On 2018-01-16 15:07, Róbert Čerňanský wrote:
> On Wed, 10 Jan 2018 22:46:04 +0200
> Mart Raudsepp <l...@gentoo.org> wrote:
> > 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities,
> > we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who
> > uses it daily) to work quite nicely.
> > I want to last rite gnucash-2.6 used webkit-gtk before the month is
> > over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6
> > will simply be fully masked as well along it.
> 
> I assume that the motivation to get 2.7 stabilized early it to protect
> users from potentional damages caused via webkit-gtk security
> vulnerabilities.  However, provided that I use GnuCash to display only
> local web data (generated reports) I feel much more comfortable
> to entrust my data to the stable 2.6 version rather than unstable 2.7
> about which the upstream says:
> 
> "Unstable (development) releases are for testing purposes only. They
> contain the newest features and improvements, but may also contain
> serious bugs still. Don't install these releases for everyday use." [1]
> 
> "Due to the possibility of data corruption, unstable releases should
> only be used on a copy of live GnuCash data." [2]
> 
> I think generated reports are typical use of webkit in GnuCash.  Are
> attack vectors so severe also in this case?
> 
> Thank you.
> 
> 1. http://gnucash.org/download.phtml
> 2. https://wiki.gnucash.org/wiki/Development_Process
> 
> Robert

You are welcome to keep the insecure/outdated packages on your
machine. You do not have to update. We’re just working towards the long
overdue removal of a security risk from the tree.

Really, it isn’t so much that gnucash is at risk because it uses the old
insecure net-libs/webkit-gtk:2 (it may very well be, but there haven’t
been any reports that I’ve seen), but it is all the other packages that
use webkit-gtk to render HTML from untrusted sources that are at risk.

If we could have, we would have removed net-libs/webkit-gtk:{2,3} long
ago. This is nearly two years overdue. [1]

However, this removal will result in it being impossible for anyone to
build gnucash-2.6, so that must be removed as well.

Given the situation, we have a choice: Remove GnuCash altogether, or
press ahead with recommending a version upstream considers unstable.

[1]: https://bugs.gentoo.org/577068

Attachment: signature.asc
Description: Digital signature

Reply via email to