From: "Aaron W. Swenson"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] News Item: GnuCash 2.7+ Breaking Change
Date: Tue, 16 Jan 2018 09:45:59 -0500
Message-ID: <20180116144559.GA6684@gengoff>
In-Reply-To: <20180116150745.0000412a@tightmail.com>
References: <20180110183135.GD15225@martineau.grandmasfridge.local> <1515617164.20929.1.camel@gentoo.org> <20180116150745.0000412a@tightmail.com>

On 2018-01-16 15:07, Róbert Čerňanský wrote:
> On Wed, 10 Jan 2018 22:46:04 +0200
> Mart Raudsepp wrote:
> > 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities,
> > we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who
> > uses it daily) to work quite nicely.
> > I want to last rite gnucash-2.6 used webkit-gtk before the month is
> > over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6
> > will simply be fully masked as well along with it.
>
> I assume that the motivation to get 2.7 stabilized early is to protect
> users from potential damages caused via webkit-gtk security
> vulnerabilities. However, provided that I use GnuCash to display only
> local web data (generated reports) I feel much more comfortable
> to entrust my data to the stable 2.6 version rather than unstable 2.7
> about which the upstream says:
>
> "Unstable (development) releases are for testing purposes only. They
> contain the newest features and improvements, but may also contain
> serious bugs still. Don't install these releases for everyday use." [1]
>
> "Due to the possibility of data corruption, unstable releases should
> only be used on a copy of live GnuCash data." [2]
>
> I think generated reports are typical use of webkit in GnuCash. Are
> attack vectors so severe also in this case?
>
> Thank you.
>
> 1. http://gnucash.org/download.phtml
> 2. https://wiki.gnucash.org/wiki/Development_Process
>
> Robert

You are welcome to keep the insecure/outdated packages on your machine.
You do not have to update. We're just working towards the long overdue
removal of a security risk from the tree.

Really, it isn't so much that gnucash is at risk because it uses the
old insecure net-libs/webkit-gtk:2 (it may very well be, but there
haven't been any reports that I've seen), but it is all the other
packages that use webkit-gtk to render HTML from untrusted sources that
are at risk. If we could have, we would have removed
net-libs/webkit-gtk:{2,3} long ago. This is nearly two years overdue. [1]

However, this removal will result in it being impossible for anyone to
build gnucash-2.6, so that must be removed as well.

Given the situation, we have a choice: remove GnuCash altogether, or
press ahead with recommending a version upstream considers unstable.

[1]: https://bugs.gentoo.org/577068