On Tue, 16 Jan 2018 22:19:15 +0000
"M. J. Everitt" <m.j.ever...@iee.org> wrote:

> On 16/01/18 21:56, Róbert Čerňanský wrote:
> > On Tue, 16 Jan 2018 15:58:11 +0100
> > Kristian Fiskerstrand <k...@gentoo.org> wrote:
> >  
> >> On 01/16/2018 03:45 PM, Aaron W. Swenson wrote:  
> >>> Given the situation, we have a choice: Remove GnuCash altogether,
> >>> or press ahead with recommending a version upstream considers
> >>> unstable.    
> >> Or 3, discuss with upstream to see if they can release an updated
> >> version as stable branch.  
> > 4. Mask the vulnerable webkit-gtk.  This way: A. User is informed.
> > B. Manual action is required to continue using such package.
> >
> > I see this as the most obvious choice considering that I am still
> > unable to find any possible attack vector against GnuCash.  If it
> > is me and only me who enters data.  Webkit reports are generated
> > from those data.  How can anyone hack me through GnuCash?
> >
> > In general, many times users use applications in a way that
> > vulnerabilities do not apply to their use cases.  I would prefer
> > to be informed and allowed to continue using such application as a
> > part of the distro.
> >
> > Robert
> >
> >  
> Forgive my potential misunderstanding here .. but who's actively
> preventing you from using GnuCash 2.6? You can take a copy locally to
> /usr/local/portage so that When/If finally it gets removed from the
> central package 'tree' it will run for you provided its requirements
> are still met on your system ...

That's correct, nobody is preventing me and I already have copies of
several packages.  But with each additional package Gentoo becomes less
and less valuable.  You can say the same thing about every package.  But
what would be the point of a Linux distribution then?

I worked with the assumption that there is a motivation in Gentoo to provide
value in the form of a stable GnuCash and I merely presented a way which I
see as most pragmatic.  It allows Gentoo to continue to provide that value and
raises awareness about webkit-gtk security vulnerabilities.

Of course there is also a possibility that maintainers may have lost
interest/motivation to maintain old webkit-gtk.  Which would be normal
and perfectly fine but a completely different matter than security.

Robert


-- 
Róbert Čerňanský
E-mail: ope...@tightmail.com
Jabber: h...@jabber.sk
