Leo Famulari <l...@famulari.name> skribis:

> On Thu, Nov 03, 2016 at 10:17:18PM -0500, Eric Bavier wrote:
>> On Thu, 03 Nov 2016 18:54:55 -0400
>> Kei Kebreau <k...@openmailbox.org> wrote:
>> 
>> > From b837111e3ddf406a3b9235538f63af678e3ac741 Mon Sep 17 00:00:00 2001
>> > From: Kei Kebreau <k...@openmailbox.org>
>> > Date: Thu, 3 Nov 2016 17:58:48 -0400
>> > Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of 
>> > w3m.
>> > 
>> > Fixes some security issues seen here:
>> > <http://www.openwall.com/lists/oss-security/2016/11/03/3>
>> > 
>> > * gnu/packages/patches/w3m-upstream-20120522.patch: New file.
>> > * gnu/packages/patches/w3m-debian-updates.patch: New file.
>> > * gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained
>> > fork of w3m.
>> > [source]: Use Debian's tarball and patches. Remove obsolete patches.
>> > [arguments]: Remove unnecessary modification of %standard-phases.
>> > * gnu/local.mk (dist_patch_DATA): Register new patches. Remove obsolete
>> > patches.
>> > ---
>> >  gnu/local.mk                                       |     6 +-
>> >  gnu/packages/patches/w3m-debian-updates.patch      | 28498 
>> > +++++++++++++++++++
>> 
>> So theirs is the only actively maintained version of w3m and all they
>> can provide is a 28.5 thousand line patch?  No VCS repository?  There
>> must be some point at which it would be better for us to fetch the
>> patch in an origin rather than importing it into our repo.
>
> I think we build from their Git repo:
>
> https://anonscm.debian.org/cgit/collab-maint/w3m.git
>
> They even offer non-Debian-ized release tags, such as
> <v0.5.3+git20161031>.

Then we should use that instead of importing all the patches in our own
repo, IMO.

Kei: would that work for you?

Thanks,
Ludo’.

Reply via email to