Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
On Sat, Mar 18, 2017 at 01:36:31PM -0400, John Darrington wrote: > [CC guix-devel@gnu.org] > > So we have to make a choice: > > 1. Package a released program with a known vulnerability; or Although all non-trivial software contains bugs, many of which can be exploited, we should not add new packages with known exploitable vulnerabilities. signature.asc Description: PGP signature
Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
John Darrington writes: > [CC guix-devel@gnu.org] > > So we have to make a choice: > > 1. Package a released program with a known vulnerability; or > 2. Package an unreleased git snapshot. > > Which is the lesser evil? I choose option two. I'm quite uncomfortable with packaging software that is known to be vulnerable. To me it seems almost malicious if it can be avoided. Other opinions? > > J' > > On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote: >> John Darrington writes: >> >> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote: >> > >> > Judging from the description of the software, it seems like this could >> > fit in gnu/packages/image.scm. >> > Also, the linter says that this package vulnerable to >> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see >> > if that fix works for this package? >> > >> > * https://github.com/commontk/DCMTK/commit/1b6bb76 >> > >> > >> > Unfortunately this patch doesn't go in. It seems that as well as fixing >> > this >> > vulnerability it also makes some unrelated changes. Furthermore, it >> > depends >> > on a whole lot of other patches which are not in this release. >> > >> > Do we have a procedure on what to do in cases like this? >> > >> > J' >> >> I don't know if we have an official procedure, though we could try using >> a later git snapshot with the security patch already integrated. >> Hopefully that provides functionality compatible to that of the stable >> release, though it's at least a five year difference between release times. >> >> http://git.cmtk.org/?p=dcmtk.git,a=tags signature.asc Description: PGP signature
Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
[CC guix-devel@gnu.org] So we have to make a choice: 1. Package a released program with a known vulnerability; or 2. Package an unreleased git snapshot. Which is the lesser evil? J' On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote: > John Darrington writes: > > > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote: > > > > Judging from the description of the software, it seems like this could > > fit in gnu/packages/image.scm. > > Also, the linter says that this package vulnerable to > > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see > > if that fix works for this package? > > > > * https://github.com/commontk/DCMTK/commit/1b6bb76 > > > > > > Unfortunately this patch doesn't go in. It seems that as well as fixing > > this > > vulnerability it also makes some unrelated changes. Furthermore, it depends > > on a whole lot of other patches which are not in this release. > > > > Do we have a procedure on what to do in cases like this? > > > > J' > > I don't know if we have an official procedure, though we could try using > a later git snapshot with the security patch already integrated. > Hopefully that provides functionality compatible to that of the stable > release, though it's at least a five year difference between release times. > > http://git.cmtk.org/?p=dcmtk.git,a=tags