[PATCH 3/7] gnu: Add dcmtk.

Details
5 participants
  • John Darrington
  • John Darrington
  • Kei Kebreau
  • Leo Famulari
  • Ricardo Wurmus
Owner
unassigned
Submitted by
John Darrington
Severity
normal


John Darrington wrote 8 years ago
Recipients: guix-patches@gnu.org, John Darrington <jmd@gnu.org>
Message-ID: 1489608324-23632-3-git-send-email-jmd@gnu.org
* gnu/packages/image-processing.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
---
gnu/local.mk | 1 +
gnu/packages/image-processing.scm | 75 +++++++++++++++++++++++++++++++++++++++
2 files changed, 76 insertions(+)
create mode 100644 gnu/packages/image-processing.scm

diff --git a/gnu/local.mk b/gnu/local.mk
index c1b076a..15325d3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -187,6 +187,7 @@ GNU_SYSTEM_MODULES = \
%D%/packages/idris.scm \
%D%/packages/idutils.scm \
%D%/packages/image.scm \
+ %D%/packages/image-processing.scm \
%D%/packages/image-viewers.scm \
%D%/packages/imagemagick.scm \
%D%/packages/indent.scm \
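Review bot: this registers a new module that holds a single package, two lines below `%D%/packages/image.scm`, which already exists for image libraries; either say in the commit message why dcmtk needs its own `image-processing.scm`, or drop this hunk and add the package to `gnu/packages/image.scm`.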
diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
new file mode 100644
index 0000000..e1ad93e
--- /dev/null
+++ b/gnu/packages/image-processing.scm
@@ -0,0 +1,75 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 John Darrington <jmd@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages image-processing)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils)
+ #:use-module (guix download)
+ #:use-module (guix build-system gnu)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages compression)
+ #:use-module (gnu packages documentation)
+ #:use-module (gnu packages image)
+ #:use-module (gnu packages perl))
+
+(define-public dcmtk
+ (package
+ (name "dcmtk")
+ (version "3.6.0")
+ (source (origin
+ (method url-fetch)
+ (uri
+ (string-append
+ "ftp://dicom.offis.de/pub/dicom/offis/software/dcmtk/dcmtk"
+ (string-fold (lambda (x prev)
+ (if (eq? x #\.) prev
+ (string-append prev (string x))))
+ "" version)
+ "/dcmtk-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "0fnkbq0nz8658svdn1xnjrv8qm618gln1q8ykwszmb9225q0kifg"))))
+ (build-system gnu-build-system)
+ (arguments `(#:parallel-build? #f ; Broken makefile
+ #:tests? #f ; There are no tests
+ #:make-flags `("CXXFLAGS=-fpermissive -fPIC"
+ "CFLAGS=-fPIC")
+ #:phases
+ (modify-phases %standard-phases
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (zero? (system* "make"
+ "install-all")))))))
+ (inputs `(("libtiff" ,libtiff)
+ ("libpng" ,libpng)
+ ("doxygen" ,doxygen)
+ ("zlib" ,zlib)))
+ (native-inputs `(("perl" ,perl)))
+ (synopsis "Libraries and programs implementing large parts the DICOM standard")
+ (description "DCMTK is a collection of libraries and applications
+implementing large parts the DICOM standard. It includes software for
+examining, constructing and converting DICOM image files, handling offline
+media, sending and receiving images over a network connection, as well as
+demonstrative image storage and worklist servers.")
+ (home-page "http://dcmtk.org")
+ (license (license:fsf-free
+ "file://COPYRIGHT"
+ "A union of the Apache 2.0 licence and various non-copyleft
+licences similar to the Modified BSD licence."))))
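Review bot: `CXXFLAGS=-fpermissive -fPIC` in `#:make-flags` downgrades C++ type errors to warnings for the whole build, which hides exactly the class of defect a reviewer of a DICOM parser wants to see; state which error it works around and carry a targeted patch rather than a global flag. In the same hunk: the inner `` `("CXXFLAGS=-fpermissive -fPIC" "CFLAGS=-fPIC") `` is a second quasiquote nested inside the `arguments` quasiquote where a plain `'(...)` is meant; the replaced `install` phase binds `outputs` without using it and runs `(system* "make" "install-all")` without the make flags, so whatever `install-all` compiles is built without them; `doxygen` is a build-time tool and belongs in `native-inputs` next to `perl`; and both the synopsis and the description read "large parts the DICOM standard", missing "of".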
--
2.1.4
Kei Kebreau wrote 8 years ago
Recipients: John Darrington <jmd@gnu.org>, 26109@debbugs.gnu.org
Message-ID: 871stv7hyk.fsf@openmailbox.org
John Darrington <jmd@gnu.org> writes:

> * gnu/packages/image-processing.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.

Judging from the description of the software, it seems like this could
fit in gnu/packages/image.scm.

> ---
> gnu/local.mk | 1 +
> gnu/packages/image-processing.scm | 75 +++++++++++++++++++++++++++++++++++++++
> 2 files changed, 76 insertions(+)
> create mode 100644 gnu/packages/image-processing.scm
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index c1b076a..15325d3 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -187,6 +187,7 @@ GNU_SYSTEM_MODULES = \
> %D%/packages/idris.scm \
> %D%/packages/idutils.scm \
> %D%/packages/image.scm \
> + %D%/packages/image-processing.scm \
> %D%/packages/image-viewers.scm \
> %D%/packages/imagemagick.scm \
> %D%/packages/indent.scm \
> diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
> new file mode 100644
> index 0000000..e1ad93e
> --- /dev/null
> +++ b/gnu/packages/image-processing.scm
> @@ -0,0 +1,75 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2017 John Darrington <jmd@gnu.org>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu packages image-processing)
> + #:use-module ((guix licenses) #:prefix license:)
> + #:use-module (guix packages)
> + #:use-module (guix utils)
> + #:use-module (guix download)
> + #:use-module (guix build-system gnu)
> + #:use-module (gnu packages)
> + #:use-module (gnu packages compression)
> + #:use-module (gnu packages documentation)
> + #:use-module (gnu packages image)
> + #:use-module (gnu packages perl))
> +
> +(define-public dcmtk
> + (package
> + (name "dcmtk")
> + (version "3.6.0")
> + (source (origin
> + (method url-fetch)
> + (uri
> + (string-append
> + "ftp://dicom.offis.de/pub/dicom/offis/software/dcmtk/dcmtk"
> + (string-fold (lambda (x prev)
> + (if (eq? x #\.) prev
> + (string-append prev (string x))))
> + "" version)

The same effect is more directly (IMO) accomplished using the following:

(string-join (string-split version #\.) "")

> + "/dcmtk-"
> + version ".tar.gz"))
> + (sha256
> + (base32
> + "0fnkbq0nz8658svdn1xnjrv8qm618gln1q8ykwszmb9225q0kifg"))))
> + (build-system gnu-build-system)
> + (arguments `(#:parallel-build? #f ; Broken makefile
> + #:tests? #f ; There are no tests
> + #:make-flags `("CXXFLAGS=-fpermissive -fPIC"
> + "CFLAGS=-fPIC")
> + #:phases
> + (modify-phases %standard-phases
> + (replace 'install
> + (lambda* (#:key outputs #:allow-other-keys)
> + (zero? (system* "make"
> + "install-all")))))))
> + (inputs `(("libtiff" ,libtiff)
> + ("libpng" ,libpng)
> + ("doxygen" ,doxygen)
> + ("zlib" ,zlib)))
> + (native-inputs `(("perl" ,perl)))
> + (synopsis "Libraries and programs implementing large parts the DICOM standard")
> + (description "DCMTK is a collection of libraries and applications

Nitpicking again: why the double space between "description" and the
double quote?

> +implementing large parts the DICOM standard. It includes software for
> +examining, constructing and converting DICOM image files, handling offline
> +media, sending and receiving images over a network connection, as well as
> +demonstrative image storage and worklist servers.")
> + (home-page "http://dcmtk.org")
> + (license (license:fsf-free
> + "file://COPYRIGHT"
> + "A union of the Apache 2.0 licence and various non-copyleft
> +licences similar to the Modified BSD licence."))))

Also, the linter says that this package is vulnerable to
CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
if that fix works for this package?

* https://github.com/commontk/DCMTK/commit/1b6bb76

Other than the above, LGTM.

John Darrington wrote 8 years ago
Recipients: Kei Kebreau <kei@openmailbox.org>, John Darrington <jmd@gnu.org>, 26109@debbugs.gnu.org
Message-ID: 20170318072335.GA12217@jocasta.intra
> On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>
> Judging from the description of the software, it seems like this could
> fit in gnu/packages/image.scm.
> Also, the linter says that this package is vulnerable to
> CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> if that fix works for this package?
>
> * https://github.com/commontk/DCMTK/commit/1b6bb76

Unfortunately this patch doesn't go in. It seems that as well as fixing this
vulnerability it also makes some unrelated changes. Furthermore, it depends
on a whole lot of other patches which are not in this release.

Do we have a procedure on what to do in cases like this?

J'

--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


Kei Kebreau wrote 8 years ago
Recipients: John Darrington <john@darrington.wattle.id.au>, John Darrington <jmd@gnu.org>, 26109@debbugs.gnu.org
Message-ID: 87mvci5ze3.fsf@openmailbox.org
John Darrington <john@darrington.wattle.id.au> writes:

> On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>
> Judging from the description of the software, it seems like this could
> fit in gnu/packages/image.scm.
> Also, the linter says that this package is vulnerable to
> CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> if that fix works for this package?
>
> * https://github.com/commontk/DCMTK/commit/1b6bb76
>
>
> Unfortunately this patch doesn't go in. It seems that as well as fixing this
> vulnerability it also makes some unrelated changes. Furthermore, it depends
> on a whole lot of other patches which are not in this release.
>
> Do we have a procedure on what to do in cases like this?
>
> J'

I don't know if we have an official procedure, though we could try using
a later git snapshot with the security patch already integrated.
Hopefully that provides functionality compatible with that of the stable
release, though it's at least a five-year difference between release times.

http://git.cmtk.org/?p=dcmtk.git,a=tags

John Darrington wrote 8 years ago
Recipients: Kei Kebreau <kei@openmailbox.org>, guix-devel@gnu.org, 26109@debbugs.gnu.org
Message-ID: 20170318173630.GA14983@gnu.org
[CC guix-devel@gnu.org]

So we have to make a choice:

1. Package a released program with a known vulnerability; or
2. Package an unreleased git snapshot.

Which is the lesser evil?

J'

On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
> John Darrington <john@darrington.wattle.id.au> writes:
>
> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
> >
> > Judging from the description of the software, it seems like this could
> > fit in gnu/packages/image.scm.
> > Also, the linter says that this package is vulnerable to
> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> > if that fix works for this package?
> >
> > * https://github.com/commontk/DCMTK/commit/1b6bb76
> >
> >
> > Unfortunately this patch doesn't go in. It seems that as well as fixing this
> > vulnerability it also makes some unrelated changes. Furthermore, it depends
> > on a whole lot of other patches which are not in this release.
> >
> > Do we have a procedure on what to do in cases like this?
> >
> > J'
>
> I don't know if we have an official procedure, though we could try using
> a later git snapshot with the security patch already integrated.
> Hopefully that provides functionality compatible to that of the stable
> release, though it's at least a five year difference between release times.
>
> http://git.cmtk.org/?p=dcmtk.git,a=tags
Kei Kebreau wrote 8 years ago
Recipients: John Darrington <jmd@gnu.org>, guix-devel@gnu.org, 26109@debbugs.gnu.org
Message-ID: 87pohb4czq.fsf@openmailbox.org
John Darrington <jmd@gnu.org> writes:

> [CC guix-devel@gnu.org]
>
> So we have to make a choice:
>
> 1. Package a released program with a known vulnerability; or
> 2. Package an unreleased git snapshot.
>
> Which is the lesser evil?

I choose option two. I'm quite uncomfortable with packaging software
that is known to be vulnerable. To me it seems almost malicious if it
can be avoided.

Other opinions?

>
> J'
>
> On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote:
>> John Darrington <john@darrington.wattle.id.au> writes:
>>
>> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>> >
>> > Judging from the description of the software, it seems like this could
>> > fit in gnu/packages/image.scm.
>> > Also, the linter says that this package is vulnerable to
>> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
>> > if that fix works for this package?
>> >
>> > * https://github.com/commontk/DCMTK/commit/1b6bb76
>> >
>> >
>> > Unfortunately this patch doesn't go in. It seems that as well as fixing this
>> > vulnerability it also makes some unrelated changes. Furthermore, it depends
>> > on a whole lot of other patches which are not in this release.
>> >
>> > Do we have a procedure on what to do in cases like this?
>> >
>> > J'
>>
>> I don't know if we have an official procedure, though we could try using
>> a later git snapshot with the security patch already integrated.
>> Hopefully that provides functionality compatible to that of the stable
>> release, though it's at least a five year difference between release times.
>>
>> http://git.cmtk.org/?p=dcmtk.git,a=tags

Leo Famulari wrote 8 years ago
Recipients: John Darrington <john@darrington.wattle.id.au>, John Darrington <jmd@gnu.org>, Kei Kebreau <kei@openmailbox.org>, 26109@debbugs.gnu.org
Message-ID: 20170321021240.GA29321@jasmine
On Sat, Mar 18, 2017 at 08:23:35AM +0100, John Darrington wrote:
> On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
>
> Judging from the description of the software, it seems like this could
> fit in gnu/packages/image.scm.
> Also, the linter says that this package is vulnerable to
> CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> if that fix works for this package?
>
> * https://github.com/commontk/DCMTK/commit/1b6bb76
>
>
> Unfortunately this patch doesn't go in. It seems that as well as fixing this
> vulnerability it also makes some unrelated changes. Furthermore, it depends
> on a whole lot of other patches which are not in this release.
>
> Do we have a procedure on what to do in cases like this?

We could see what other distros have done. Maybe they have a simpler
patch we could copy. Or, we could try building from an arbitrary Git
commit.


Leo Famulari wrote 8 years ago
Recipients: John Darrington <jmd@gnu.org>, guix-devel@gnu.org, Kei Kebreau <kei@openmailbox.org>, 26109@debbugs.gnu.org
Message-ID: 20170321021331.GB29321@jasmine
On Sat, Mar 18, 2017 at 01:36:31PM -0400, John Darrington wrote:
> [CC guix-devel@gnu.org]
>
> So we have to make a choice:
>
> 1. Package a released program with a known vulnerability; or

Although all non-trivial software contains bugs, many of which can be
exploited, we should not add new packages with known exploitable
vulnerabilities.


John Darrington wrote 8 years ago
Recipients: Leo Famulari <leo@famulari.name>, 26109@debbugs.gnu.org
Message-ID: 20170321023043.GA455@jocasta.intra
> On Sat, Mar 18, 2017 at 08:23:35AM +0100, John Darrington wrote:
> > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
> >
> > Judging from the description of the software, it seems like this could
> > fit in gnu/packages/image.scm.
> > Also, the linter says that this package is vulnerable to
> > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
> > if that fix works for this package?
> >
> > Unfortunately this patch doesn't go in. It seems that as well as fixing this
> > vulnerability it also makes some unrelated changes. Furthermore, it depends
> > on a whole lot of other patches which are not in this release.
> >
> > Do we have a procedure on what to do in cases like this?
>
> We could see what other distros have done. Maybe they have a simpler
> patch we could copy.

I did try that too. Unfortunately the Debian patch seems to have combined some non-CVE
fixes into the same patch AND that patch is dependent upon some other unrelated patches.

I probably could with a lot of trial and error make a patch which works, but IMO that
defeats the purpose. A security patch should be A) as simple as possible; B) not
contain any unrelated fixes; and C) prepared by someone who knows what she is doing.

> Or, we could try building from an arbitrary Git commit.

Yes. That is the other option - I think it might be what we'll have to do.

J'





Leo Famulari wrote 8 years ago
Recipients: John Darrington <john@darrington.wattle.id.au>, 26109@debbugs.gnu.org
Message-ID: 20170321183012.GC28482@jasmine
On Tue, Mar 21, 2017 at 03:30:43AM +0100, John Darrington wrote:
> On Mon, Mar 20, 2017 at 10:12:40PM -0400, Leo Famulari wrote:
> I did try that too. Unfortunately the Debian patch seems to have combined some non-CVE
> fixes into the same patch AND that patch is dependent upon some other unrelated patches.

Bah.

> I probably could with a lot of trial and error make a patch which works, but IMO that
> defeats the purpose. A security patch should be A) as simple as possible; B) not
> contain any unrelated fixes; and C) prepared by someone who knows what she is doing.

Indeed.

> Or, we could try building from an arbitrary Git commit.
>
> Yes. That is the other option - I think it might be what we'll have to do.

Okay, let us know how it goes.


Ricardo Wurmus wrote 8 years ago
Recipients: Leo Famulari <leo@famulari.name>, 26109-done@debbugs.gnu.org, John Darrington <john@darrington.wattle.id.au>
Message-ID: 87h90l6d7n.fsf@elephly.net
Leo Famulari <leo@famulari.name> writes:

>> Or, we could try building from an arbitrary Git commit.
>>
>> Yes. That is the other option - I think it might be what we'll have to do.
>
> Okay, let us know how it goes.

I tried extracting a patch but it was virtually impossible to make it
apply without introducing more security problems in the attempt.

So I updated the package to use the latest commit from git.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
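Packaging the snapshot Kei proposes and Ricardo reports committing, as an added example written by the editor against the current Guix API (it is neither the patch under review nor the definition that was actually committed): the 3.6.0 `url-fetch` origin becomes a `git-fetch` origin pinned to one commit, using `git-version` and `git-file-name` from `(guix git-download)`. The commit hash, the `revision` counter, the sha256 and the repository URL are placeholders assumed for illustration; the build arguments are the patch's own, minus `-fpermissive`.

```scheme
;;; Added example (not the patch under review, and not the definition that
;;; was finally committed): pin dcmtk to one upstream Git commit instead of
;;; the 3.6.0 release tarball.  COMMIT, REVISION, the sha256 and the
;;; repository URL are placeholders; the real hash comes from running
;;; `guix hash -rx .` inside a checkout of the chosen commit.
(define-module (gnu packages image-processing)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix git-download)      ; git-fetch, git-reference, git-version
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages documentation)
  #:use-module (gnu packages image)
  #:use-module (gnu packages perl))

(define-public dcmtk
  ;; Bind the commit once; bump REVISION whenever COMMIT changes so that the
  ;; version string keeps increasing and `guix package -u` sees an upgrade.
  (let ((commit "0000000000000000000000000000000000000000") ; placeholder
        (revision "1"))
    (package
      (name "dcmtk")
      ;; "3.6.0-1.0000000": last release, revision, short commit.  It sorts
      ;; after the plain 3.6.0 release the snapshot supersedes.
      (version (git-version "3.6.0" revision commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      ;; Assumed upstream repository; the thread only names
                      ;; a fork (commontk/DCMTK) and git.cmtk.org.
                      (url "https://github.com/DCMTK/dcmtk")
                      (commit commit)))
                ;; Name the checkout so its store path is distinguishable
                ;; from a tarball of the same package.
                (file-name (git-file-name name version))
                ;; Content hash of the checkout.  Pinning both the commit and
                ;; the hash means a moved tag or a rewritten branch fails the
                ;; build instead of silently changing what gets packaged.
                (sha256
                 (base32
                  "0000000000000000000000000000000000000000000000000000"))))
      (build-system gnu-build-system)
      ;; Carried over from the 3.6.0 patch, minus -fpermissive; a newer tree
      ;; may need different flags or none of these at all.
      (arguments
       `(#:parallel-build? #f
         #:tests? #f
         #:make-flags '("CXXFLAGS=-fPIC" "CFLAGS=-fPIC")
         #:phases
         (modify-phases %standard-phases
           (replace 'install
             ;; Pass the same flags to the install step as to the build.
             (lambda* (#:key make-flags #:allow-other-keys)
               (apply invoke "make" "install-all" make-flags))))))
      (inputs `(("libtiff" ,libtiff)
                ("libpng" ,libpng)
                ("zlib" ,zlib)))
      ;; Build-time tools only.
      (native-inputs `(("doxygen" ,doxygen)
                       ("perl" ,perl)))
      (synopsis "Libraries and programs implementing large parts of the DICOM standard")
      (description "DCMTK is a collection of libraries and applications
implementing large parts of the DICOM standard.  It includes software for
examining, constructing and converting DICOM image files, handling offline
media, sending and receiving images over a network connection, as well as
demonstrative image storage and worklist servers.")
      (home-page "http://dcmtk.org")
      (license (license:fsf-free
                "file://COPYRIGHT"
                "A union of the Apache 2.0 licence and various non-copyleft
licences similar to the Modified BSD licence.")))))
```

Pinning the commit and the content hash together is what makes the snapshot reproducible: `guix build dcmtk` stops if the checkout's hash differs from the recorded one, so a force-push or re-tag upstream surfaces as a build failure rather than as different code in the store.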
Closed