On 2018-01-16 15:07, Róbert Čerňanský wrote:
> On Wed, 10 Jan 2018 22:46:04 +0200
> Mart Raudsepp wrote:
>
> > 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities,
> > we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who
> > uses it daily) to work quite nicely.
> > I want to last rite gnucash-2.6 used webkit-gtk before the month is
> > over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6
> > will simply be fully masked as well along it.
>
> I assume that the motivation to get 2.7 stabilized early is to protect
> users from potential damages caused via webkit-gtk security
> vulnerabilities. However, provided that I use GnuCash to display only
> local web data (generated reports) I feel much more comfortable
> to entrust my data to the stable 2.6 version rather than unstable 2.7
> about which the upstream says:
>
> "Unstable (development) releases are for testing purposes only. They
> contain the newest features and improvements, but may also contain
> serious bugs still. Don't install these releases for everyday use." [1]
>
> "Due to the possibility of data corruption, unstable releases should
> only be used on a copy of live GnuCash data." [2]
>
> I think generated reports are typical use of webkit in GnuCash. Are
> attack vectors so severe also in this case?
>
> Thank you.
>
> 1. http://gnucash.org/download.phtml
> 2. https://wiki.gnucash.org/wiki/Development_Process
>
> Robert

You are welcome to keep the insecure/outdated packages on your machine. You do not have to update. We're just working towards the long overdue removal of a security risk from the tree.

Really, it isn't so much that gnucash is at risk because it uses the old insecure net-libs/webkit-gtk:2 (it may very well be, but there haven't been any reports that I've seen), but it is all the other packages that use webkit-gtk to render HTML from untrusted sources that are at risk. If we could have, we would have removed net-libs/webkit-gtk:{2,3} long ago. This is nearly two years overdue. [1]

However, this removal will result in it being impossible for anyone to build gnucash-2.6, so that must be removed as well. Given the situation, we have a choice: remove GnuCash altogether, or press ahead with recommending a version upstream considers unstable.

[1]: https://bugs.gentoo.org/577068