isn't affected by WebKit vulnerabilities, WebKit is used exclusively to render HTML and interpret Javascript both created by GnuCash itself." https://bugzilla.gnome.org/show_bug.cgi?id=751635#c4 --Kj7319i9nmIyA2yE Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAljnf+IACgkQJkb6MLrK fwh0hw//YAWut8x3xxMUxWoKKTPFVj0Te9uHmbqRSpUGWeFG+Et1QdAdmifyPh+C fUMqfg7T2w/74awFCGjpbaZ5zTU0ha9PIpVbO0HXUaUc/DV6si/3+PyfG0ZKOm07 dHXQC2Yor1ilBT4aa8lw5N+A4+L4DQ7wvaMMGrNyJxYqG/RgGubKk+2B91+RMNmV YOyw0pW5NztXNt8lOKMaluPsTSf+mJLhgtj7K/3z/zv1Wp31X6JJZA1Wjn7zYySb fJac29kMiuKPRrnSwV27fh22GN7MicZ47o39ItcXeSl+UwYbbhGrgSShqk9a/zQd UYErWYHT+7+vz1n0vMv3JK9ETvCvosGGxcPGdV6ci8vFCGgk6lK0CHbl+0TNGGLE tSyOl+PWrir/ASuTNJl+tJa7D/68L8knEl7LkzRyy9vSOtl3gaOhmdhtaVHfjjne 0NSVyYC20ncyn1jrrKs+veUtm09b7+zfIurUV+4MYVFQM4pQNj6H0ClVinOIxaD0 4HDJoxWpRqkMJyC0sCGGi1IPQpjaaq0QNjumUz/CKj7bbEqzTIs7vsUfBo9hSGWc B67/3e8acbjI9AabVQCO8Uu/XCJuZvJqrnL8tBxAdDOPlhdRN7vfPc4fmWZXRTgd x/tZOBLhrqRJjzBXuBY+TSulLNa0+Tusdce3Uy7182JJhuRiS0Q= =Yu04 -----END PGP SIGNATURE----- --Kj7319i9nmIyA2yE-- From debbugs-submit-bounces@debbugs.gnu.org Sat Jun 09 01:11:25 2018 Received: (at 26176-done) by debbugs.gnu.org; 9 Jun 2018 05:11:25 +0000 Received: from localhost ([127.0.0.1]:40208 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fRW9s-0005sK-VI for submit@debbugs.gnu.org; Sat, 09 Jun 2018 01:11:25 -0400 Received: from mail-pf0-f178.google.com ([209.85.192.178]:39380) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fRW9q-0005s6-Jx for 26176-done@debbugs.gnu.org; Sat, 09 Jun 2018 01:11:23 -0400 Received: by mail-pf0-f178.google.com with SMTP id r11-v6so7604281pfl.6 for <26176-done@debbugs.gnu.org>; Fri, 08 Jun 2018 22:11:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=TCzps4RvDDhwofXPM1l0UrD2yuMCKzXCEr1ehq4rX8w=; b=L93MQ2eH0io8e3Yw/m21iHKFo04SSnx5djztrocY3soW2bcvyjJ433Ug/grx4HFsMI /qYY7Wh6hHV7I5l+YdhrulepL3JonMJcLB84rAjqVMOD/tueN4wE6+fjjnlqm3LClXfJ CuWeUmxJZOtwXjnkeT43oK6QW6BgwNrIGrfHen51tVP+2WJ0y/S7UHVcRnBVxAxKll9U 8b3ZHrvh+96vzQPnm687i39x+j9n/XNdbNBpymmuRY0i9VZjHEj2zHxT7OlqWBlf48zf bu7739kZLx0tnt3YVdgbHafsjpy2CTwnUO8CSkUnkWZZNxXsZ24he/SWpQvTfTtzoijl qOyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=TCzps4RvDDhwofXPM1l0UrD2yuMCKzXCEr1ehq4rX8w=; b=DC/f90FNkP7iVZk2XsctQ4Be2z9PyD4M1rzm1DaUjxuWxYsoRtuPkiskXXII7UZZu8 KC6+E7dRiW/zS8TfE3XPLyheE8SJePk1nreMebKePj34yr78QJiE8k3Gv7TeX1MCrbsB /WQsvCFwVZJIawo+mtPDktP00YHPrm1AD03xRpewCc+3eUTJ6lGAwLbH5/Xkf7FUyUVd 9XYWLLKcV22vuXwD1tErIAfToV/kz7BRdJnAI8rXg4rOXFPoc8h67NAb6ifLwOBe4cru pkLoUh9AEWq/mdGBCQjhFqjc1pITB44cqtoCQEh1J6ru7WC184GhcmawY/2KbSfg4y0z