[CC guix-devel@gnu.org] So we have to make a choice:
1. Package a released program with a known vulnerability; or 2. Package an unreleased git snapshot. Which is the lesser evil? J' On Sat, Mar 18, 2017 at 12:21:40PM -0400, Kei Kebreau wrote: > John Darrington <j...@darrington.wattle.id.au> writes: > > > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote: > > > > Judging from the description of the software, it seems like this could > > fit in gnu/packages/image.scm. > > Also, the linter says that this package vulnerable to > > CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see > > if that fix works for this package? > > > > * https://github.com/commontk/DCMTK/commit/1b6bb76 > > > > > > Unfortunately this patch doesn't go in. It seems that as well as fixing > > this > > vulnerability it also makes some unrelated changes. Furthermore, it depends > > on a whole lot of other patches which are not in this release. > > > > Do we have a procedure on what to do in cases like this? > > > > J' > > I don't know if we have an official procedure, though we could try using > a later git snapshot with the security patch already integrated. > Hopefully that provides functionality compatible to that of the stable > release, though it's at least a five year difference between release times. > > http://git.cmtk.org/?p=dcmtk.git,a=tags
