GNU bug report logs - #33347
[PATCH 0/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].

Previous Next

Package: guix-patches;

Reported by: Alex Vong <alexvong1995 <at> gmail.com>

Date: Sun, 11 Nov 2018 19:05:02 UTC

Severity: normal

Tags: patch, security

Done: Alex Vong <alexvong1995 <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #41 received at 33347 <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 33347 <at> debbugs.gnu.org, alexvong1995 <at> gmail.com
Subject: Re: [bug#33347] [PATCH 4/4] gnu: teeworlds: Update to 0.7.0 [fixes
 CVE-2018-18541].
Date: Wed, 14 Nov 2018 21:36:25 +0800

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Mon, Nov 12, 2018 at 03:09:39AM +0800, Alex Vong wrote:
>>           (replace 'configure
>>             (lambda* (#:key outputs #:allow-other-keys)
>> +             (define (use-latest-json-parser file)
>> +               (substitute* file
>> +                 (("engine/external/json-parser/json\\.h")
>> +                  "json-parser/json.h")
>> +                 (("json_parse_ex\\(&JsonSettings, pFileData, aError\\);")
>> +                  "json_parse_ex(&JsonSettings,
>> +                                 pFileData,
>> +                                 strlen(pFileData),
>> +                                 aError);")))
>> +
>
> Please add a code comment explaining this.
>
OK

>> -    ;; FIXME: teeworlds bundles the sources of "pnglite", a two-file PNG
>> -    ;; library without a build system.
>
> These sorts of mini-libraries are designed to be copied and pasted into
> host projects rather than packaged on their own. That's why they don't
> include a build system. For example, many cryptographic primitive
> implementations are distributed this way — that's why you never see a
> package for 'SHA256'. Is there a particular reason we should unbundle
> pnglite?

Well, I though we have a policy to remove bundle dependencies in order
to avoid building the same library many times. Do we make exceptions for
shared libraries w/o a build system? (an exception I can think of is
gnulib)

Besides, the FIXME comment seems to suggest future readers to help
remove the bundled pnglite. Debian also removes the bundled pnglite in
teeworlds[0].

Thanks for all the feedback!

[0]: https://packages.debian.org/sid/teeworlds

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 6 years and 239 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.