On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
> Leo Famulari <l...@famulari.name> writes:
>
> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
> >>
> >> * gnu/packages/psyc.scm (psyclpc): New variable.
> >> + (inputs
> >> + `(("zlib" ,zlib)
> >> + ("openssl" ,openssl)))
> >> + ;; pcre is bundled to ensure the version is compatible. XXX: look into
> >> + ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
> >> + ;; functionality reasons we can not unbundle it now.
> >> + ;; ("pcre" ,pcre)))
> >
> > That version of PCRE was released in 2003. We might want to add a
> > warning to the package description...
> >
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>
> Update on this: the pcre bundling was inherited from ldmud, current
> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>
> I'd still like to have the patches in their current form and update
> psyclpc when the next version without pcre is out.

I'd like some more opinions on this. Should we add this package even
though we know it contains some security bugs (linked above)?
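Review bot: the quoted hunk leaves pcre bundled at 4.5 (the `;; ("pcre" ,pcre)))` input is commented out rather than wired up), and the thread's CVE link points at known issues in old PCRE releases, so the package as written ships that exposure silently. Since the thread notes that current ldmud has already unbundled pcre, the same approach seems applicable here; failing that, the package description should state that pcre 4.5 is bundled, as Leo suggested, so the risk is visible to users until the next psyclpc release drops it.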