[PATCH] gnu: newsbeuter: Supersede.

  • Done
  • quality assurance status badge
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Tobias Geerinckx-Rice
  • ng0
Owner
unassigned
Submitted by
Tobias Geerinckx-Rice
Severity
normal
T
T
Tobias Geerinckx-Rice wrote on 4 Jan 2018 03:21
(address . guix-patches@gnu.org)
20180104022157.27354-1-me@tobias.gr
* gnu/packages/syndication.scm (newsbeuter)[properties]: Mark as superseded
by newsboat.
---

Guix,

Newsbeuter has been sufficiently (unpatched-CVE-level) stagnant for long
enough that the last maintainer done went and forked it as Newsboat[0].

While our Newsbeuter shouldn't be outright vulnerable (thanks to Leo and
Efraim), and newsbeuter.org might be only temporarily off-line, what do
we think about blessing its successor? Surely it's but a one-line patch.

Kind regards,

T G-R


gnu/packages/syndication.scm | 97 ++++++++++++++++++++++----------------------
1 file changed, 49 insertions(+), 48 deletions(-)

Toggle diff (114 lines)
diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm
index 086b132b7..6bfbe77cf 100644
--- a/gnu/packages/syndication.scm
+++ b/gnu/packages/syndication.scm
@@ -31,54 +31,6 @@
#:use-module (gnu packages xml)
#:use-module (gnu packages web))
-(define-public newsbeuter
- (package
- (name "newsbeuter")
- (version "2.9")
- (source
- (origin
- (method url-fetch)
- (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
- version ".tar.gz"))
- (patches (search-patches "newsbeuter-CVE-2017-12904.patch"
- "newsbeuter-CVE-2017-14500.patch"))
- (sha256
- (base32
- "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))
- (build-system gnu-build-system)
- (arguments
- '(#:phases
- (modify-phases %standard-phases
- (replace 'configure
- (lambda _
- (substitute* "config.sh"
- ;; try to remove this at the next release
- (("ncursesw5") "ncursesw6"))
- #t)))
- #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")))
- #:test-target "test"))
- (native-inputs
- `(("gettext" ,gettext-minimal)
- ("perl" ,perl)
- ("pkg-config" ,pkg-config)
- ("ruby" ,ruby))) ; for tests
- (inputs
- `(("curl" ,curl)
- ("json-c" ,json-c-0.12) ; check whether json-c-0.12 can be removed
- ("ncurses" ,ncurses)
- ("stfl" ,stfl)
- ("sqlite" ,sqlite)
- ("libxml2" ,libxml2)))
- (home-page "https://newsbeuter.org/")
- (synopsis "Text mode rss feed reader with podcast support")
- (description "Newsbeuter is an innovative RSS feed reader for the text
-console. It supports OPML import/exports, HTML rendering, podcast (podbeuter),
-offline reading, searching and storing articles to your filesystem, and many
-more features. Its user interface is coherent, easy to use, and might look
-common to users of @command{mutt} and @command{slrn}.")
- (license (list license:gpl2+ ; filter/*
- license:expat)))) ; everything else
-
(define-public newsboat
(package
(name "newsboat")
@@ -128,3 +80,52 @@ file system, and many more features.
It started life as a fork of the currently unmaintained Newsbeuter.")
(license (list license:gpl2+ ; filter/*
license:expat)))) ; everything else
+
+(define-public newsbeuter
+ (package
+ (name "newsbeuter")
+ (version "2.9")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
+ version ".tar.gz"))
+ (patches (search-patches "newsbeuter-CVE-2017-12904.patch"
+ "newsbeuter-CVE-2017-14500.patch"))
+ (sha256
+ (base32
+ "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))
+ (build-system gnu-build-system)
+ (arguments
+ '(#:phases
+ (modify-phases %standard-phases
+ (replace 'configure
+ (lambda _
+ (substitute* "config.sh"
+ ;; try to remove this at the next release
+ (("ncursesw5") "ncursesw6"))
+ #t)))
+ #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")))
+ #:test-target "test"))
+ (native-inputs
+ `(("gettext" ,gettext-minimal)
+ ("perl" ,perl)
+ ("pkg-config" ,pkg-config)
+ ("ruby" ,ruby))) ; for tests
+ (inputs
+ `(("curl" ,curl)
+ ("json-c" ,json-c-0.12) ; check whether json-c-0.12 can be removed
+ ("ncurses" ,ncurses)
+ ("stfl" ,stfl)
+ ("sqlite" ,sqlite)
+ ("libxml2" ,libxml2)))
+ (home-page "https://newsbeuter.org/")
+ (synopsis "Text mode rss feed reader with podcast support")
+ (description "Newsbeuter is an innovative RSS feed reader for the text
+console. It supports OPML import/exports, HTML rendering, podcast (podbeuter),
+offline reading, searching and storing articles to your filesystem, and many
+more features. Its user interface is coherent, easy to use, and might look
+common to users of @command{mutt} and @command{slrn}.")
+ (license (list license:gpl2+ ; filter/*
+ license:expat)) ; everything else
+ (properties `((superseded . ,newsboat))))) ; unmaintained
--
2.15.0
L
L
Leo Famulari wrote on 4 Jan 2018 03:59
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 29973@debbugs.gnu.org)
20180104025937.GA25138@jasmine.lan
On Thu, Jan 04, 2018 at 03:21:57AM +0100, Tobias Geerinckx-Rice wrote:
Toggle quote (19 lines)
> * gnu/packages/syndication.scm (newsbeuter)[properties]: Mark as superseded
> by newsboat.
> ---
>
> Guix,
>
> Newsbeuter has been sufficiently (unpatched-CVE-level) stagnant for long
> enough that the last maintainer done went and forked it as Newsboat[0].
>
> While our Newsbeuter shouldn't be outright vulnerable (thanks to Leo and
> Efraim), and newsbeuter.org might be only temporarily off-line, what do
> we think about blessing its successor? Surely it's but a one-line patch.
>
> Kind regards,
>
> T G-R
>
> [0]: https://groups.google.com/forum/#!topic/newsbeuter/RPtlWX8CPGU

