Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.

2017-03-20 Thread Leo Famulari 
On Sat, Mar 18, 2017 at 01:36:31PM -0400, John Darrington wrote:
> [CC guix-devel@gnu.org]
> 
> So we have to make a choice:
> 
> 1. Package a released program with a known vulnerability; or

Although all non-trivial software contains bugs, many of which can be
exploited, we should not add new packages with known exploitable
vulnerabilities.


signature.asc
Description: PGP signature

Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.

2017-03-20 Thread Kei Kebreau 
John Darrington  writes:

> [CC guix-devel@gnu.org]
>
> So we have to make a choice:
>
> 1. Package a released program with a known vulnerability; or
> 2. Package an unreleased git snapshot.
>
> Which is the lesser evil?

I choose option two. I'm quite uncomfortable with packaging software
that is known to be vulnerable. To me it seems almost malicious if it
can be avoided.

Other opinions?

>
> J'
>
> On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
>> John Darrington  writes:
>> 
>> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>> >  
>> >  Judging from the description of the software, it seems like this could
>> >  fit in gnu/packages/image.scm.
>> >  Also, the linter says that this package vulnerable to
>> >  CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>> >  if that fix works for this package?
>> >  
>> >  * https://github.com/commontk/DCMTK/commit/1b6bb76
>> >  
>> >
>> > Unfortunately this patch doesn't go in.  It seems that as well as fixing 
>> > this
>> > vulnerability it also makes some unrelated changes.  Furthermore, it 
>> > depends
>> > on a whole lot of other patches which are not in this release.
>> >
>> > Do we have a procedure on what to do in cases like this?
>> >
>> > J'
>> 
>> I don't know if we have an official procedure, though we could try using
>> a later git snapshot with the security patch already integrated.
>> Hopefully that provides functionality compatible to that of the stable
>> release, though it's at least a five year difference between release times.
>> 
>> http://git.cmtk.org/?p=dcmtk.git,a=tags


signature.asc
Description: PGP signature

Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.

2017-03-18 Thread John Darrington 
[CC guix-devel@gnu.org]

So we have to make a choice:

1. Package a released program with a known vulnerability; or
2. Package an unreleased git snapshot.

Which is the lesser evil?

J'

On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
> John Darrington  writes:
> 
> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
> >  
> >  Judging from the description of the software, it seems like this could
> >  fit in gnu/packages/image.scm.
> >  Also, the linter says that this package vulnerable to
> >  CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> >  if that fix works for this package?
> >  
> >  * https://github.com/commontk/DCMTK/commit/1b6bb76
> >  
> >
> > Unfortunately this patch doesn't go in.  It seems that as well as fixing 
> > this
> > vulnerability it also makes some unrelated changes.  Furthermore, it depends
> > on a whole lot of other patches which are not in this release.
> >
> > Do we have a procedure on what to do in cases like this?
> >
> > J'
> 
> I don't know if we have an official procedure, though we could try using
> a later git snapshot with the security patch already integrated.
> Hopefully that provides functionality compatible to that of the stable
> release, though it's at least a five year difference between release times.
> 
> http://git.cmtk.org/?p=dcmtk.git,a=tags