GNU bug report logs - #28004: Chromium
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Mon, 7 Aug 2017 20:00:01 UTC
Severity: normal
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
On Wed, Oct 11, 2017 at 09:52:46PM +0200, Ludovic Courtès wrote:
> ng0 <ng0 <at> infotropique.org> skribis:
> > could this patch be merged into master now?
>
> Probably (I think at the time Marius submitted it the ‘ld’ wrapper
> enhancements were not in ‘master’ yet.)
>
> For the security aspect though, given that it’s a fairly critical
> component, I’d like to have Leo’s opinion. Thoughts?

Any questions in particular?

For me, the primary question is maintenance.

As Marius pointed out when sending the patch, major version upgrades may
be difficult, and timely delivery of security updates cannot be
guaranteed. But these caveats apply to every package. [0] They aren't a
reason to exclude Chromium from Guix.

Now, if we add the Chromium package and then let it fall behind for
weeks or months, that will be a problem, and we will need to remove it.
It's relatively easy to remove packages of end-user applications, since
it's rare that other packages depend on them.

As always, I'm willing to help with security updates as much as my
volunteer schedule allows.

The other issue will be bugs caused by the use of non-bundled libraries.
Presumably, important bugs are fixed in the bundled libraries before
they are released by the upstream library (if ever). But again, this is
an issue with all of our packages. We will address these issues when we
find them.

There was a new release last month, 61.0.3163. I'd like to try updating
to it this weekend if I have the disk (does anyone know how much is
required?) and computing power. Then we can push :)

[0] Users who really need to rely on the security of Chromium or Chrome
should use the "official" installation from the Chromium or Google
teams, and turn on auto-updates. Every update can be expected to fix
critical bugs.
This bug report was last modified 6 years and 154 days ago.