Bug 610434 - app-accessibility/pocketsphinx-0.8: removal (was: uses security vulnerable gstreamer:0.10)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Accessibility Team
URL:
Whiteboard: Pending removal: 2018-12-04
Keywords: PMASKED
Depends on:
Blocks: gst-0.10-removal
Reported: 2017-02-22 00:22 UTC by Mart Raudsepp
Modified: 2018-12-04 13:43 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
pocketsphinx-0.8.ebuild (pocketsphinx-0.8.ebuild,962 bytes, text/plain)
2018-11-06 22:34 UTC, Samuel Bauer

Description Mart Raudsepp gentoo-dev 2017-02-22 00:22:08 UTC
Some gstreamer 0.10 demuxers and codecs are known vulnerable and it is time to move on and not try to backport patches of bugs that happened to have a CVE stamped on them (many of which aren't easily exploitable at all, while other things might be that don't have a CVE number as it's a dead version).

However app-accessibility/pocketsphinx still hard-requires it.
So the package needs to go away, or a new snapshot packaged, with the 0.8 version removed soon.
Upstream ported to the new gstreamer series at the end of 2014, and that support seems to have received fixes until the end of 2015 (at which point I presume it's matured enough), however there has still been no proper release. The only release available after 0.8 is a "5prealpha", which however would be new enough for gstreamer purposes, but might require sphinxbase-5prealpha as well.
Comment 1 Mart Raudsepp gentoo-dev 2017-09-02 04:31:27 UTC
ping
Comment 2 Andreas Sturmlechner gentoo-dev 2018-06-03 11:13:55 UTC
If no one answers then maybe it should be treecleaned?

PS: At least Debian seems to have packaged '0.8+5prealpha' - still available in Buster - so it can't be that bad.
Comment 3 Samuel Bauer 2018-11-06 22:34:58 UTC
Created attachment 554324
pocketsphinx-0.8.ebuild

I dropped the mandatory gstreamer dependencies from the pocketsphinx ebuild, after seeing that emerge -1 --nodeps pocketsphinx was a success (other dependencies were already installed, gstreamer was not).

It isn't obvious to see that this dependency is not mandatory, as ./configure doesn't expose a switch.

sphinxbase also pushes not so mandatory dependencies (see: #476424)

P.S.: Another free speech recognition engine alternative is nice, as there aren't quite a lot. I would be glad to fill in this comment using speech recognition as an input method.
Comment 4 Larry the Git Cow gentoo-dev 2018-12-04 13:43:44 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e7087a2bac91c5b30dfc576dc7543268fff0ef9

commit 1e7087a2bac91c5b30dfc576dc7543268fff0ef9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-12-04 13:40:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-12-04 13:40:54 +0000

    app-accessibility/pocketsphinx: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/610434
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-accessibility/pocketsphinx/Manifest            |  1 -
 app-accessibility/pocketsphinx/metadata.xml        | 11 -----
 .../pocketsphinx/pocketsphinx-0.8.ebuild           | 50 ----------------------
 profiles/package.mask                              |  6 ---
 4 files changed, 68 deletions(-)