I think it's a good idea!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlpNmJUACgkQJkb6MLrK
fwiJ9BAA0yNU7ZPlAXwqeJJG25UGA/uwi11OvFazgkmlg6vrsAgoiDwOHyMoUezt
mCs/VOVN+4FpX9p6xAfe1kpAZfpNNs/PqEFlqIsQjvN3vJYZskYj/Gf/RZX7IgzR
enLWJ1IrP6OpiYyGBCmvhRP1G9V7rQ5mXfrcprAy1JsLK2cbBr2uwGpvWnCkHRkG
RvkZJhVAm+9x7dD8D7NDOdvT1YSpl/jlE0iX1XEK2M+cdqnQ33N65tTW0DVdsb5I
M9dotbQ98eWbMbgwLzdDW58aZ2Hh6PtDwixjYGYisYldcN+QBNMhehH89lBIBT/N
vGI2s0DdsKd2Zy4wdZTMmrM89rl0bjsufprSh+jfz+7P3VFhZvT7/yfluVj8Io9z
ZA/qFmn9HHMmA3xArsUjcrVLe0Tg9hY9krRtwYv4MNriPP/FVGiCIwcV1QRZRx5u
y/RzJ9AVYGPtdjkv2Ao8I0prtwZTAh2T5o/6PmUcV91WTKCwSQWgCgHEEp2ZkUUh
J20Jw3knGpSFP8NtKO0FH1JveA4fpx01/jDjhMdkbFQouk0NFdGxrmRmHpD/lndN
k/UhFHA5rIGiTsJAtxmGXmRBmEave8KO4y7jfBI7ULu6zlHpTTNrIGEZEdjCGUA7
yrMvVpaSPappN/RSkA7Ew1RolqA9VklxFcBF7a17uead1NS/LY4=
=KIhe
-----END PGP SIGNATURE-----


T
T
Tobias Geerinckx-Rice wrote on 4 Jan 2018 15:54
(address . leo@famulari.name)(address . 29973@debbugs.gnu.org)
6a8f089c-e60e-c4ad-9ec3-e4a82afde605@tobias.gr
Leo,

Leo Famulari wrote on 04/01/18 at 03:59:
Toggle quote (6 lines)
>> While our Newsbeuter shouldn't be outright vulnerable (thanks to Leo and
>> Efraim), and newsbeuter.org might be only temporarily off-line, what do
>> we think about blessing its successor? Surely it's but a one-line patch.
>
> I think it's a good idea!

