Discussion:
gnucash [aur]->[community]?
(too old to reply)
Ido Rosen
2017-10-10 19:49:27 UTC
Permalink
Raw Message
Gnucash has 44 votes on AUR. It's useful (and very old, stable)
accounting/bookkeeping software. Would any TUs be willing to migrate it
from AUR to [community]?

https://aur.archlinux.org/packages/gnucash/
Morten Linderud
2017-10-10 19:57:04 UTC
Permalink
Raw Message
Post by Ido Rosen
Gnucash has 44 votes on AUR. It's useful (and very old, stable)
accounting/bookkeeping software. Would any TUs be willing to migrate it
from AUR to [community]?
https://aur.archlinux.org/packages/gnucash/
It was moved from [extra] on the 30th of june because it still depends on
webkitgtk2, which is flawed and has multiple security issues.
--
Morten Linderud

PGP: 9C02FF419FECBE16
Eric Blau
2017-10-10 20:34:35 UTC
Permalink
Raw Message
Post by Morten Linderud
Post by Ido Rosen
Gnucash has 44 votes on AUR. It's useful (and very old, stable)
accounting/bookkeeping software. Would any TUs be willing to migrate it
from AUR to [community]?
https://aur.archlinux.org/packages/gnucash/
It was moved from [extra] on the 30th of june because it still depends on
webkitgtk2, which is flawed and has multiple security issues.
While it is true that webkitgtk2 has security vulnerabilities and
should not be used for web browsing, web apps, etc., gnucash merely
uses it to generate reports based on your own data. As such, it's
likely not vulnerable to the same security issues as other web
applications based on it.

I know the developers are in the process of migrating away from it,
but until that time, I think it should be supported and not dropped
for the above reason.

Regards,
Eric
Morten Linderud
2017-10-10 20:45:31 UTC
Permalink
Raw Message
Post by Eric Blau
Post by Morten Linderud
Post by Ido Rosen
Gnucash has 44 votes on AUR. It's useful (and very old, stable)
accounting/bookkeeping software. Would any TUs be willing to migrate it
from AUR to [community]?
https://aur.archlinux.org/packages/gnucash/
It was moved from [extra] on the 30th of june because it still depends on
webkitgtk2, which is flawed and has multiple security issues.
While it is true that webkitgtk2 has security vulnerabilities and
should not be used for web browsing, web apps, etc., gnucash merely
uses it to generate reports based on your own data. As such, it's
likely not vulnerable to the same security issues as other web
applications based on it.
I know the developers are in the process of migrating away from it,
but until that time, I think it should be supported and not dropped
for the above reason.
webkitgtk2 would have do be added back to the repos for this to happen, and that
won't happen. It was a big deal to remove it in the first place.

https://www.archlinux.org/todo/phasing-out-webkitgtk2/
--
Morten Linderud

PGP: 9C02FF419FECBE16
Eric Blau
2017-10-10 21:01:33 UTC
Permalink
Raw Message
Post by Morten Linderud
Post by Eric Blau
While it is true that webkitgtk2 has security vulnerabilities and
should not be used for web browsing, web apps, etc., gnucash merely
uses it to generate reports based on your own data. As such, it's
likely not vulnerable to the same security issues as other web
applications based on it.
I know the developers are in the process of migrating away from it,
but until that time, I think it should be supported and not dropped
for the above reason.
webkitgtk2 would have do be added back to the repos for this to happen, and that
won't happen. It was a big deal to remove it in the first place.
https://www.archlinux.org/todo/phasing-out-webkitgtk2/
OK, thanks for the response. It's a shame that gnucash is lumped with
other packages with real attacks possible against them, but I
understand why it had to be done. Hopefully gnucash can migrate off
webkitgtk2 quickly and make it back in to the repos.

-Eric
Ryan Petris via arch-general
2017-10-11 22:39:39 UTC
Permalink
Raw Message
Gnucash 2.7.0 uses webkit2gtk for non-windows builds, though it's
"unstable". I'd imagine it could get moved back to community after that
version is stable.

https://github.com/Gnucash/gnucash/commit/0004a44f5f188d910cf7ab155ed1f0ce7fa1949a
Post by Eric Blau
Post by Morten Linderud
Post by Eric Blau
While it is true that webkitgtk2 has security vulnerabilities and
should not be used for web browsing, web apps, etc., gnucash merely
uses it to generate reports based on your own data. As such, it's
likely not vulnerable to the same security issues as other web
applications based on it.
I know the developers are in the process of migrating away from it,
but until that time, I think it should be supported and not dropped
for the above reason.
webkitgtk2 would have do be added back to the repos for this to happen, and that
won't happen. It was a big deal to remove it in the first place.
https://www.archlinux.org/todo/phasing-out-webkitgtk2/
OK, thanks for the response. It's a shame that gnucash is lumped with
other packages with real attacks possible against them, but I
understand why it had to be done. Hopefully gnucash can migrate off
webkitgtk2 quickly and make it back in to the repos.
-Eric
Antonio Rojas
2017-10-10 19:58:34 UTC
Permalink
Raw Message
Post by Ido Rosen
Gnucash has 44 votes on AUR. It's useful (and very old, stable)
accounting/bookkeeping software. Would any TUs be willing to migrate it
from AUR to [community]?
https://aur.archlinux.org/packages/gnucash/
Not until it is ported away from webkitgtk, which is why it was dropped in the first place
Loading...