Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 661356 - media-libs/woff2-1.0.2-r1 keywording (needed for secure net-libs/webkit-gtk version)
Summary: media-libs/woff2-1.0.2-r1 keywording (needed for secure net-libs/webkit-gtk v...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Keywording (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Linux Gnome Desktop Team
URL:
Whiteboard:
Keywords: KEYWORDREQ
: 663174 (view as bug list)
Depends on:
Blocks: CVE-2018-11646, CVE-2018-11712, CVE-2018-11713, CVE-2018-12293, CVE-2018-12294, CVE-2018-4190, CVE-2018-4192, CVE-2018-4199, CVE-2018-4201, CVE-2018-4214, CVE-2018-4218, CVE-2018-4222, CVE-2018-4232, CVE-2018-4233, WSA-2018-0005
  Show dependency tree
 
Reported: 2018-07-16 23:50 UTC by Mart Raudsepp
Modified: 2018-09-08 09:22 UTC (History)
4 users (show)

See Also:
Package list:
media-libs/woff2-1.0.2-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mart Raudsepp gentoo-dev 2018-07-16 23:50:27 UTC
media-libs/woff2 will be a hard requirement of webkit-gtk-2.20+.
Earlier version of this code used to be bundled with webkit-gtk, but now it's finally available as a system library and thus unbundled from webkit-gtk as well.
As it is rather tiny, I will not make it USE optional, albeit theoretically possible, as that loses important web features for no good reason (library is below 100kB).

Target arches: All that have webkit-gtk:4 and want to keep it

webkit-gtk-2.20 will also be rapid stabilized soon for security. That just means x86 will have to fast stable it soon (feel free to go straight to stable on x86). But for the rest it means security vulnerable webkit-gtk until you keyword woff2, so I can re-add your ~arch keywords after new webkit is in tree (tomorrow-ish).
Comment 1 Larry the Git Cow gentoo-dev 2018-07-22 09:00:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f12fd4610318153546bc81fe2bb0d350dc5deb8b

commit f12fd4610318153546bc81fe2bb0d350dc5deb8b
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-22 08:39:08 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-22 09:00:03 +0000

    media-libs/woff2: keyworded 1.0.2 for sparc
    
    Bug: https://bugs.gentoo.org/661356
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 media-libs/woff2/woff2-1.0.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-07-22 19:09:02 UTC
~arm done
Comment 3 Mart Raudsepp gentoo-dev 2018-07-23 22:54:43 UTC
This is important for security due to dropped keywords in newer webkit-gtk version, which has security fixes, but requires woff2 here.

Feel free to restore your ~arch keywords on net-libs/webkit-gtk-2.20.3 as well while doing woff2. I'm not putting it in package list to avoid scaring arch testers away from this bug due to webkit-gtk showing up in the getatoms or other tooling.
If you don't notice to do that, I will do follow-up commits to webkit-gtk-2.20.x myself, that restore the keywords, but that will delay being security safe in ~arch until I notice (and it's ~arch only for most the architectures here, so it's important to have security safe version available...)
Comment 4 Larry the Git Cow gentoo-dev 2018-07-25 09:05:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7eca4d12e9d845bd3343771f32586aea3620fd8

commit a7eca4d12e9d845bd3343771f32586aea3620fd8
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2018-07-25 08:48:17 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2018-07-25 09:04:25 +0000

    media-libs/woff2: add Prefix keywords, bug #661356
    
    Bug: https://bugs.gentoo.org/661356
    Package-Manager: Portage-2.3.40.3-prefix, Repoman-2.3.9

 media-libs/woff2/woff2-1.0.2-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Fabian Groffen gentoo-dev 2018-07-25 09:06:03 UTC
prefix done
Comment 6 Carlos Konstanski 2018-07-26 14:54:30 UTC
The new ebuild has been incorrectly checksummed:

!!! Manifest verification failed:
Manifest mismatch for media-libs/woff2/Manifest
  __size__: expected: 904, have: 901
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-07-26 14:58:41 UTC
(In reply to Carlos Konstanski from comment #6)
> The new ebuild has been incorrectly checksummed:
> 
> !!! Manifest verification failed:
> Manifest mismatch for media-libs/woff2/Manifest
>   __size__: expected: 904, have: 901

That's a problem with your mirror.  Try syncing again after some time; if it happens again, report a bug.
Comment 8 Thomas Deutschmann gentoo-dev Security 2018-07-28 13:46:03 UTC
x86 keyworded
Comment 9 Sergei Trofimovich gentoo-dev 2018-08-02 22:26:31 UTC
~ppc64 keyworded
Comment 10 Sergei Trofimovich gentoo-dev 2018-08-12 18:29:50 UTC
~ppc keyworded
Comment 11 Mart Raudsepp gentoo-dev 2018-08-12 18:53:06 UTC
*** Bug 663174 has been marked as a duplicate of this bug. ***
Comment 12 Tobias Klausmann gentoo-dev 2018-08-13 08:15:50 UTC
Keyworded on ~alpha.
Comment 13 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-16 21:09:19 UTC
~amd64-fbsd done.
Comment 14 Mart Raudsepp gentoo-dev 2018-08-16 21:14:53 UTC
x86-fbsd is apparently completely stale, so considering this bug fixed.
Comment 15 Larry the Git Cow gentoo-dev 2018-09-08 09:22:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a753e52d96f72ab54bd959982e39b26fafd21076

commit a753e52d96f72ab54bd959982e39b26fafd21076
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2018-09-08 09:19:53 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2018-09-08 09:21:45 +0000

    app-text/dvisvgm: Restore keywords ia64 ppc ppc64 amd64-fbsd
    
    Bug: https://bugs.gentoo.org/663178
    Bug: https://bugs.gentoo.org/663174
    Bug: https://bugs.gentoo.org/661356
    Package-Manager: Portage-2.3.46, Repoman-2.3.10

 app-text/dvisvgm/dvisvgm-2.5.ebuild | 2 +-
 app-text/dvisvgm/dvisvgm-2.6.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)