jasper: delete from nixpkgs. #82564
2e2ce27 to 4be2457
cc @peti to check my cabal2nix update.
Never mind,
4be2457 to a5c55dc
@danderson now that 20.03 is out this should be merged to master so that we stop shipping jasper with 20.09. Would you rebase your PR?
Pinging for rebase again.
Heard - thanks for the reminder. Doing this later tonight.
Jasper has been marked insecure for a while, and upstream has not been responsive to CVEs for over a year. Fixes #55388. Signed-off-by: David Anderson <dave@natulte.net>
a5c55dc to 3a38cef
Rebased. @ckauhaus @worldofpeace take a look, and trigger automation if any needs triggering?
Looks good to me! Can't run this now though.
Aaargh,
Probably need to drop this from cabal2nix https://github.com/NixOS/cabal2nix/blob/d3635a7eb003b08579ef41b7b41051699c369e85/src/Distribution/Nixpkgs/Haskell/FromCabal/License.hs#L112, and I think there needs to be some code added somewhere to not bring in
In my original change, I'd hand-edited the haskell nix files to clean that up as well, but was told to remove it and let haskell folks handle it downstream. Allegedly the package using jasper is already marked broken, so shouldn't be a huge deal in the interim? But I'm out of my depth here.
@danderson I opened NixOS/cabal2nix#469 and #97588
The issue originally linked in the package has been resolved since July, upstream have started being active again and the latest release is a mere 9 days old. Maybe this should be reverted and the package updated instead? https://github.com/jasper-software/jasper/releases/tag/version-2.0.20
Oh, awesome 👍
Motivation for this change
Fixes #55388.
JasPer is unmaintained upstream, and is accumulating unpatched CVEs. The maintainer has said to not expect improvement any time soon. Other distros have already removed this package.