(+cc ghidra maintainer)

On 2023/09/16 14:55, Peter Hessler wrote:
>
> On 2023 Sep 16 (Sat) at 07:30:46 -0400 (-0400), Ian Darwin wrote:
> :On Sat, Sep 16, 2023 at 11:36:08AM +0100, Stuart Henderson wrote:
> :> > Unfortunately there is a show-stopper here. We have to fix/update
> :> > security/ghidra which is not trivial.
> :>
> :> The ghidra port is really outdated, even from just a quick look at
> :> release notes various of the changes look security-related, not what you
> :> want when analysing (possibly malicious) binaries. At this point,
> :> especially since it was already noticed >1y ago, I don't think ghidra
> :> should stand in the way of updating gradle, I'd be ok with marking ghidra
> :> BROKEN and updating gradle.
> :
> :I concur.
> :
>
> So to me the only question is timing. Do we disable ghidra before
> release because it is so dangerous, or do we disable it after release and
> give interested people some time to fix it?

I think it would be reasonable to do that before release. If somebody already has ghidra installed and upgrades, it won't disappear (and because it's java software, shouldn't have compat problems due to syscall changes etc, because the jdk package will still be updated). And if not, at least they won't get a 3yo version if they run "pkg_add ghidra" from scratch.

(Also, since current versions of ghidra themselves now use jdk 17, afaik updating gradle will be a prerequisite to updating ghidra anyway).