From: Róbert Čerňanský
To: gentoo-dev@lists.gentoo.org
Date: Wed, 17 Jan 2018 08:49:21 +0100
Subject: Re: [gentoo-dev] News Item: GnuCash 2.7+ Breaking Change
Message-ID: <20180117084921.00000287@tightmail.com>

On Tue, 16 Jan 2018 22:19:15 +0000
"M. J. Everitt" wrote:

> On 16/01/18 21:56, Róbert Čerňanský wrote:
> > On Tue, 16 Jan 2018 15:58:11 +0100
> > Kristian Fiskerstrand wrote:
> >
> >> On 01/16/2018 03:45 PM, Aaron W. Swenson wrote:
> >>> Given the situation, we have a choice: Remove GnuCash altogether,
> >>> or press ahead with recommending a version upstream considers
> >>> unstable.
> >> Or 3, discuss with upstream to see if they can release an updated
> >> version as stable branch.
> > 4. Mask the vulnerable webkit-gtk. This way: A. User is informed.
> > B. Manual action is required to continue using such package.
> >
> > I see this as the most obvious choice considering that I am still
> > unable to find any possible attack vector against GnuCash. If it
> > is me and only me who enters data. Webkit reports are generated
> > from those data. How can anyone hack me through GnuCash?
> >
> > In general, many times users use applications in a way that
> > vulnerabilities do not apply to their use cases. I would prefer
> > to be informed and allowed to continue using such application as a
> > part of the distro.
> >
> > Robert
> >
> >
> Forgive my potential misunderstanding here .. but who's actively
> preventing you from using GnuCash 2.6? You can take a copy locally to
> /usr/local/portage so that When/If finally it gets removed from the
> central package 'tree' it will run for you provided its requirements
> are still met on your system ...

That's correct, nobody is preventing me and I already have copies of
several packages. But with each additional package Gentoo becomes less
and less valuable. You can say the same thing about every package. But
what would be the point of a Linux distribution then?

I worked with the assumption that there is a motivation in Gentoo to
provide value in the form of a stable GnuCash, and I merely presented
the way which I see as most pragmatic. It allows continuing to provide
that value and raises awareness about webkit-gtk security
vulnerabilities.

Of course there is also a possibility that maintainers may have lost
interest/motivation to maintain old webkit-gtk. Which would be normal
and perfectly fine but a completely different matter than security.

Robert

--
Róbert Čerňanský
E-mail: openhs@tightmail.com
Jabber: hs@jabber.sk