From: Diego Elio Pettenò
To: "gentoo-dev@lists.gentoo.org"
Date: Fri, 8 Nov 2013 15:18:33 +0000
Subject: Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8
In-Reply-To: <527C7517.3070409@gentoo.org>

On Fri, Nov 8, 2013 at 5:22 AM, "Paweł Hajdan, Jr." <phajdan.jr@gentoo.org> wrote:

> Problem #1 is that sci-geosciences/osgearth-2.4 depends on
> =dev-lang/v8-3.18.5.14 (see
> <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
> doesn't work with more recent v8, but it can be made to not depend on v8.

If "made not to depend" means "bundle", is the bundled version any safer than the ebuild there? If the answer is no, you're now increasing the security issue.

Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/