GNU bug report logs - #74060
[PATCH] gnu: Remove allegro-5.0. [security fixes]


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Mon, 28 Oct 2024 11:29:01 UTC

Severity: normal

Tags: easy, patch

Done: Nicolas Graves <ngraves <at> ngraves.fr>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 74060 in the body.
You can then email your comments to 74060 AT debbugs.gnu.org in the normal way.



Report forwarded to guix-patches <at> gnu.org:
bug#74060; Package guix-patches. (Mon, 28 Oct 2024 11:29:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 28 Oct 2024 11:29:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: guix-patches <at> gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Mon, 28 Oct 2024 12:27:37 +0100
This package has no dependencies in Guix, is unsupported (see
https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.

* gnu/packages/game-development.scm (allegro-5.0): Delete variable.
* gnu/local.mk: Deregister patch.
* gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
---
 gnu/local.mk                                  |  1 -
 gnu/packages/game-development.scm             | 18 --------
 .../allegro-mesa-18.2.5-and-later.patch       | 41 -------------------
 3 files changed, 60 deletions(-)
 delete mode 100644 gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..113d8ed68d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -954,7 +954,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/akonadi-paths.patch		\
   %D%/packages/patches/akonadi-not-relocatable.patch		\
   %D%/packages/patches/akonadi-timestamps.patch		\
-  %D%/packages/patches/allegro-mesa-18.2.5-and-later.patch	\
   %D%/packages/patches/alure-dumb-2.patch			\
   %D%/packages/patches/ibus-anthy-fix-tests.patch		\
   %D%/packages/patches/ibus-table-paths.patch			\
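Review bot: Before the `allegro-mesa-18.2.5-and-later.patch` entry is dropped from `dist_patch_DATA`, the commit message should state that no other origin still names this file in `search-patches`. In this diff only `allegro-5.0` is shown using it, and any leftover reference elsewhere would fail at patch lookup once the file is deleted.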
diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index ee869c9cc5..6100e4e94e 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -1132,24 +1132,6 @@ (define-public allegro
     (home-page "https://liballeg.org")
     (license license:bsd-3)))
 
-(define-public allegro-5.0
-  (package (inherit allegro)
-    (name "allegro")
-    (version "5.0.11")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/liballeg/allegro5/releases"
-                                  "/download/" version "/allegro-"
-                                  (if (equal? "0" (string-take-right version 1))
-                                    (string-drop-right version 2)
-                                    version)
-                                  ".tar.gz"))
-              (patches (search-patches
-                        "allegro-mesa-18.2.5-and-later.patch"))
-              (sha256
-               (base32
-                "0cd51qrh97jrr0xdmnivqgwljpmizg8pixsgvc4blqqlaz4i9zj9"))))))
-
 (define-public aseprite
   (package
     (name "aseprite")
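Review bot: The commit message does not say why the parent `allegro` definition, kept in the context lines above and inherited by the removed variant through `(inherit allegro)`, is outside the range affected by CVE-2021-36489; its version is not visible in this hunk, so that should be stated alongside the removal. The message also says the package "has no dependencies", while the check that justifies deleting `(define-public allegro-5.0` is that nothing depends on it, so "no dependents" would be the accurate wording.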
diff --git a/gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch b/gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch
deleted file mode 100644
index fa273a5dfa..0000000000
--- a/gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fixes compilation with Mesa >= 18.2.5.
-
-Taken from upstream:
-
-https://github.com/liballeg/allegro5/commit/a40d30e21802ecf5c9382cf34af9b01bd3781e47
-
-diff --git a/include/allegro5/allegro_opengl.h b/include/allegro5/allegro_opengl.h
-index 0f86a6768..652dd024e 100644
---- a/include/allegro5/allegro_opengl.h
-+++ b/include/allegro5/allegro_opengl.h
-@@ -103,10 +103,14 @@
-
- /* HACK: Prevent both Mesa and SGI's broken headers from screwing us */
- #define __glext_h_
-+#define __gl_glext_h_
- #define __glxext_h_
-+#define __glx_glxext_h_
- #include <GL/gl.h>
- #undef  __glext_h_
-+#undef  __gl_glext_h_
- #undef  __glxext_h_
-+#undef  __glx_glxext_h_
-
- #endif /* ALLEGRO_MACOSX */
-
-diff --git a/include/allegro5/opengl/GLext/glx_ext_defs.h b/include/allegro5/opengl/GLext/glx_ext_defs.h
-index 49c502091..fba8aea5d 100644
---- a/include/allegro5/opengl/GLext/glx_ext_defs.h
-+++ b/include/allegro5/opengl/GLext/glx_ext_defs.h
-@@ -1,7 +1,9 @@
- /* HACK: Prevent both Mesa and SGI's broken headers from screwing us */
- #define __glxext_h_
-+#define __glx_glxext_h_
- #include <GL/glx.h>
- #undef __glxext_h_
-+#undef __glx_glxext_h_
-
- #ifndef GLX_VERSION_1_3
- #define _ALLEGRO_GLX_VERSION_1_3
---
-2.20.0
-- 
2.46.0





Added tag(s) easy. Request was from Nicolas Graves <ngraves <at> ngraves.fr> to control <at> debbugs.gnu.org. (Sun, 03 Nov 2024 21:02:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#74060; Package guix-patches. (Mon, 11 Nov 2024 12:39:01 GMT) Full text and rfc822 format available.

Message #10 received at 74060 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74060 <at> debbugs.gnu.org
Subject: Re: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Mon, 11 Nov 2024 21:37:31 +0900
Hi!

Nicolas Graves <ngraves <at> ngraves.fr> writes:

> This package has no dependencies in Guix, is unsupported (see
> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>
> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
> * gnu/local.mk: Deregister patch.
> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.

We also have an allegro-4.0 variable; is this one not vulnerable?
https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggests it is (up to
5.2.6).

-- 
Thanks,
Maxim




Information forwarded to guix-patches <at> gnu.org:
bug#74060; Package guix-patches. (Mon, 11 Nov 2024 14:19:01 GMT) Full text and rfc822 format available.

Message #13 received at 74060 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 74060 <at> debbugs.gnu.org
Subject: Re: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Mon, 11 Nov 2024 15:17:47 +0100
On 2024-11-11 21:37, Maxim Cournoyer wrote:

> Hi!
>
> Nicolas Graves <ngraves <at> ngraves.fr> writes:
>
>> This package has no dependencies in Guix, is unsupported (see
>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>
>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>> * gnu/local.mk: Deregister patch.
>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>
> We also have an allegro-4.0 variable; is this one not vulnerable?
> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggests it is (up to
> 5.2.6).

If it is removable easily, we should remove it, yes.  I might have
forgotten this one.

They are indeed unsupported versions, I reported that upstream in
https://github.com/liballeg/allegro5/issues/1587
which confirmed that these versions won't receive security patches.

-- 
Best regards,
Nicolas Graves




Information forwarded to guix-patches <at> gnu.org:
bug#74060; Package guix-patches. (Tue, 12 Nov 2024 10:59:02 GMT) Full text and rfc822 format available.

Message #16 received at 74060 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 74060 <at> debbugs.gnu.org
Subject: Re: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Tue, 12 Nov 2024 11:58:05 +0100
On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote:

> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>
>> Hi!
>>
>> Nicolas Graves <ngraves <at> ngraves.fr> writes:
>>
>>> This package has no dependencies in Guix, is unsupported (see
>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>
>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>> * gnu/local.mk: Deregister patch.
>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>
>> We also have an allegro-4.0 variable; is this one not vulnerable?
>> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggests it is (up to
>> 5.2.6).
>
> If it is removable easily, we should remove it, yes.  I might have
> forgotten this one.
>
> They are indeed unsupported versions, I reported that upstream in
> https://github.com/liballeg/allegro5/issues/1587
> which confirmed that these versions won't receive security patches.

Indeed there's still a package depending on allegro-4 (aseprite). I
think that's the reason why I didn't consider updating it back then.
The issue is that the new version of aseprite seems nonfree (restricts
freedom to share the software, and the freedom to collaborate on the
software).

IMO we should remove both. Users can still use time-machine if they
really want to use that version, or submit a new version of aseprite in
nonguix. WDYT?

-- 
Best regards,
Nicolas Graves




Information forwarded to guix-patches <at> gnu.org:
bug#74060; Package guix-patches. (Tue, 12 Nov 2024 12:32:02 GMT) Full text and rfc822 format available.

Message #19 received at 74060 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74060 <at> debbugs.gnu.org
Subject: Re: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Tue, 12 Nov 2024 21:30:13 +0900
Hi Nicolas,

Nicolas Graves <ngraves <at> ngraves.fr> writes:

> On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote:
>
>> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>>
>>> Hi!
>>>
>>> Nicolas Graves <ngraves <at> ngraves.fr> writes:
>>>
>>>> This package has no dependencies in Guix, is unsupported (see
>>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>>
>>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>>> * gnu/local.mk: Deregister patch.
>>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>>
>>> We also have an allegro-4.0 variable; is this one not vulnerable?
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggests it is (up to
>>> 5.2.6).
>>
>> If it is removable easily, we should remove it, yes.  I might have
>> forgotten this one.
>>
>> They are indeed unsupported versions, I reported that upstream in
>> https://github.com/liballeg/allegro5/issues/1587
>> which confirmed that these versions won't receive security patches.
>
> Indeed there's still a package depending on allegro-4 (aseprite). I
> think that's the reason why I didn't consider updating it back then.
> The issue is that the new version of aseprite seems nonfree (restricts
> freedom to share the software, and the freedom to collaborate on the
> software).
>
> IMO we should remove both. Users can still use time-machine if they
> really want to use that version, or submit a new version of aseprite in
> nonguix. WDYT?

Sounds reasonable.  We now have a package removal policy (info
'(guix)Deprecation Policy').  For leaf packages, it's as easy as sending
a patch removing a package for review, and giving it one month before
merging it, to allow time for anyone to voice their opinion.

-- 
Thanks,
Maxim




bug closed, send any further explanations to 74060 <at> debbugs.gnu.org and Nicolas Graves <ngraves <at> ngraves.fr> Request was from Nicolas Graves <ngraves <at> ngraves.fr> to control <at> debbugs.gnu.org. (Tue, 12 Nov 2024 17:05:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 11 Dec 2024 12:24:12 GMT) Full text and rfc822 format available.

This bug report was last modified 193 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.