New version of Spotify is available. Reproducible: Always
Created attachment 351512 spotify-0.9.1.55.ebuild
Comment on attachment 351512 [details] spotify-0.9.1.55.ebuild --- spotify-0.9.0.133-r1.ebuild 2013-06-10 22:27:04.000000000 +0200 +++ - 2013-06-21 15:06:19.085604938 +0200 @@ -1,16 +1,15 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/media-sound/spotify/spotify-0.9.0.133-r1.ebuild,v 1.1 2013/06/10 20:27:04 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-sound/spotify/spotify-0.8.8.323-r2.ebuild,v 1.2 2013/03/23 19:59:15 vapier Exp $ EAPI=4 inherit eutils fdo-mime gnome2-utils pax-utils unpacker DESCRIPTION="Spotify is a social music platform" HOMEPAGE="https://www.spotify.com/ch-de/download/previews/" -MY_PV="${PV}.gd18ed58.259-1" +MY_PV="${PV}.gbdd3b79.203-1" MY_P="${PN}-client_${MY_PV}" SRC_BASE="http://repository.spotify.com/pool/non-free/${PN:0:1}/${PN}/" -#SRC_BASE="http://download.spotify.com/preview/" SRC_URI=" x86? ( ${SRC_BASE}${MY_P}_i386.deb ) amd64? ( ${SRC_BASE}${MY_P}_amd64.deb )
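Review bot: The added "# $Header:" line names spotify-0.8.8.323-r2.ebuild (v 1.2, vapier) rather than the 0.9.0.133-r1 file this is diffed against, which suggests the new ebuild was started from the older revision. Please confirm that nothing introduced in 0.9.0.133-r1 was lost along the way, and submit the header without the stale path and author. Separately, the SRC_URI context lines still fetch both .deb files from SRC_BASE over plain http://, so it is worth checking whether the repository can be referenced over https instead.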
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/media-sound/spotify-0.9.1.55/image/opt/spotify/spotify-client/spotify
Auto fixing rpaths for /var/tmp/portage/media-sound/spotify-0.9.1.55/image/opt/spotify/spotify-client/spotify
 * QA Notice: The following files contain insecure RUNPATHs
 * Please file a bug about this at http://bugs.gentoo.org/
 * with the maintaining herd of the package.
 * /var/tmp/portage/media-sound/spotify-0.9.1.55/image/opt/spotify/spotify-client/spotify
 *

Not packaging while it has a sec bug, let me see what I can do.
making a note here http://blog.tremily.us/posts/rpath/
*** Bug 475130 has been marked as a duplicate of this bug. ***
Upstream said they have a fix for the next release, hopefully soon...
Note that the old version is not available. Given the mirror restriction, the recent bump to -r1 is uninstallable.
sorry, I can't package something that has a sec vuln. They have stated that they will release a new version soon, hopefully sooner rather than later.
(In reply to Matthew Thode ( prometheanfire ) from comment #8)
> sorry, I can't package something that has a sec vuln. They have stated that
> they will release a new version soon, hopefully sooner rather than later.

You can at least package it and package.mask it. It is better than having a package that is completely uninstallable.
me too.... Fetch failed for 'media-sound/spotify-0.9.0.133-r1' THANKS OBAMA....
I've committed the update (without keywords), but I'm going to leave this bug open until I get a good version from upstream.
prometheanfire: I work at Spotify and have access to some development versions. How do I check if this was fixed? Is it "scanelf -r"? What should be the output?
(In reply to Lukas Polacek from comment #12)
> prometheanfire: I work at Spotify and have access to some development
> versions. How do I check if this was fixed? Is it "scanelf -r"? What should
> be the output?

scanelf -F '%F:%r' -qBR "${ED}"

where "${ED}" is the variable containing your install image (the base / you wish to merge with the actual root dir)
The output is supposed to be empty, right? I get a line ending with "spotify:$ORIGIN:$ORIGIN/Data", so I guess this hasn't been fixed yet.
(In reply to Lukas Polacek from comment #14)
> The output is supposed to be empty, right? I get a line ending with
> "spotify:$ORIGIN:$ORIGIN/Data", so I guess this hasn't been fixed yet.

I have a better way for you to see if you fixed it. Run 'readelf -d $spotify-binary'

BAD
- 0x000000000000000f (RPATH) Library rpath: [:$ORIGIN]

GOOD
+ 0x000000000000000f (RPATH) Library rpath: [$ORIGIN]

This is typically an error in the build system if that helps. See also http://blog.tremily.us/posts/rpath/
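The readelf check described above, as an added example that is not part of the original thread or of any Gentoo or Spotify tooling: a POSIX shell function (audit_rpath, a name chosen here) that reads `readelf -d` output and flags every RPATH/RUNPATH entry that is empty, which glibc's loader resolves to the current working directory, or relative. It goes slightly beyond the thread by also covering RUNPATH and relative entries; the sample lines are constructed from values quoted in the comments.

```shell
#!/bin/sh
# Added example. Reads `readelf -d` output on stdin, prints one line per
# unsafe RPATH/RUNPATH entry, and returns 1 if any was found (0 otherwise).
audit_rpath() {
    awk '
    # An entry is anchored if it is absolute or starts at $ORIGIN / ${ORIGIN}.
    function anchored(e,    rest) {
        if (substr(e, 1, 1) == "/") return 1
        if (index(e, "$ORIGIN") == 1) rest = substr(e, 8)
        else if (index(e, "${ORIGIN}") == 1) rest = substr(e, 10)
        else return 0
        return rest == "" || substr(rest, 1, 1) == "/"
    }
    /\((RPATH|RUNPATH)\)/ {
        tag = ($0 ~ /\(RPATH\)/) ? "RPATH" : "RUNPATH"
        lb = index($0, "[")
        rb = length($0)
        while (rb > lb && substr($0, rb, 1) != "]") rb--
        if (lb == 0 || rb <= lb) next            # no [..] value on this line
        # split() on ":" keeps empty fields, so "[:$ORIGIN]" yields two entries.
        n = split(substr($0, lb + 1, rb - lb - 1), entry, ":")
        if (n == 0) { n = 1; entry[1] = "" }     # "[]": the whole value is empty
        for (i = 1; i <= n; i++) {
            if (entry[i] == "") reason = "empty"
            else if (anchored(entry[i])) continue
            else reason = "relative"
            printf "%s entry %d [%s]: %s\n", tag, i, entry[i], reason
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed samples, built from the rpath values quoted in the thread.
BAD_SAMPLE=' 0x000000000000000f (RPATH)              Library rpath: [:$ORIGIN]'
GOOD_SAMPLE=' 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN:$ORIGIN/Data]'

printf '%s\n' "$BAD_SAMPLE"  | audit_rpath || echo "insecure search path"
printf '%s\n' "$GOOD_SAMPLE" | audit_rpath && echo "search path ok"

# Against a real binary (path is a placeholder): readelf -d ./spotify | audit_rpath
```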
Alright, it's [$ORIGIN:$ORIGIN/Data], so there is no empty path. Let's hope we release a new public version soon.
sounds good to me :D