Good to hear! Any chance there's a less silly way to make the change?

Kind regards,

T G-R
Attachment: signature.asc
L
L
Leo Famulari wrote on 4 Jan 2018 18:34
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 29973@debbugs.gnu.org)
20180104173422.GB6465@jasmine.lan
On Thu, Jan 04, 2018 at 03:54:28PM +0100, Tobias Geerinckx-Rice wrote:
Toggle quote (11 lines)
> Leo,
>
> Leo Famulari wrote on 04/01/18 at 03:59:
> >> While our Newsbeuter shouldn't be outright vulnerable (thanks to Leo and
> >> Efraim), and newsbeuter.org might be only temporarily off-line, what do
> >> we think about blessing its successor? Surely it's but a one-line patch.
> >
> > I think it's a good idea!
>
> Good to hear! Any chance there's a less silly way to make the change?

I'm not sure what's silly about it? Is there something that requires the
package definition to be moved?
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlpOZZ4ACgkQJkb6MLrK
fwgSXhAAtwSKjnJUSegxHXg2YDYONtp/tuMkMDRaIMjX9dIkpBhfji+U2EsR0ThI
IOWuPvLY7HOVuv/mYA+CzjyWmxkxrL6iCo0xZj70YkH80ZfyHyCN1sQfvXIoKLqd
ObOVyMPC0q6gXDGuuNhYa+4CrqqDS3fkzldQJDWGDgl/nTclhlRavcQiJTYe8dRs
A6cOjRpY7PA86xXaFHZkmP69CkO3DgbaLaPiS1pcWaaJJtng6HFCCgnb77hM4S26
9EVNXM7eKMWUG9pKvyKFrod5fzXSJ+igRzOBwXynJoLFfQDeGYVsK8MQH6blGXfC
YGvbE9M/kn0SsDTMLedNZmsxoFbaLJ3IyQYSFAH/+NuSLZqDE1I0LqKBWLzyeZma
3tArJx3+LhFdlz0bzzj+OFPBo4/VONsXO1OAXCyyoEmAJcUoV37PjA/phSursRSe
LGxIRUQQJYal6vO1m4W1t9ntqZuv3f+5VxXY/CRSdL3VanWiiA41T4CbW8yvgYgC
MH818+P1NA8UUrj83XsOztsmAV/zAJVw1l4jnmLtv11FrjCjm/oRiwNSwOY2rnP9
ZJd9hQoglgRxar0nlLULWkTIKDaeCKkazczO06qiRbQqkSyyS4qZSHgZXynykPGQ
YMJjk7vHIerxLwkz91xQjFq5BQPmssguG7CCYgyw8H7zdND1B8c=
=ZRio
-----END PGP SIGNATURE-----


N
N
ng0 wrote on 4 Jan 2018 20:22
(name . Leo Famulari)(address . leo@famulari.name)
20180104192253.svadno3qvhsvoq57@abyayala
Leo Famulari transcribed 1.6K bytes:
Toggle quote (15 lines)
> On Thu, Jan 04, 2018 at 03:54:28PM +0100, Tobias Geerinckx-Rice wrote:
> > Leo,
> >
> > Leo Famulari wrote on 04/01/18 at 03:59:
> > >> While our Newsbeuter shouldn't be outright vulnerable (thanks to Leo and
> > >> Efraim), and newsbeuter.org might be only temporarily off-line, what do
> > >> we think about blessing its successor? Surely it's but a one-line patch.
> > >
> > > I think it's a good idea!
> >
> > Good to hear! Any chance there's a less silly way to make the change?
>
> I'm not sure what's silly about it? Is there something that requires the
> package definition to be moved?

