| Summary: | net-misc/icaclient: still depends on net-libs/webkit-gtk:2 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Andrea De Pasquale <depasquale.andrea> |
| Component: | Current packages | Assignee: | Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | helmut, leio, polynomial-c |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=591816 | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 577068 | | |

Description
Andrea De Pasquale
2017-08-11 16:44:35 UTC
https://github.com/gentoo/gentoo/pull/5391 for the ebuild updates

Thanks,
Gentoo Security Padawan
ChrisADR

There is no way webkit-gtk:4 can be correct, as there is a gtk+:2 dependency, not gtk+:3 dependency. Either that is wrong too, or it just happens to work due to webkit-gtk:2 being optional in the binary, as already concluded in bug 580974 and 579722. selfservice component won't work without webkit-gtk:2 or something; it also won't work with webkit-gtk:4, as you can't mix webkit-gtk:4 and gtk+:2.

Why is this a security@ bug btw? webkit-gtk:2 cleanup is already tracked in bug 577068 by security@

(In reply to Mart Raudsepp from comment #3)
> Why is this a security@ bug btw? webkit-gtk:2 cleanup is already tracked in
> bug 577068 by security@

Indeed the cleanup is being tracked in bug 577068 and I'm adding this report to the list. The main reason is that the ebuild contains a vulnerable RDEP (even if it is optional for most of the users). This means that we need to either inform the users that they are installing a package with vulnerable RDEPS or remove that additional feature from the ebuild in order to have a vulnerability-free package.

Thanks,
Gentoo Security Padawan
ChrisADR

This would also indicate this can work without webkit-gtk: https://forums.fedoraforum.org/showthread.php?316157-Citrix-Receiver-(ICAClient)-in-Fedora-27

Yes, it will work fine without webkit-gtk. But probably not the selfservice component. That fedora thread still can't possibly be right about webkit-gtk:4 being useful for it. Maybe just please remove the dependency, if the main functionality then still works, and deal with any fallout (from unusable selfservice component if so, or anything else) by pointing reporters to complain to the binary package upstream.

This was fixed one month ago and old versions removed.