Greetings, as discussed in bug #541744, www-apps/tt-rss has moved from tarball releases to "regular git-pull" releases. Closing the bug, Thomas Kahle (now retired) proposed and implemented a 4-times-a-year own packaging for Gentoo. The last package is for 20160930 so we're a little behind schedule (there have been ~240 commits since). :) Is the task of updating the ebuild requiring a maintainer?
I was looking at this as I do use the software myself. There is a pending security issue in the way that we package it that is tricky to fix, hence the delay.
(In reply to James Le Cuirot from comment #1)
> I was looking at this as I do use the software myself. There is a pending
> security issue in the way that we package it that is tricky to fix, hence
> the delay.

I know this is not a chat, but could you elaborate more or give me some quicklinks to understand the security issue and see if I can help fixing it?
(In reply to Luca Santarelli from comment #2)
> I know this is not a chat, but could you elaborate more or give me some
> quicklinks to understand the security issue and see if I can help fixing it?

Sorry, the bug report has been marked confidential. It's not that I can't fix it, I've just had my plate full. My new desktop constantly freezing this past week didn't help. ;) Thankfully it's stopped doing that now.
Just to let you know I've been looking at this. I'm getting some feedback for my suggested security fix.
Any news? :)
Certainly not forgotten. This always seems to be the third thing on my list. I'm currently making changes to Portage for EAPI 7 that I need to test before things are set in stone so that's taken priority for now.
Not sure if anyone does not have the pdo useflag enabled but I also wanted to make you aware of the new pdo requirement https://discourse.tt-rss.org/t/pdo-is-coming-heres-what-you-need-to-know/689
(In reply to James Le Cuirot from comment #6)
> Certainly not forgotten. This always seems to be the third thing on my list.
> I'm currently making changes to Portage for EAPI 7 that I need to test
> before things are set in stone so that's taken priority for now.

With all due respect and since you have your plate full, would you accept some help? From what you wrote in comment #1 I understand that my current install of TT-RSS has been insecure for more than 15 months, which is worrying me more than it being obsolete.
(In reply to Luca Santarelli from comment #8)
> (In reply to James Le Cuirot from comment #6)
> > Certainly not forgotten. This always seems to be the third thing on my list.
> > I'm currently making changes to Portage for EAPI 7 that I need to test
> > before things are set in stone so that's taken priority for now.
>
> With all due respect and since you have your plate full, would you accept
> some help? From what you wrote in comment #1 I understand that my current
> install of TT-RSS has been insecure for more than 15 months, which is
> worrying me more than it being obsolete.

Thank you for the offer. It's okay though, I've now managed to bat other things out of the way and I've been spending some time on this. Just a few more changes to make so I'll try to push something out in the next few days.
I'm more or less done now but I'd like to road test it by doing the migration of TT-RSS from my desktop to my ARM box that I've been meaning to do for ages. Should need just a couple more days.
(In reply to James Le Cuirot from comment #10)
> I'm more or less done now but I'd like to road test it by doing the
> migration of TT-RSS from my desktop to my ARM box that I've been meaning to
> do for ages. Should need just a couple more days.

I've done the migration and it's working but I've had more feedback on my security fix and it needs some fine tuning. The issue is not in TT-RSS itself but in the way that we package it and it's surprisingly hard to get right.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9605ea072743f9a1a27eaf8437de2a41a263bdaf

commit 9605ea072743f9a1a27eaf8437de2a41a263bdaf
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-01-18 13:39:08 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-01-18 13:43:48 +0000

    www-apps/tt-rss: Bump to 20180105, security fix, other fixes

    * Addresses unsafe use of recursive chown/chmod in the init script whilst
      also dealing with poor permissions handling that may have led to issues
      in the past.
    * Fixes "postgresql" misspelling in the init script.
    * Fixes logrotate issue using delaycompress directive.
    * Allows options to be passed to the daemon.

    Bug: https://bugs.gentoo.org/603518
    Closes: https://bugs.gentoo.org/609044
    Closes: https://bugs.gentoo.org/620878
    Closes: https://bugs.gentoo.org/627048
    Closes: https://bugs.gentoo.org/639918
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 www-apps/tt-rss/Manifest                           |  1 +
 www-apps/tt-rss/files/permissions                  | 25 ++++++
 .../tt-rss/files/postinstall-en-with-daemon-r1.txt | 14 ++++
 .../tt-rss/files/postinstall-en-with-daemon.txt    |  2 +-
 www-apps/tt-rss/files/postinstall-en.txt           |  7 +-
 www-apps/tt-rss/files/ttrssd.confd-r2              | 47 ++++++++++++
 www-apps/tt-rss/files/ttrssd.initd-r3              | 88 ++++++++++++++++++++++
 www-apps/tt-rss/files/ttrssd.logrotated            |  1 +
 www-apps/tt-rss/files/ttrssd.logrotated-r1         |  9 +++
 www-apps/tt-rss/tt-rss-20180105.ebuild             | 84 +++++++++++++++++++++
 10 files changed, 271 insertions(+), 7 deletions(-)
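The first bullet of the commit message names the packaging problem: an init script that ran a recursive chown/chmod over the install tree. The example below is added here to illustrate the general point; it is not the Gentoo ebuild's, the new `files/permissions` file's, or tt-rss's own code, and the list format, path names and the temp-directory tree are all constructed for the demo. It applies explicit, per-path ownership and modes from a list, never recurses, and refuses any entry that resolves to a symlink, which is the property a recursive `chown -R`/`chmod -R` over a directory the service user can write into does not give you.

```shell
#!/bin/sh
# Added example (not the Gentoo ebuild's or tt-rss's own code). It shows the
# permissions-handling idea behind the commit message: apply explicit,
# per-path ownership and modes from a list instead of a recursive chown/chmod
# over the whole install tree. The list format, paths and user names below
# are hypothetical; the demo tree is constructed in a temp directory.

# apply_permissions LIST [ROOT]
# LIST holds one "path owner:group mode" per line, relative to ROOT.
# Every entry is applied to that one path only (no -R), so files the service
# user creates under a writable subdirectory never inherit an entry's mode,
# and an entry that resolves to a symlink is refused rather than followed
# (a plain chown/chmod on a symlink argument acts on the link's target).
apply_permissions() {
    list=$1
    root=${2:-/}
    rc=0
    while read -r path owner mode; do
        case $path in ''|'#'*) continue ;; esac
        target="${root%/}/$path"
        if [ -L "$target" ]; then
            echo "refusing symlink: $target" >&2
            rc=1
            continue
        fi
        if [ ! -e "$target" ]; then
            echo "missing: $target" >&2
            rc=1
            continue
        fi
        chown "$owner" "$target" && chmod "$mode" "$target" || rc=1
    done < "$list"
    return $rc
}

# mode_of PATH: octal permission bits (GNU/busybox stat).
mode_of() {
    stat -c %a "$1"
}

# demo: builds a constructed tree, applies a list, then shows a symlink
# entry being refused. Uses the current user so it runs unprivileged.
demo() {
    tmp=$(mktemp -d)
    og="$(id -un):$(id -gn)"
    mkdir -p "$tmp/cache" "$tmp/lock"
    : > "$tmp/config.php"
    ln -s /etc "$tmp/planted"    # a link a compromised service user could leave behind
    printf '%s\n' "# constructed list" \
        "cache $og 770" "lock $og 770" "config.php $og 640" > "$tmp/perms"
    apply_permissions "$tmp/perms" "$tmp"
    echo "cache=$(mode_of "$tmp/cache") config.php=$(mode_of "$tmp/config.php")"
    printf '%s\n' "planted $og 777" > "$tmp/perms-bad"
    if apply_permissions "$tmp/perms-bad" "$tmp"; then
        echo "unexpected: symlink entry was applied"
    else
        echo "symlink entry refused, /etc left alone"
    fi
    rm -rf "$tmp"
}

demo
```

The `-L` test and the later `chown`/`chmod` are still two separate system calls, so a shell script cannot close that window on its own; the reason the pattern is acceptable is that the directories holding the listed paths are owned by root and not writable by the service user, so the user cannot swap a path for a link in between. Keeping the list short and explicit also means a directory the daemon legitimately writes to (a cache or lock directory) is the only thing it owns, rather than the whole application tree.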