On Sat, Sep 16, 2023 at 02:52:54PM +0100, Stuart Henderson wrote:
> (+cc ghidra maintainer)
>
> On 2023/09/16 14:55, Peter Hessler wrote:
> >
> > On 2023 Sep 16 (Sat) at 07:30:46 -0400 (-0400), Ian Darwin wrote:
> > :On Sat, Sep 16, 2023 at 11:36:08AM +0100, Stuart Henderson wrote:
> > :> > Unfortunately there is a show-stopper here. We have to fix/update
> > :> > security/ghidra which is not trivial.
> > :> >
> > :> The ghidra port is really outdated, even from just a quick look at
> > :> release notes various of the changes look security-related, not what you
> > :> want when analysing (possibly malicious) binaries. At this point,
> > :> especially since it was already noticed >1y ago, I don't think ghidra
> > :> should stand in the way of updating gradle, I'd be ok with marking ghidra
> > :> BROKEN and updating gradle.
> > :
> > :I concur.
> > :
> >
> > So to me the only question is timing. Do we disable ghidra before
> > release because it is so dangerous, or do we disable it after release and
> > give interested people some time to fix it?
>
> I think it would be reasonable to do that before release.
>
> If somebody already has ghidra installed and upgrades, it won't
> disappear (and because it's java software, shouldn't have compat
> problems due to syscall changes etc, because the jdk package will
> still be updated).
>
> And if not, at least they won't get a 3yo version if they run
> "pkg_add ghidra" from scratch.
>
> (Also, since current versions of ghidra themselves now use jdk 17,
> afaik updating gradle will be a prerequisite to updating ghidra anyway).
I have marked the Ghidra port as BROKEN. I looked into updating Ghidra
some time ago and it was a lot of work, so I agree that it's best that we
mark it as BROKEN before release since it's unlikely that it can be
updated before release.

phessler, I'm ok with your java/gradle update.

Thanks,
Lawrence