Can't we use the package property superseded? That's how I imagined 'superseded' would work.
What you are doing is dropping it as far as I remember the first email.

--
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
WWW: https://n0.is/a/ :: https://ea.n0.is
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlpOfw0ACgkQ4i+bv+40
hYjeWw//XxevBsOTa0eNcWZKWl3Ypvc3BhnLxMwpwRcdK2aDsuDefFfsoLD+1tlo
H+rK2QrMLsSsGYgztmHE7+nsF5aoK3yPDghp1X9Evo7BoQFDL/WrAsNUIukM6O4e
oI+2qV2a9XZC4Q4ORgabe24tudhcemWUVa2ic7IPsSXaJjKGgo8pUaAkgLGjk08A
v4c/L3Z01u7ojDTKrrMmZ6J7PXcOzG6t2uIpxHcdLLEo4nL8DLo0JFl0m5r6Yj4H
GjH9QqlfNZhh0mDjgQZmsYEV0CdxAhui6UIxe8+BZdXIZaxsZ9ZcV3GGXLqCBscf
WFfLpJ1ucYLDwVuDGdYYOruQwv2v93kdkNkVaiVJn4wX1MjNUk3Q0TIkrWd0DyhM
1h1ztdMq9TSTKcO8+gPi8yA9QM2M7EyvkQKIgrLZ1K0Vvr5jLPcg2l/2EmurooUa
/zuVXqt3ZWMLf+s9ksojWlRgM0RrYTaFEF98U31OwUAuq+05mHrmnKXUmikavcv8
gUxRRsN4cGndhKxepbXAq1dVwhbzxBcFoK29E9BROzJef8/7PxpIdLs2ddSeRMvX
MVDhHGoKMshWLg0Sq+SK10poeIUBOUG2l/KNOwEU2Ul6pD7yMKwCDmAZeeSPOvi7
9dJt8mmD3W95TSWMPkzkgpV0r/rGvvX1UYtYokNnr7HagnxMnRo=
=PiwQ
-----END PGP SIGNATURE-----


N
N
ng0 wrote on 4 Jan 2018 20:23
(name . Leo Famulari)(address . leo@famulari.name)
20180104192338.gbdv4pefdbwzkaqf@abyayala
Leo Famulari transcribed 1.6K bytes:
Toggle quote (15 lines)
> On Thu, Jan 04, 2018 at 03:54:28PM +0100, Tobias Geerinckx-Rice wrote:
> > Leo,
> >
> > Leo Famulari wrote on 04/01/18 at 03:59:
> > >> While our Newsbeuter shouldn't be outright vulnerable (thanks to Leo and
> > >> Efraim), and newsbeuter.org might be only temporarily off-line, what do
> > >> we think about blessing its successor? Surely it's but a one-line patch.
> > >
> > > I think it's a good idea!
> >
> > Good to hear! Any chance there's a less silly way to make the change?
>
> I'm not sure what's silly about it? Is there something that requires the
> package definition to be moved?

Oops. Nvm my last email.

--
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
WWW: https://n0.is/a/ :: https://ea.n0.is
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlpOfzoACgkQ4i+bv+40
hYgqyw//QKCUutSP6xYJqp1ZpJHLf9+aoVW+0wdKWHACTozP2OSymC0ds6YiKDD2
/00GoNDY3w7+LZ5pO3E4BbwpIYCTR6GkAK0ZlaITdwUtrh1zw03nqah1uML1mKTQ
qrGmZqzUbHIUNOYYaAUNNLr9SrsnwSs4aJ06nlU/WmsP7Ap6ScqIHVsdP2wYZleG
sfM0/sHaEhXAgTG/SGz0YkwM8g9+SjoT2M2NYOjdSacahScrGTfuYlH7cnMLN8MD
JJ2o0uKtGfgETI/BESfSbXgFkU6T2zyU9kCuRab/91tyW7BIzcLqF1/bOxRQdjP1
12ON732T9bPltOseB1ImrcSOPsPhO38z34asupBPT09dk07N6oECi/5UzafYC/J2
gYeqdSYHTgmTT7ASqk/kkfaP4g7zyfTFgbAz5eUrXuM4Rl92V9FPonn6XEMnI3DL
7KS83yXAs4n+aaQkSIMaB8wOD5o4rcKiFBmvrxe6dSusaS3TbW3qkwU/oWNQ0x9j
7jQzeJnMgnBmvPVIKosTDOG6qrDuXrbCssPwcichfKglr4Oe6za4wFVbg9KwQYWx
F8oNjJ7+E7Z8K+tyqagBIJQLpbC6v/C2s9zcWij7FlTW5sEOPnZwsRGqR4ncx2t5
WIK8RdlurdafpHo1779oVkAwWY7vvA3Mtd6b7Z198wis96pMzTc=
=uBTS
-----END PGP SIGNATURE-----


