We do a good job of deploying security updates to [email protected]. Typically, we push the update within 24 hours.
However, several packages still depend on [email protected], which is unmaintained upstream and surely contains many serious security vulnerabilities.

    $ guix refresh -l [email protected]
    Building the following 6 packages would ensure 10 dependent packages are rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2

People who install these packages probably do not expect to install software containing publicly disclosed security vulnerabilities. We should try to make these packages use a maintained version of webkitgtk. If that's not possible, what should we do?

Here is a primer on the tangled world of webkit forks and versions:

https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

It states that distros should not expect [email protected] to receive security updates:

------
We could attempt to provide security backports to WebKitGTK+ 2.4. This would be very time consuming and therefore very expensive, so count this out.
------
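The `guix refresh -l` summary above lists the direct dependents of the old webkitgtk on a single line. As an added example (not part of the original message, and not Guix's own tooling), here is a POSIX shell helper that splits that line into one "name version" pair per package, so the list can be fed into an audit checklist, and that cross-checks the count stated in the summary against the packages actually listed. The function names `parse_refresh_dependents` and `check_refresh_count` are assumptions; the sample text is copied from the message.

```shell
#!/bin/sh
# Added example, not from the original message: parse the one-line
# "guix refresh -l" summary into one "NAME VERSION" line per direct
# dependent. Function names are hypothetical; SAMPLE is the output
# quoted in the message.

SAMPLE='Building the following 6 packages would ensure 10 dependent packages are rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1 elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2'

# Read "guix refresh -l" output on stdin and print "NAME VERSION" per package.
# Guix package specs are split from their version at the first hyphen that
# is followed by a digit; the ${var%%-[0-9]*} expansion removes the longest
# suffix matching that pattern, which implements exactly that split
# (e.g. "kicad-4.0-1.4ee344e" -> "kicad" and "4.0-1.4ee344e").
parse_refresh_dependents() {
    sed -n 's/^Building the following .*: //p' |
    tr ' ' '\n' |
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        name=${spec%%-[0-9]*}
        version=${spec#"$name-"}
        printf '%s %s\n' "$name" "$version"
    done
}

# Sanity check: the package count stated in the summary line must match
# the number of specs listed after it. Returns 0 when consistent, 1 otherwise.
# Note that the "10 dependent packages" figure counts transitive dependents
# and is not what is listed; only the 6 direct dependents are named.
check_refresh_count() {
    text=$(cat)
    stated=$(printf '%s\n' "$text" |
        sed -n 's/^Building the following \([0-9][0-9]*\) packages.*/\1/p')
    listed=$(printf '%s\n' "$text" | parse_refresh_dependents | wc -l | tr -d ' ')
    [ -n "$stated" ] && [ "$stated" -eq "$listed" ]
}

# Usage with the sample from the message:
#   printf '%s\n' "$SAMPLE" | parse_refresh_dependents
#   printf '%s\n' "$SAMPLE" | check_refresh_count && echo "count consistent"
```

The name/version split follows the Guix convention of cutting at the first hyphen followed by a digit, which is why `kicad-4.0-1.4ee344e` yields the name `kicad` rather than `kicad-4.0`.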
