Gentoo Forums
texlive blocks removal of freetype-1.4
orionbelt
Apprentice

Joined: 05 Apr 2006
Posts: 178

Posted: Sun Jan 29, 2012 8:11 am    Post subject: texlive blocks removal of freetype-1.4

Code:
% glsa-check -l
201201-09 [N] FreeType: Multiple vulnerabilities ( media-libs/freetype )

% glsa-check -d 201201-09
[...]
Resolution:        All FreeType users should upgrade to the latest version:
                   # emerge --sync
                   # emerge --ask --oneshot --verbose
                   ">=media-libs/freetype-2.4.8"
[...]

% equery list media-libs/freetype
 * Searching for freetype in media-libs ...
[IP-] [  ] media-libs/freetype-1.4_pre20080316-r2:1
[IP-] [  ] media-libs/freetype-2.4.8:2

% equery depends =media-libs/freetype-1.4_pre20080316-r2:1
 * These packages depend on media-libs/freetype-1.4_pre20080316-r2:
app-text/texlive-2011 (truetype ? media-libs/freetype:1[kpathsea])
kde-base/okular-4.7.4 (media-libs/freetype)
net-im/skype-2.2.0.35-r1 (qt-static ? media-libs/freetype)
sci-geosciences/googleearth-5.1.3535.3218-r1 (x86 ? media-libs/freetype)
www-client/opera-11.61.1250 (media-libs/freetype)
x11-base/xorg-server-1.11.2-r2 (media-libs/freetype)
x11-libs/libXft-2.2.0 (media-libs/freetype)


My understanding from the above is that app-text/texlive is the only package that seems to require freetype version 1.

Is this a real requirement or just an oversight in texlive's ebuild?
Hypnos
Advocate

Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

Posted: Mon Jan 30, 2012 1:44 pm

It's a real requirement, as texlive needs the "ttf2*" utilities to use TrueType fonts (bug 342691). Texlive has not yet caught up with the times (see FreeType1 page).

Most people don't need TrueType fonts in LaTeX, so they would just disable the "truetype" USE flag for texlive.
_________________
Personal overlay | Simple backup scheme
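
The distinction this answer rests on, that only texlive names slot 1 of freetype and only when `truetype` is set, can be read mechanically from the `equery depends` output in the first post. The following is an added example, not part of the original thread; the function names are hypothetical and the sample is constructed from lines of that output.

```shell
#!/bin/sh
# Added example: find which dependents pin a given slot of a package in
# `equery depends` output, and which USE flag pulls that dependency in.

# Constructed sample: a subset of the `equery depends` lines from the first post.
sample_depends() {
cat <<'EOF'
 * These packages depend on media-libs/freetype-1.4_pre20080316-r2:
app-text/texlive-2011 (truetype ? media-libs/freetype:1[kpathsea])
kde-base/okular-4.7.4 (media-libs/freetype)
net-im/skype-2.2.0.35-r1 (qt-static ? media-libs/freetype)
x11-libs/libXft-2.2.0 (media-libs/freetype)
EOF
}

# slot_pinned PKG SLOT: read `equery depends` lines on stdin and print
# "category/name-version useflag" for each dependent whose atom is PKG:SLOT.
# useflag is "-" when the dependency is unconditional.
slot_pinned() {
    awk -v atom="$1:$2" '
    {
        dep = $0
        sub(/^[^(]*\(/, "", dep)       # keep only the text inside ( ... )
        sub(/\)[ \t]*$/, "", dep)
        flag = "-"
        if (match(dep, /^[^ ]+ \? /)) {   # "flag ? atom" conditional
            flag = substr(dep, 1, RLENGTH - 3)
            dep = substr(dep, RLENGTH + 1)
        }
        sub(/\[.*$/, "", dep)          # drop USE deps such as [kpathsea]
        if (dep == atom) print $1, flag
    }'
}

# package_use_lines: turn slot_pinned output into package.use entries that
# disable the flag. The version is stripped with a simple heuristic: cut at
# the first "-" that is followed by a digit.
package_use_lines() {
    awk '$2 != "-" {
        pkg = $1
        sub(/-[0-9].*$/, "", pkg)
        print pkg " -" $2
    }'
}

# Prints: app-text/texlive -truetype
sample_depends | slot_pinned media-libs/freetype 1 | package_use_lines
```

The printed line is in the format Portage reads from `/etc/portage/package.use`. Once texlive has been rebuilt without the flag, `emerge --depclean` can remove `media-libs/freetype:1` and `glsa-check -t 201201-09` re-tests the system against the advisory.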
orionbelt
Apprentice

Joined: 05 Apr 2006
Posts: 178

Posted: Tue Jan 31, 2012 3:18 am

Thanks for the reply and for the pointers. I somehow missed this bug report. Even now, when I type "texlive freetype" on bugzilla I get "no bugs found"... Searching for "texlive" alone returns 15 bugs but not bug 342691! What was your magic? :)

Either way, would it not make more sense if portage, rather than the user, disabled truetype for texlive? Strictly speaking, it is not safe to have truetype functionality with texlive, should the default option not be the safe option? Then the few users who really need truetype can enable it at their own risk. But the way it now stands, unless someone runs glsa-check regularly (probably a small minority) they'll never know...

I wonder how binary distributions that don't give the choice to their users go about it, do they include freetype:1 despite the security risk or not?
Hypnos
Advocate

Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

Posted: Tue Jan 31, 2012 4:58 am

orionbelt wrote:
Thanks for the reply and for the pointers. I somehow missed this bug report. Even now, when I type "texlive freetype" on bugzilla I get "no bugs found"... Searching for "texlive" alone returns 15 bugs but not bug 342691! What was your magic? :)

To find closed bugs, prepend "ALL" to your search. There are other special tags as well; look in the Bugzilla documentation.

Quote:
Either way, would it not make more sense if portage, rather than the user, disabled truetype for texlive? Strictly speaking, it is not safe to have truetype functionality with texlive, should the default option not be the safe option? Then the few users who really need truetype can enable it at their own risk. But the way it now stands, unless someone runs glsa-check regularly (probably a small minority) they'll never know...

I think that insecure packages should be masked, forcing users to acknowledge their status before using them. Moreover, packages that depend on them through a USE flag, like texlive, should have that USE flag disabled by default.

Quote:
I wonder how binary distributions that don't give the choice to their users go about it, do they include freetype:1 despite the security risk or not?

Arch does not, according to their package database. Don't know about other distros.
_________________
Personal overlay | Simple backup scheme
orionbelt
Apprentice

Joined: 05 Apr 2006
Posts: 178

Posted: Sat Feb 18, 2012 4:14 am

Thanks for the replies. I added a comment to bugzilla.