orionbelt Apprentice
Joined: 05 Apr 2006 Posts: 178
Posted: Sun Jan 29, 2012 8:11 am Post subject: texlive blocks removal of freetype-1.4
Code:
% glsa-check -l
201201-09 [N] FreeType: Multiple vulnerabilities ( media-libs/freetype )
% glsa-check -d 201201-09
[...]
Resolution: All FreeType users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
">=media-libs/freetype-2.4.8"
[...]
% equery list media-libs/freetype
* Searching for freetype in media-libs ...
[IP-] [ ] media-libs/freetype-1.4_pre20080316-r2:1
[IP-] [ ] media-libs/freetype-2.4.8:2
% equery depends =media-libs/freetype-1.4_pre20080316-r2:1
* These packages depend on media-libs/freetype-1.4_pre20080316-r2:
app-text/texlive-2011 (truetype ? media-libs/freetype:1[kpathsea])
kde-base/okular-4.7.4 (media-libs/freetype)
net-im/skype-2.2.0.35-r1 (qt-static ? media-libs/freetype)
sci-geosciences/googleearth-5.1.3535.3218-r1 (x86 ? media-libs/freetype)
www-client/opera-11.61.1250 (media-libs/freetype)
x11-base/xorg-server-1.11.2-r2 (media-libs/freetype)
x11-libs/libXft-2.2.0 (media-libs/freetype)
My understanding from the above is that app-text/texlive is the only package that seems to require freetype version 1.
Is this a real requirement or just an oversight in texlive's ebuild?
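Added example (not part of the thread): the reading of the `equery depends` output in the post above, done as a small shell filter that reports only the reverse dependencies whose atom names the slot explicitly. The function names are hypothetical and the sample input is the output copied from the post; an atom without a slot, such as media-libs/freetype, matches any installed slot, so it does not hold freetype:1 in place.

```shell
#!/bin/sh
# slot_pinned_rdeps PKG SLOT
# Reads `equery depends` output on stdin, one line per reverse dependency:
#   category/pkg-version (useflag ? category/dep:slot[usedep])
# Prints each depending package whose atom for PKG pins SLOT.
slot_pinned_rdeps() {
    awk -v pkg="$1" -v slot="$2" '
        /^ *\*/ { next }                      # skip the "* These packages" header
        NF == 0 { next }                      # skip blank lines
        {
            rdep = $1                         # the depending package
            line = $0
            sub(/^[^(]*\(/, "", line)         # keep only the text inside ( ... )
            sub(/\)[^)]*$/, "", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                atom = tok[i]
                sub(/\[.*$/, "", atom)        # drop a USE dependency such as [kpathsea]
                sub(/^[<>=~!]+/, "", atom)    # drop a version operator if present
                tail = substr(atom, length(atom) - length(slot))
                if (index(atom, pkg) == 1 && tail == ":" slot) {
                    print rdep
                    break
                }
            }
        }'
}

# Sample input: the equery output quoted in the post above.
sample_equery_output() {
    cat <<'EOF'
 * These packages depend on media-libs/freetype-1.4_pre20080316-r2:
app-text/texlive-2011 (truetype ? media-libs/freetype:1[kpathsea])
kde-base/okular-4.7.4 (media-libs/freetype)
net-im/skype-2.2.0.35-r1 (qt-static ? media-libs/freetype)
sci-geosciences/googleearth-5.1.3535.3218-r1 (x86 ? media-libs/freetype)
www-client/opera-11.61.1250 (media-libs/freetype)
x11-base/xorg-server-1.11.2-r2 (media-libs/freetype)
x11-libs/libXft-2.2.0 (media-libs/freetype)
EOF
}

# Stand-alone run: prints the packages that pin slot 1.
sample_equery_output | slot_pinned_rdeps media-libs/freetype 1
```

On a live system the same filter can be fed directly: `equery depends =media-libs/freetype-1.4_pre20080316-r2:1 | slot_pinned_rdeps media-libs/freetype 1`.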
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Mon Jan 30, 2012 1:44 pm
It's a real requirement, as texlive needs the "ttf2*" utilities to use TrueType fonts (bug 342691). Texlive has not yet caught up with the times (see FreeType1 page).
Most people don't need TrueType fonts in LaTeX, so they would just disable the "truetype" USE flag for texlive.
_________________
Personal overlay | Simple backup scheme
orionbelt Apprentice
Joined: 05 Apr 2006 Posts: 178
Posted: Tue Jan 31, 2012 3:18 am
Thanks for the reply and for the pointers. I somehow missed this bug report. Even now, when I type "texlive freetype" on bugzilla I get "no bugs found"... Searching for "texlive" alone returns 15 bugs but not bug 342691! What was your magic?
Either way, would it not make more sense if portage, rather than the user, disabled truetype for texlive? Strictly speaking, it is not safe to have truetype functionality with texlive, should the default option not be the safe option? Then the few users who really need truetype can enable it at their own risk. But the way it now stands, unless someone runs glsa-check regularly (probably a small minority) they'll never know...
I wonder how binary distributions that don't give the choice to their users go about it, do they include freetype:1 despite the security risk or not?
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Tue Jan 31, 2012 4:58 am
orionbelt wrote: Thanks for the reply and for the pointers. I somehow missed this bug report. Even now, when I type "texlive freetype" on bugzilla I get "no bugs found"... Searching for "texlive" alone returns 15 bugs but not bug 342691! What was your magic?
To find closed bugs, prepend "ALL" to your search. There are other special tags as well; look in the Bugzilla documentation.
Quote: Either way, would it not make more sense if portage, rather than the user, disabled truetype for texlive? Strictly speaking, it is not safe to have truetype functionality with texlive, should the default option not be the safe option? Then the few users who really need truetype can enable it at their own risk. But the way it now stands, unless someone runs glsa-check regularly (probably a small minority) they'll never know...
I think that insecure packages should be masked, forcing users to acknowledge their status before using them. Moreover, packages that depend on them through a USE flag, like texlive, should have that USE flag disabled by default.
Quote: I wonder how binary distributions that don't give the choice to their users go about it, do they include freetype:1 despite the security risk or not?
Arch does not, according to their package database. Don't know about other distros.
orionbelt Apprentice
Joined: 05 Apr 2006 Posts: 178
Posted: Sat Feb 18, 2012 4:14 am
Thanks for the replies. I added a comment to bugzilla.