All current versions of gnucash in the tree depend on webkit-gtk:2, which is a vulnerable library. There is no official announcement in https://github.com/Gnucash/gnucash, but it seems that they have dropped gtk2 in versions earlier than 2.6.17.
There's now a 2.7.0 release: https://sourceforge.net/projects/gnucash/files/gnucash%20%28unstable%29/2.7.0/

According to upstream it's an "unstable" release, but it'd probably be a good idea to get this into the tree asap, as 2.6 is pretty much unusable currently: the old webkit-gtk no longer builds (#621532).
(In reply to Christopher Díaz Riveros from comment #0)
> All current versions from gnucash in the tree depend on webkit-gtk:2 which
> is a vulnerable library.
>
> There is no official announce in https://github.com/Gnucash/gnucash but
> seems that they have dropped gtk2 in versions earlier than 2.6.17

You have to look at the maint branch. It still uses the older webkit.

(In reply to Hanno Boeck from comment #1)
> There's now a 2.7.0 release:
> https://sourceforge.net/projects/gnucash/files/gnucash%20%28unstable%29/2.7.0/
>
> It's according to upstream an "unstable" released, but it'd probably be a
> good idea to get this into the tree asap, as 2.6 is pretty much unusable
> currently, the old webkit-gtk no longer builds (#621532).

I don't think the 2.7.x series would be a good candidate for stable, especially when upstream clearly states not to use it in production. 2.6 is still usable as long as one doesn't unmask icu.
I have 2.7.3 available in my overlay [1]. BACK UP GNUCASH DATA BEFORE USING IT. Changes in the file format are irreversible should you want to switch back to the 2.6 series.

There are some issues with 2.7.3 that make it unsuitable for use in production; it should only be used for testing.

It's been proposed in #gentoo-dev that perhaps the relevant WebKit changes can be backported, since they seem to be isolated to reporting. Unfortunately, I no longer have the time to pursue this option beyond maintaining the ebuild and my finances. Patches welcome. I'll help as I can.

[1]: https://github.com/titanofold/titanofold-gentoo-x86

P.S.: I do intend to get 2.7.3 in the tree shortly. I need another package (dev-cpp/gtest) to change a bit.
Looked at what other distros are doing with old webkit for gnucash:

- Fedora: bundles webkit-gtk-2.4.11 in the gnucash package
- Debian: still has a webkit-gtk-2.4.11 package and gnucash links against that
- Arch: a bit unclear, but I think they either still have webkit-gtk-2.4, or have (temporarily) removed the gnucash package

Regarding the backport idea, that's probably surely a no-go, as it looks like 2.6 can only support gtk2, and backporting gtk3 would be a bit much. There is no security-safe webkit-gtk for gtk2.

Looks like 2.7.3 is gearing up for release as 3.0 soon enough, and 2.7.3 is a rather recent release, so yeah, probably we will need to just jump to 2.7.3 before 3.0 is out. Possibly with closer monitoring for fixes happening upstream.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5e2aea57f0e218ee8601bdaa4965e5202b0e79a

commit d5e2aea57f0e218ee8601bdaa4965e5202b0e79a
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-01-15 10:13:02 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-01-15 10:36:33 +0000

app-office/gnucash: Bump to 2.7.3

Read your news items! This introduces breaking changes in data schemas. Back up your data!

No longer uses insecure net-libs/webkit-gtk.

Bug: https://bugs.gentoo.org/629114
Package-Manager: Portage-2.3.13, Repoman-2.3.3

app-office/gnucash/Manifest                        |   1 +
.../gnucash/files/gnucash-2.7.3-no-gtest-src.patch |  15 ++
app-office/gnucash/gnucash-2.7.3.ebuild            | 151 +++++++++++++++++++++
app-office/gnucash/metadata.xml                    |   2 +
4 files changed, 169 insertions(+)
ping, we have had 2.7.4 for a few days now. Can we proceed with stabilization or whatever it takes to remove 2.6? Its deps don't even build on stable anymore (webkit-gtk:2 fails with the now-stable icu 60.2).

So please stabilize 2.7.4+ very soon, or drop 2.6 and only have p.masked 2.7.4 or ~arch 2.7.4. Bug 644794 was discussing those options.
(In reply to Mart Raudsepp from comment #6)
> ping, we have had 2.7.4 for a few days now. Can we proceed with
> stabilization or whatever it takes to remove 2.6? Its deps dosn't even build
> on stable anymore (webkit-gtk:2 fails with now stable icu 60.2).
>
> So please stabilize 2.7.4+ very soon or drop 2.6 and only have p.masked
> 2.7.4 or ~arch 2.7.4. bug 644794 was discussing those options.

Yup! I was just about to open a stablereq for it today. I haven't seen any bugs get opened for it and haven't run into any myself, so I think it's fairly safe.
Ok. If it's a separate bug, make it block this one then. I'll help poke at the needed arch teams, so we can get rid of webkit-gtk:2.
Can I remove gnucash-2.6 right away after 2.7 is finally all stabled, or do I need to put it under p.mask with webkit-gtk:2?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=655684521c2d999f598dfcc8914c39527d7f4208

commit 655684521c2d999f598dfcc8914c39527d7f4208
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-02-23 05:05:53 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-02-23 05:10:18 +0000

profiles: p.mask old gnucash for now instead of outright removing them

I don't want to remove gnucash-2.6 without an explicit ack from titanofold, but I do want to proceed with p.masking the vulnerable webkit-gtk SLOTs. So put gnucash-2.6 in p.mask for now, until Aaron removes it himself completely, hopefully soon.

gnucash-docs is left unmasked for users that had it, so they still have it and upgrade to the 3.0 docs later on automatically (there don't appear to be any explicit gnucash deps in gnucash-docs itself).

Bug: https://bugs.gentoo.org/629114

profiles/package.mask | 6 ++++++
1 file changed, 6 insertions(+)
(In reply to Mart Raudsepp from comment #9)
> Can I remove gnucash-2.6 right away after 2.7 is finally all stabled, or do
> I need to put it under p.mask with webkit-gtk:2?

Sorry I missed this. Let's mask it with webkit-gtk (like you did).
Can we fully remove it now? I want to remove the old webkit-gtk ebuilds this weekend. See also bug 650996, though.
(In reply to Mart Raudsepp from comment #12)
> Can we fully remove it now? I want to remove old webkit-gtk ebuilds this
> weekend.
> See also bug 650996 though

30 days is this Saturday. I haven't really seen anything that screams we need to keep it beyond the customary 30 days.
So can I remove it now? Do we keep the p.mask entry beyond removal, or remove the p.mask entry together with the ebuild? The webkit-gtk p.mask entry will stay for 2 months more after the ebuilds are removed, but that's for security considerations only.
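For readers who have not seen what the masking discussed in this thread looks like in practice, here is an illustrative profiles/package.mask fragment. It is a constructed example added to this page, not the text of the commits referenced in the thread; the header line and the wording of the reason are assumptions, and the real entries may differ.

```text
# Mart Raudsepp <leio@gentoo.org> (2018-02-23)
# (illustrative entry, not the actual tree content)
# Depends on net-libs/webkit-gtk:2, which is no longer maintained upstream
# and has unfixed security issues. Upgrade to the 2.7.x series; back up
# your GnuCash data first, the file format change is not reversible.
# Bug #629114. Removal in 30 days.
<app-office/gnucash-2.7

# (illustrative entry, not the actual tree content)
# The library SLOT itself stays masked after its ebuilds are removed, so
# that users who still have it installed keep seeing this reason.
net-libs/webkit-gtk:2
```

A mask entry only blocks new installs and rebuilds of the matching atoms; it does not uninstall anything. That is why the thread keeps the webkit-gtk:2 entry in place after the ebuilds are gone: anyone who still has the vulnerable SLOT installed and tries to re-emerge it is shown the mask reason instead of silently succeeding from a stale binary package or overlay.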
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7882f1b8009fcad76af98f6f5e16d555de5b6349

commit 7882f1b8009fcad76af98f6f5e16d555de5b6349
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-03-25 14:27:26 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-03-25 14:27:57 +0000

app-office/gnucash: Remove Security Susceptible

Drop the last release that relies on obsolete and vulnerable net-libs/webkit-gtk:2.

Bug: https://bugs.gentoo.org/629114
Package-Manager: Portage-2.3.24, Repoman-2.3.6

app-office/gnucash/Manifest              |   1 -
app-office/gnucash/gnucash-2.6.19.ebuild | 131 -------------------------------
app-office/gnucash/metadata.xml          |  11 +--
3 files changed, 6 insertions(+), 137 deletions(-)