Fa5Q== X-Gm-Message-State: APt69E0wL7TabCrY2FmpovaLimBKG8E1pE5ivJTDOkFsnr3rVbHt1Y1j dZaYyMSoX8J+lEhC3VhbMmdsJg== X-Google-Smtp-Source: ADUXVKJjaN28mlJ11FW9j5gpDbLzOb5DUK6jEL6CwbFe9lQyDanFrrmp2/w/4pRvm/lbP7HPxY2QiQ== X-Received: by 2002:a63:b041:: with SMTP id z1-v6mr7342100pgo.397.1528521076345; Fri, 08 Jun 2018 22:11:16 -0700 (PDT) Received: from garuda.local (c-24-18-253-84.hsd1.wa.comcast.net. [24.18.253.84]) by smtp.gmail.com with ESMTPSA id a1-v6sm159178pgu.81.2018.06.08.22.11.13 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 08 Jun 2018 22:11:14 -0700 (PDT) From: Chris Marusich X-Google-Original-From: Chris Marusich To: Leo Famulari Subject: Re: bug#26176: What to do about unmaintained frameworks like webkitgtk@2.4 in Guix? References: <20170319204414.GA23467@jasmine> Date: Fri, 08 Jun 2018 22:11:10 -0700 In-Reply-To: <20170319204414.GA23467@jasmine> (Leo Famulari's message of "Sun, 19 Mar 2017 16:44:14 -0400") Message-ID: <878t7oee8h.fsf@garuda.local.i-did-not-set--mail-host-address--so-tickle-me> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 26176-done Cc: 26176-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Leo Famulari writes: > Several packages still depend on webkitgtk@2.4, which is > unmaintained upstream and surely contains many serious security > vulnerabilities. We've removed webkitgtk-2.4 in commit 38039b4fa917c7516535167fb082ea63850ee578, which has been merged into master (according to 'git branch --all --contains 38039b4fa917c7516535167fb082ea63850ee578'), so I'm closing this bug report. =2D-=20 Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAlsbYW4ACgkQ3UCaFdgi Rp3+Ng/9G8wfVlvAlToH1F+TtYFR44jR03e/2OkUB9t5kkqIL4pebBq+3MFcvGXq CRubqHiOp/ulE2r1RLZrUpXBBhwJ3D5DhiqTvY4M9509IyQEmZ7tu6yIhxCVdI/J gCC4NJLBtMZzmjnIaIp48FRC7N173S0W2igk2TqwIwdB1RFUCe9mY6mbMAHim+k8 8xam/cQw5gKy0mARpDreq5KiD1L2IHrIhKCG+3ZOVYGgh0/MzjbJD63ap1/A1mJJ eyFKgOOoJeiv2fJXuaURC2OX2DA6f4aUvmIyuREPOoQV/NI7AJ+HgoBvujLtNF7W OH+S9P9p4ZXa7s9AtaA3scgmM/Igk/ih341i2FvTiDjVZWzVi2tNB9VjP6kP/DD+ 1+X+Kr3gGAgVALUjVgog4buCQe9z1qtYoHzOXUPbL32qWH7+g1s+DGxj9ix2K1qL T+GLC4c0oCIVxKpomSvbm7IeogZapfibM2qqFFlB3YYBP3G415U8mbSn50OSS8pk Jv1RWrquPtGjJMkK2xj1gL/ldv6qP+d+v0ijU1zJf6AMv/bLp7NHI+2zvNwaBJIp sfO/Kc45r0GXDcG9QYlYXICz58vmsRH+l83415iL7FiU9FHKrnrcgD9ZMb4xu/Is 0uYbEj046Eiz2z82jbLbmVCHwRU7YlbcnS3i0OSWsggWs+8DVqE= =mryQ -----END PGP SIGNATURE----- --=-=-=-- From unknown Sun Sep 21 08:46:49 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sat, 07 Jul 2018 11:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator