[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
|
From: |
Kei Kebreau |
|
Subject: |
Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk. |
|
Date: |
Mon, 20 Mar 2017 21:47:37 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
John Darrington <address@hidden> writes:
> [CC address@hidden
>
> So we have to make a choice:
>
> 1. Package a released program with a known vulnerability; or
> 2. Package an unreleased git snapshot.
>
> Which is the lesser evil?
I choose option two. I'm quite uncomfortable with packaging software
that is known to be vulnerable. To me it seems almost malicious if it
can be avoided.
Other opinions?
>
> J'
>
> On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
>> John Darrington <address@hidden> writes:
>>
>> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>> >
>> > Judging from the description of the software, it seems like this could
>> > fit in gnu/packages/image.scm.
>> > Also, the linter says that this package vulnerable to
>> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>> > if that fix works for this package?
>> >
>> > * https://github.com/commontk/DCMTK/commit/1b6bb76
>> >
>> >
>> > Unfortunately this patch doesn't go in. It seems that as well as fixing
>> > this
>> > vulnerability it also makes some unrelated changes. Furthermore, it
>> > depends
>> > on a whole lot of other patches which are not in this release.
>> >
>> > Do we have a procedure on what to do in cases like this?
>> >
>> > J'
>>
>> I don't know if we have an official procedure, though we could try using
>> a later git snapshot with the security patch already integrated.
>> Hopefully that provides functionality compatible to that of the stable
>> release, though it's at least a five year difference between release times.
>>
>> http://git.cmtk.org/?p=dcmtk.git,a=tags
signature.asc
Description: PGP signature