guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Staying on top of Qt security

From: Leo Famulari
Subject: Re: Staying on top of Qt security
Date: Mon, 22 Feb 2016 15:19:50 -0500
User-agent: Mutt/1.5.24 (2015-08-30) 
On Mon, Feb 22, 2016 at 08:53:39PM +0100, Andreas Enge wrote:
> Sorry, Chris, that I bothered you with the state of pumpa; I was so convinced
> that you were the packager that I did not even check! I suppose that I have
> read too many of your blog posts to planet gnu; whenever I hear "federation"
> or "pumpsomething" now, I think of you.
> 
> On Sun, Feb 21, 2016 at 09:42:43AM -0800, Christopher Allan Webber wrote:
> > Leo Famulari writes:
> > > Apparently QJson's master branch has supported Qt-5 for some time, so I
> > > asked the maintainers if that is true, and if they plan to issue a new
> > > release [0]. We could try packaging from git.
> > > https://github.com/flavio/qjson/issues/49
> 
> Thanks for the initiative!
> 
> > Sounds good.  If they don't make a new release, I think packaging from
> > git is the best option.
> 
> I am not a big fan of packaging from non-release versions. Maybe you could
> convince upstream that this is enough of an exciting change to make a release,
> Leo? In the end, it is probably more interesting and important to get rid
> of Qt-4 than to not package from git. But there are still other packages
> requiring Qt-4. Maybe we should wait a bit until their number is more 
> reduced, 
> and then take a joint decision for the remaining ones.

I agree that packaging non-release versions is not ideal. We may trade
one security issue for another, since non-release commits are usually
not scrutinized as much by upstream.

My plan is to wait a little bit to see if QJson takes action.

Another option is to persuade the Pumpa upstream to stop using QJson.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]