Since 2.67, Asymptote has an ability to download and execute code from the Internet: https://github.com/vectorgraphics/asymptote/commit/45e8475ce686 with URLs specified in import statements like import "https://…" as mypackage; I am not going to say much about security implications of this, as I am not a security expert. Though it sounds problematic to me. Anyway, it creates an unaccounted runtime dependency on net-misc/curl, conditional on net-misc/curl present at build-time. Also, since 2.68, --disable-curl flag can be passed to Asympote's configure script: https://github.com/vectorgraphics/asymptote/pull/182 to disable this feature. I suggest either adding a USE flag (like "curl") for media-gfx/asymptote that conditions net-misc/curl dependency, or disabling support for this feature unconditionally.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5dea7521772bdd8be77f1f9f910dfdb2cd8848d commit c5dea7521772bdd8be77f1f9f910dfdb2cd8848d Author: Andrey Grozin <grozin@gentoo.org> AuthorDate: 2021-02-28 13:01:53 +0000 Commit: Andrey Grozin <grozin@gentoo.org> CommitDate: 2021-02-28 13:01:53 +0000 media-gfx/asymptote: bump to 2.69 xasy is currently broken and temporarily removed Closes: https://bugs.gentoo.org/716036 Closes: https://bugs.gentoo.org/766279 Closes: https://bugs.gentoo.org/737122 Package-Manager: Portage-3.0.16, Repoman-3.0.2 Signed-off-by: Andrey Grozin <grozin@gentoo.org> media-gfx/asymptote/Manifest | 1 + media-gfx/asymptote/asymptote-2.69.ebuild | 205 +++++++++++++++++++++ .../asymptote/files/asymptote-2.69-info.patch | 13 ++ .../asymptote/files/asymptote-2.69-xdg-utils.patch | 23 +++ media-gfx/asymptote/metadata.xml | 2 + 5 files changed, 244 insertions(+)
