Leo Famulari wrote:

> We do a good job of deploying security updates to webkitgtk@2.14.
> Typically, we push the update within 24 hours.
>
> However, several packages still depend on webkitgtk@2.4, which is
> unmaintained upstream and surely contains many serious security
> vulnerabilities.
>
> $ guix refresh -l webkitgtk@2.4
> Building the following 6 packages would ensure 10 dependent packages are
> rebuilt: aria-maestosa-1.4.11 wxmaxima-16.04.2 filezilla-3.24.1
> elixir-1.3.2 kicad-4.0-1.4ee344e audacity-2.1.2
>
> People who install these packages probably do not expect to install
> software containing publicly disclosed security vulnerabilities.
>
> We should try to make these packages use a maintained version of
> webkitgtk.
Maybe those packages are already confirmed to work with 2.14, in some commit in upstream software. If they aren't, and we can't make them build with 2.14 in a functional way, it would serve a broad spectrum of clients including Guix users to get in contact with the affected package.

> If that's not possible, what should we do?
>
> Here is a primer on the tangled world of webkit forks and versions:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>
> It states that distros should not expect webkitgtk@2.4 to receive
> security updates:
> ------
> We could attempt to provide security backports to WebKitGTK+ 2.4. This
> would be very time consuming and therefore very expensive, so count this
> out.
> ------
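The first step the thread asks for (find out whether a dependent of webkitgtk 2.4 builds against the maintained series) can be tried without touching the package definitions, by rewriting the dependent's input graph and building the result. The following Guile snippet is an added example, not code from this bug thread or from the Guix tree; it assumes that the variables `webkitgtk` (maintained series) and `webkitgtk-2.4` are exported by `(gnu packages webkit)` and that `aria-maestosa` is exported by `(gnu packages music)`, so adjust those module names if they differ.

```scheme
;; Added example, not code from the bug thread or from Guix itself.  It
;; builds a variant of one dependent package with every occurrence of
;; webkitgtk 2.4 in its input graph replaced by the maintained webkitgtk,
;; so the variant can be build-tested before anything is changed in Guix.
;; Assumptions: the variables `webkitgtk' (maintained series) and
;; `webkitgtk-2.4' live in (gnu packages webkit), and `aria-maestosa' in
;; (gnu packages music); adjust the module names if they differ.
(use-modules (srfi srfi-1)
             (ice-9 match)
             (guix packages)
             (gnu packages webkit)
             (gnu packages music))

;; package-input-rewriting returns a procedure that walks a package's
;; dependency graph and replaces each key package by its value.
(define use-maintained-webkitgtk
  (package-input-rewriting `((,webkitgtk-2.4 . ,webkitgtk))))

;; The variant keeps aria-maestosa's own source, arguments and phases;
;; only its inputs change.  Whether the source still compiles against
;; the newer WebKitGTK+ API is exactly what building the variant tells you.
(define aria-maestosa/maintained-webkitgtk
  (use-maintained-webkitgtk aria-maestosa))

;; Sanity check: after the rewrite, webkitgtk-2.4 must not remain as an
;; input at any depth.  package-direct-inputs covers regular, native and
;; propagated inputs; a visited table keeps shared nodes from being
;; walked more than once.
(define (depends-on-old-webkitgtk? pkg)
  (let ((visited (make-hash-table)))
    (let loop ((pkg pkg))
      (cond ((eq? pkg webkitgtk-2.4) #t)
            ((hashq-ref visited pkg) #f)
            (else
             (hashq-set! visited pkg #t)
             (any (match-lambda
                    ((_ (? package? dep) . _) (loop dep))
                    (_ #f))
                  (package-direct-inputs pkg)))))))

(when (depends-on-old-webkitgtk? aria-maestosa/maintained-webkitgtk)
  (error "webkitgtk-2.4 still present in the rewritten input graph"))

;; Last expression: the package, so `guix build -f this-file.scm' builds it.
aria-maestosa/maintained-webkitgtk
```

Saved to a file, `guix build -f FILE` builds the rewritten variant; a failing build at the compile step is the "can't make them build with 2.14" case discussed above, while a successful build is the evidence to attach when proposing that the package's inputs be switched. The rewrite is purely a graph substitution: it does not patch the dependent's source, so anything that worked only because of the old API will show up as a build or test failure rather than silently.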
