| View previous topic :: View next topic |
| Author |
Message |
Spargeltarzan
Guru
Joined: 23 Jul 2017
Posts: 317
|
 Posted: Sun Nov 19, 2017 11:08 pm Post subject: [SOLVED] GLSA - Gnome 3.26 depends on Webkit-GTK 2.4.11 |
 |
|
Hi,
I recently installed Gnome 3.26 (dantrell, openrc) and realised that the instant messenger becomes installed by gnome-core-apps. Empathy depends on Webkit-GTK 2.4.11-r2 with GLSA
-) 201706-15 [N] WebKitGTK+: Multiple vulnerabilities ( net-libs/webkit-gtk )
-) 201709-03 [N] WebKitGTK+: Multiple vulnerabilities ( net-libs/webkit-gtk )
With Gnome 3.22 and 3.24 empathy wasn't a dependency.
Someone experienced the same and found a way how to fix it?
Regards
Spargeltarzan
Last edited by Spargeltarzan on Tue Nov 21, 2017 5:22 pm; edited 1 time in total |
|
| Back to top |
|
 |
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA
|
| Posted: Mon Nov 20, 2017 12:43 am Post subject: |
|
|
This post should belong in the "unsupported" forum as Gnome 3.26 isn't part of mainline yet.
You should ask dantrell to remove empathy from the dependency list if the overlay is telling your machine to install empathy.
There are other things that use webkit-gtk however, I'm not sure if any others require that specific version of webkit-gtk.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
Spargeltarzan
Guru
Joined: 23 Jul 2017
Posts: 317
|
| Posted: Mon Nov 20, 2017 2:14 pm Post subject: |
|
|
in my setup only empathy pulls the outdated webkit-gtk.
wrote a message to dantrell. |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9677
Location: almost Mile High in the USA
|
| Posted: Mon Nov 20, 2017 6:03 pm Post subject: |
|
|
For now you can hack the ebuild to remove empathy from gnome-core-apps, but I think you should be OK - it sounds like you don't use empathy, as long at it's not running, you're safe in terms of the GLSA. You could just force emerge --unmerge it too, but it will come back without the ebuild change.
I would not hack the ebuild because you're already working with an overlay. Hacking the ebuild is just another overlay over an overlay and that's a recipe for losing track of hacked ebuilds...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
dantrell
l33t
Joined: 01 Jun 2007
Posts: 915
Location: Earth
|
| Posted: Tue Nov 21, 2017 2:30 pm Post subject: |
|
|
| Spargeltarzan wrote: | | With Gnome 3.22 and 3.24 empathy wasn't a dependency. |
GNOME as provided by Gentoo and GNOME as provided by the GNOME Without System project are not the same.
In relation to Empathy, Gentoo dropped it as a dependency from GNOME at some point whereas the GNOME Without System project has carried it as a dependency since GNOME 3.12.
| Spargeltarzan wrote: | | Someone experienced the same and found a way how to fix it? |
| eccerr0r wrote: | | You should ask dantrell to remove empathy from the dependency list if the overlay is telling your machine to install empathy. |
| Spargeltarzan wrote: | | in my setup only empathy pulls the outdated webkit-gtk. |
| eccerr0r wrote: | | For now you can hack the ebuild to remove empathy from gnome-core-apps, but I think you should be OK - it sounds like you don't use empathy, as long at it's not running, you're safe in terms of the GLSA. You could just force emerge --unmerge it too, but it will come back without the ebuild change. |
There are two issues here:
1. Empathy is pulling in WebKitGTK+ 2.4.11 which fails the GLSA check
2. Empathy is not optional
To resolve this, I:
1. Backported support for the most recent version of WebKitGTK+ as appliacable
2. Moved net-im/empathy to gnome-base/gnome-extra-app where it can be managed through the empathy USE flag alongside others.
| eccerr0r wrote: | | There are other things that use webkit-gtk however, I'm not sure if any others require that specific version of webkit-gtk. |
This is correct, but it's very few (~16 packages between GNOME 3.14 and 3.22). I have been dealing when them as I get to them.
Right now, GNOME 3.24 & 3.26 are free of WebKitGTK+ 2.4.11.
On that note, there are other packages provided by the GNOME Without System project that will fail GLSA check, however, in many cases, I have already patched the related CVEs.
| eccerr0r wrote: | | I would not hack the ebuild because you're already working with an overlay. Hacking the ebuild is just another overlay over an overlay and that's a recipe for losing track of hacked ebuilds... |
Yeah, don't do this. Just give me a heads up.
| Spargeltarzan wrote: | | wrote a message to dantrell. |
Anyway, thank you for patience. Your issue was actually easy to resolve but it prompted me to review some other matters and I wanted to implement all of the changes together.
Sync up and you should be good to go. 
_________________
Dantrell B. |
|
| Back to top |
|
|
Spargeltarzan
Guru
Joined: 23 Jul 2017
Posts: 317
|
| Posted: Tue Nov 21, 2017 5:21 pm Post subject: |
|
|
Hi,
Oh wow, you fixed this really fast!!  I just updated and the GLSA is resolved.
Thank you for your great encouragement and making GNOME without systemd possible!!! |
|
| Back to top |
|
|
|
Unsupported Software
