GNU bug report logs - #27120
GraphicsMagick bundles libtiff, libpng, zlib, libxml2, and more


Package: guix

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 28 May 2017 20:24:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#27120; Package guix. (Sun, 28 May 2017 20:24:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 28 May 2017 20:24:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: GraphicsMagick bundles libtiff, libpng, zlib, libxml2, and more
Date: Sun, 28 May 2017 16:23:21 -0400
GraphicsMagick bundles a large number of 3rd party libraries.

We should unbundle and remove the ones that we can. For the rest, we
should try patching their vulnerabilities and leaving code comments
explaining the situation in the GraphicsMagick package definition.

Information forwarded to bug-guix <at> gnu.org:
bug#27120; Package guix. (Sun, 28 May 2017 21:27:01 GMT) Full text and rfc822 format available.

Message #8 received at 27120 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 27120 <at> debbugs.gnu.org
Subject: Re: GraphicsMagick bundles libtiff, libpng, zlib, libxml2, and more
Date: Sun, 28 May 2017 17:26:25 -0400
On Sun, May 28, 2017 at 04:23:21PM -0400, Leo Famulari wrote:
> GraphicsMagick bundles a large number of 3rd party libraries.
> 
> We should unbundle and remove the ones that we can. For the rest, we
> should try patching their vulnerabilities and leaving code comments
> explaining the situation in the GraphicsMagick package definition.

The GraphicsMagick release tarball doesn't include these bundled
libraries. They are only in the Mercurial checkout.

We did not have to adjust our package very much when switching from the
release tarballs to the Mercurial checkout, so they are probably not
used, and it should not be too hard to unbundle them.
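
One way to test the "probably not used" assumption in the message above, as an added example that is not part of the thread or of Guix: list which bundled directories remain in a source tree and which build files still name one as a path component. The function names, the sample tree and the choice of build files to scan are assumptions of this example; the directory names are the ones deleted by the patch in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Directory names are the ones the
# patch's snippet deletes from the GraphicsMagick Mercurial checkout.
BUNDLED="bzlib dcraw hp2xx jbig jp2 jpeg lcms libxml png ralcgm tiff ttf webp wmf xlib zlib"

# Print each bundled directory still present at the top level of tree $1.
remaining_bundled() {
    for d in $BUNDLED; do
        if [ -d "$1/$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Print build files under $1 that name a bundled directory as a path
# component ("zlib/"), i.e. places where the build could pick up the copy.
# Which file names count as build files is an assumption of this example.
build_references() {
    pattern=$(printf '%s' "$BUNDLED" | tr ' ' '|')
    find "$1" -type f \( -name 'Makefile.am' -o -name 'Makefile.in' \
        -o -name 'configure.ac' \) |
    while IFS= read -r f; do
        if grep -Eq "(^|[^A-Za-z0-9_])($pattern)/" "$f"; then
            printf '%s\n' "${f#"$1"/}"
        fi
    done | sort
}

# Succeed only when no bundled directory remains and nothing refers to one.
audit_unbundled() {
    [ -z "$(remaining_bundled "$1")" ] && [ -z "$(build_references "$1")" ]
}

# Constructed sample tree: two bundled copies, one build file that uses one.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/zlib" "$t/png" "$t/coders" "$t/magick"
    printf 'LIBS += $(top_srcdir)/zlib/libz.a\n' > "$t/Makefile.am"
    printf 'coders_SOURCES = png.c tiff.c\nLIBS += -lpng -ltiff\n' > "$t/coders/Makefile.am"
    printf '%s\n' "$t"
}

# Demo: audit before and after applying the same deletions as the snippet.
demo() {
    tree=$(make_sample_tree)
    remaining_bundled "$tree"; build_references "$tree"
    for d in $BUNDLED; do rm -rf "${tree:?}/$d"; done
    audit_unbundled "$tree" || echo "still referenced: $(build_references "$tree")"
    rm -rf "$tree"
}
demo
```

In the constructed tree the audit still fails after the directories are deleted, because a build file keeps pointing at the removed copy; on a real checkout that case would show up as a build failure rather than a silent use of bundled code.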

Information forwarded to bug-guix <at> gnu.org:
bug#27120; Package guix. (Sun, 28 May 2017 22:04:01 GMT) Full text and rfc822 format available.

Message #11 received at 27120 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 27120 <at> debbugs.gnu.org
Subject: [PATCH] gnu: graphicsmagick: Remove bundled libraries from source
 checkout.
Date: Sun, 28 May 2017 18:03:18 -0400
Fixes <https://bugs.gnu.org/27120>.

* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add a snippet
to delete bundled libraries.
[version]: Bump the package revision counter to 3.
---
 gnu/packages/imagemagick.scm | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index bde3ebe40..3f7d95c2e 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -163,7 +163,7 @@ script.")
 
 (define-public graphicsmagick
   (let ((changeset "6156b4c2992d855ece6079653b3b93c3229fc4b8") ; fix CVE-2017-6335
-        (revision "2"))
+        (revision "3"))
     (package
       (name "graphicsmagick")
       (version (string-append "1.3.25-" revision "."
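Review bot: the revision bump from "2" to "3" in the let binding happens while the changeset on the line above it is unchanged, so the package version string changes without any change in the upstream source it identifies. If the bump is meant to make the unbundled source show up as a new version, say so in the commit message; otherwise drop it and keep the revision tied to the changeset.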
@@ -180,7 +180,20 @@ script.")
                 ;;                    "/GraphicsMagick-" version ".tar.xz"))
                 (sha256
                  (base32
-                  "08yfsn8mrqkwpax43vv1crfr55rcf004wwpzsinr5c6m0asqr08b"))))
+                  "08yfsn8mrqkwpax43vv1crfr55rcf004wwpzsinr5c6m0asqr08b"))
+                (modules '((guix build utils)))
+                (snippet
+                 '(begin
+                    ;; Remove bundled software. This reduces the size of the
+                    ;; build source checkout from 177 MiB to 49 MiB. This should
+                    ;; not be necessary when using the GraphicsMagick release
+                    ;; tarball, because these files are not distributed there.
+                    (for-each delete-file-recursively '("bzlib" "dcraw" "hp2xx"
+                                                        "jbig" "jp2" "jpeg"
+                                                        "lcms" "libxml" "png"
+                                                        "ralcgm" "tiff" "ttf"
+                                                        "webp" "wmf" "xlib"
+                                                        "zlib"))))))
       (build-system gnu-build-system)
       (arguments
        `(#:configure-flags
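Review bot: the comment above for-each justifies the deletion only by checkout size (177 MiB to 49 MiB), and the sixteen directory names are a fixed list. Extend the comment to say that these are bundled third-party libraries removed so the build cannot use them, and that the list must be re-checked against the checkout whenever the changeset is updated, since a directory added upstream later would not be deleted by this snippet.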
-- 
2.13.0





Information forwarded to bug-guix <at> gnu.org:
bug#27120; Package guix. (Tue, 30 May 2017 15:09:01 GMT) Full text and rfc822 format available.

Message #14 received at 27120 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 27120 <at> debbugs.gnu.org
Subject: Re: bug#27120: [PATCH] gnu: graphicsmagick: Remove bundled libraries
 from source checkout.
Date: Tue, 30 May 2017 17:08:48 +0200
Leo Famulari <leo <at> famulari.name> wrote:

> Fixes <https://bugs.gnu.org/27120>.
>
> * gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add a snippet
> to delete bundled libraries.
> [version]: Bump the package revision counter to 3.

That was fast!

> +                (snippet
> +                 '(begin
> +                    ;; Remove bundled software. This reduces the size of the
> +                    ;; build source checkout from 177 MiB to 49 MiB. This should
> +                    ;; not be necessary when using the GraphicsMagick release
> +                    ;; tarball, because these files are not distributed there.
> +                    (for-each delete-file-recursively '("bzlib" "dcraw" "hp2xx"
> +                                                        "jbig" "jp2" "jpeg"
> +                                                        "lcms" "libxml" "png"
> +                                                        "ralcgm" "tiff" "ttf"
> +                                                        "webp" "wmf" "xlib"
> +                                                        "zlib"))))))

You can even remove ‘begin’.

LGTM, thank you!

Ludo’.




bug closed, send any further explanations to 27120 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Tue, 30 May 2017 17:35:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 28 Jun 2017 11:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 6 years and 302 days ago.
