guix-devel

From: Leo Famulari
Subject: Adding packages with vulnerabilities (was Re: [PATCH 1/2] gnu: Add perl-net-psyc. [pcre])
Date: Sat, 1 Oct 2016 21:50:22 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
> Leo Famulari <address@hidden> writes:
> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
> >> 
> >> * gnu/packages/psyc.scm (psyclpc): New variable.

> >> +    (inputs
> >> +     `(("zlib" ,zlib)
> >> +       ("openssl" ,openssl)))
> >> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
> >> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
> >> +    ;; functionality reasons we can not unbundle it now.
> >> +    ;; ("pcre" ,pcre)))
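Review bot: the comment keeps PCRE bundled "for functionality reasons" without saying what breaks when the system pcre is substituted or how that was established; name the failing feature (or point at the upstream issue) so the next person who revisits the XXX knows what to test, and drop the dead `;; ("pcre" ,pcre)))` line, since the comment already records the intent. Because the bundled copy is a 2003-era release, the package description should carry a plain statement that the embedded regex engine lacks the fixes published for PCRE since then, and any of those fixes that touch code paths psyclpc actually exercises belong as a patch on the bundled source in the origin, not only as a note.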
> >
> > That version of PCRE was released in 2003. We might want to add a
> > warning to the package description...
> >
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
> 
> Update on this: the pcre bundling was inherited from ldmud, current
> ldmud has unbundled pcre, so we will be able to unbundle pcre.
> 
> I'd still like to have the patches in their current form and update
> psyclpc when the next version without pcre is out.

I'd like some more opinions on this. Should we add this package even
though we know it contains some security bugs (linked above)?
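The unbundling ng0 describes, written out as a Guix package definition. This is an added example, not the psyclpc patch under review and not Guix's own package; the version, URI, hash, home-page, license and the `src/pcre` directory name are placeholders marked as such in the code, and it assumes that the current ldmud-derived build picks up the system PCRE once the bundled copy is gone, as ng0 says upstream now does.

```scheme
;; Added example (not the psyclpc patch or Guix's own code): a package
;; definition that deletes a bundled library at source-unpack time and
;; takes it from the distribution instead.  Version, URI, hash, home-page,
;; license and the bundled directory name are placeholders.
(define-module (gnu packages psyc)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages pcre)
  #:use-module (gnu packages tls))

(define-public psyclpc
  (package
    (name "psyclpc")
    (version "0.0")                                   ; placeholder
    (source
     (origin
       (method url-fetch)
       (uri "https://example.org/psyclpc.tar.gz")     ; placeholder
       (sha256
        (base32
         "0000000000000000000000000000000000000000000000000000")) ; placeholder
       ;; The snippet runs on the unpacked source before any build phase,
       ;; so the build cannot fall back to the 2003 copy: if it still
       ;; expects the bundled tree, configure or compile fails loudly
       ;; instead of silently linking the old code.
       (modules '((guix build utils)))
       (snippet
        '(begin
           (delete-file-recursively "src/pcre")         ; assumed path
           #t))))
    (build-system gnu-build-system)
    (inputs
     `(("zlib" ,zlib)
       ("openssl" ,openssl)
       ;; The distribution's PCRE, which is updated (and grafted for
       ;; security fixes) together with the rest of Guix.
       ("pcre" ,pcre)))
    (home-page "https://example.org/")                ; placeholder
    (synopsis "psycLPC interpreter")
    (description "Placeholder description.")
    (license license:gpl2)))                          ; placeholder
```

Two caveats worth keeping in mind while the bundled copy is still in place: `guix lint -c cve` matches CVE entries against the package's own name and version, so it will never flag a vulnerable library hidden inside another package's tarball; and a description warning, as suggested above, tells users about the problem but does not fix it, whereas the snippet plus input makes the system PCRE the only one the build can use.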