T
T
Tobias Geerinckx-Rice wrote on 4 Jan 2018 20:42
(address . leo@famulari.name)(address . 29973@debbugs.gnu.org)
11e8b12c-4ab6-002e-6956-90cd5f7f6a36@tobias.gr
Leo Famulari wrote on 04/01/18 at 18:34:
Toggle quote (2 lines)
> Is there something that requires the package definition to be moved?

newsbeuter refers directly to ,newsboat. I get an error message if
newsboat isn't defined before newsbeuter.

Toggle quote (2 lines)
> I'm not sure what's silly about it?

What I meant to say was: there might be a better way to do this than a
100-line patch, but this is the best I can come up with.

I don't really understand why

(define-public foo (package ... (inputs `(("bar" ,bar)))))
(define-public bar ...)

appears to work, while

(define-public foo (package ... (properties `((superseded . ,bar)))))
(define-public bar ...)

seems to fail.

Hence feeling a bit silly, and vague waving of hands, and whispering
‘probably macros I guess?’

I should really pick up that book about making elephants eat cake again.

Kind regards,

T G-R
Attachment: signature.asc
L
L
Ludovic Courtès wrote on 8 Jan 2018 00:13
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87wp0tdzyz.fsf@gnu.org
Heya!

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (15 lines)
> What I meant to say was: there might be a better way to do this than a
> 100-line patch, but this is the best I can come up with.
>
> I don't really understand why
>
> (define-public foo (package ... (inputs `(("bar" ,bar)))))
> (define-public bar ...)
>
> appears to work, while
>
> (define-public foo (package ... (properties `((superseded . ,bar)))))
> (define-public bar ...)
>
> seems to fail.

Indeed.

Unless you really want to keep the ‘newsbeuter’ definition around, you
can also simply:

(define-public newsbeuter
(deprecated-package "newsbeuter" newswhatever))

The only value in keeping the old definition is that power users can
still install it with “guix build -e”.

My 2¢,
Ludo’.
T
T
Tobias Geerinckx-Rice wrote on 8 Jan 2018 14:48
(address . ludo@gnu.org)
25919a25-69bc-b6f4-d5fe-973363e53dab@tobias.gr
Ludo',

Ludovic Courtès wrote on 08/01/18 at 00:13:
Toggle quote (6 lines)
> Unless you really want to keep the ‘newsbeuter’ definition around, you
> can also simply:
>
> (define-public newsbeuter
> (deprecated-package "newsbeuter" newswhatever))

Oh, perfect!

That is of course exactly what I was looking for, but I only knew
(and more importantly: grepped for) “superseded”...

Toggle quote (3 lines)
> The only value in keeping the old definition is that power users can
> still install it with “guix build -e”.

I don't think that's appropriate here, so I'll use the above.

Thanks!

T G-R
T
T
Tobias Geerinckx-Rice wrote on 11 Jan 2018 03:17
[PATCH] gnu: newsbeuter: Supersede.
(address . 29973-done@debbugs.gnu.org)
2c1523a0-7aaf-ff79-d6c4-fa5ab0f13991@tobias.gr
Done in f26fa354f1d76ce9cbc43cc553637af3f0c34cc2.

Thanks,

T G-R
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 29973@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 29973
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch