Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#63649 - [gummi] issues due to packaging GTK3 fork instead of the original GTK2 project
Attached to Project:
Community Packages
Opened by alexm (alexandervdm) - Wednesday, 04 September 2019, 08:53 GMT
Last edited by Alexander F. Rødseth (xyproto) - Wednesday, 04 September 2019, 20:58 GMT
Details
Description:
Arch has chosen to package an unmaintained unofficial (gtk3) fork [1] of Gummi instead of the official releases [2] that is currently still on gtk2.

The unofficial 0.7.4 version that is being offered by Arch suffers among other things from:
* CVE-2015-7758 [3]
* Clicking "Project" and then "Open Project" results in segfault [4]

The last time this was reported in March of 2016 [5], this change was reverted, but for some reason the unofficial fork got packaged again in February of 2018.

[1] https://github.com/aitjcize/Gummi
[2] https://github.com/alexandervdm/gummi
[3] https://nvd.nist.gov/vuln/detail/CVE-2015-7758
[4] https://github.com/alexandervdm/gummi/issues/112
[5] https://bugs.archlinux.org/task/48495
Closed by Alexander F. Rødseth (xyproto)
Wednesday, 04 September 2019, 20:58 GMT
Reason for closing: Fixed
There are hundreds of gtk2 applications in the official repos and zero plans to drop them. Any problems that Wayland users have will be seen in significant parts of the distribution already. There is zero rationale to go outside of upstream for this.
There is no "gtk3 version", to compare "the gtk2 version" to. There is only "the project", and "something that isn't the project, doesn't work like the project does, has security vulnerabilities the project does, and segfaults".
Tagged as a security issue, because that is what it is.
Eli, sometimes it makes sense to use forks, but I agree with you here. If the original code is maintained, but this fork is not, it makes sense to switch back to the original code.
I'm planning to switch back to the original sources (and also test if it works with Sway/Wayland).
Whenever the page will be up, you can check and improve later