On Tue, 16 Jan 2018 22:19:15 +0000
"M. J. Everitt" <m.j.everitt@×××.org> wrote:

> On 16/01/18 21:56, Róbert Čerňanský wrote:
> > On Tue, 16 Jan 2018 15:58:11 +0100
> > Kristian Fiskerstrand <k_f@g.o> wrote:
> >
> >> On 01/16/2018 03:45 PM, Aaron W. Swenson wrote:
> >>> Given the situation, we have a choice: Remove GnuCash altogether,
> >>> or press ahead with recommending a version upstream considers
> >>> unstable.
> >> Or 3, discuss with upstream to see if they can release an updated
> >> version as stable branch.
> > 4. Mask the vulnerable webkit-gtk. This way: A. User is informed.
> > B. Manual action is required to continue using such package.
> >
> > I see this as the most obvious choice considering that I am still
> > unable to find any possible attack vector against GnuCash. If it
> > is me and only me who enters data. Webkit reports are generated
> > from those data. How can anyone hack me through GnuCash?
> >
> > In general, many times users use applications in a way that
> > vulnerabilities do not apply to their use cases. I would prefer
> > to be informed and allowed to continue using such application as a
> > part of the distro.
> >
> > Robert
> >
> >
> Forgive my potential misunderstanding here .. but who's actively
> preventing you from using GnuCash 2.6? You can take a copy locally to
> /usr/local/portage so that When/If finally it gets removed from the
> central package 'tree' it will run for you provided its requirements
> are still met on your system ...

That's correct, nobody is preventing me and I already have copies of
several packages. But with each additional package Gentoo becomes less
and less valuable. You can say the same thing about every package. But
what would be the point of a Linux distribution then?

I worked with the assumption that there is a motivation in Gentoo to provide
a value in a form of stable GnuCash and I merely presented a way which I
see as most pragmatic. It allows to continue to provide that value and
raises awareness about webkit-gtk security vulnerabilities.

Of course there is also a possibility that maintainers may have lost
interest/motivation to maintain old webkit-gtk. Which would be normal
and perfectly fine but completely different matter than security.

Robert

--
Róbert Čerňanský
E-mail: openhs@×××××××××.com
Jabber: hs@××××××.sk