[Pidgin] #15285: libxml2 library out of date

Pidgin trac at pidgin.im
Thu Sep 27 01:18:08 EDT 2012


#15285: libxml2 library out of date
----------------------+------------------------------
 Reporter:  ioerror   |       Owner:  datallah
     Type:  defect    |      Status:  closed
Milestone:  2.10.7    |   Component:  winpidgin (gtk)
  Version:  2.10.6    |  Resolution:  fixed
 Keywords:  security  |
----------------------+------------------------------

Comment (by datallah):

 Replying to [comment:4 ioerror]:
 > Replying to [comment:3 datallah]:
 > > Replying to [comment:2 ioerror]:
 > > > If a vulnerability was found tomorrow in any or all of those
 > > > libraries - how would these get updated?
 > >
 > > I worked with Dieter to figure out how this stuff is built, and I was
 > > able to build these myself (I did end up using Dieter's binaries though).
 > >
 >
 > Wouldn't it be best if Pidgin offered them from the SourceForge mirror
 > directly?

 We could host them ourselves; we wouldn't put them on SF, I think we could
 just serve them from developer.pidgin.im (these aren't downloaded all that
 much).  The gnome server has been reliable, so it hasn't been necessary.
 I do keep a backup copy of everything we've used in case the gnome site
 were to go down.

 > It would be pretty great if building pidgin for any platform was a
 > single checkout, a single tar.gz or some hybrid of source/binary
 > components only from the pidgin team.

 There used to be a "Build Environment Fetcher" script that would set up a
 working build environment in an automated fashion, but it got out of date
 and nobody stepped up to maintain it.  One of the complications is that
 these days Apple makes it a huge pain to download the Bonjour SDK
 installer (even though the stuff in it is 3-clause BSD licensed).

 I'm certainly not opposed to making it easier for people to build pidgin
 on Windows, but it is possible to do relatively easily if you follow the
 instructions, so changing it is low on my priority list.

 In a related matter, one of the things I'm working on is making it so that
 the dependency downloads can be verified to some extent (either with a GPG
 signature where possible, or at least with a sha1sum when no signature is
 available).

 >
 > > The build process is documented at
 > > https://github.com/dieterv/legacynativebuilds/ (it does require jumping
 > > through some hoops to get the initial setup).
 >
 > Heh. I'm not sure that I'd call that documented but I appreciate that it
 > seems to be collected in one place. Looking at that git repo, I have no
 > idea where to start - a README would probably be orienting. :)

 Yeah, it isn't easy to follow - it's mostly just a commit of the former
 maintainer's development environment.  The text files in the root
 directory are emails between Dieter and the original maintainer and
 contain enough information to get it working.

 >
 > It would be interesting if dieterv hosted the built files on gnome.org,
 > so we'd know the genesis of the hashes in pidgin.

 The latest files are actually hosted on gnome.org along with their
 signatures (Dieter's key hash (`0x71D4DDE53F188CBE`) isn't posted anywhere
 publicly yet - he's planning to do so on the gtk download page when he
 finishes his set of updates):
 http://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/?C=M;O=D

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15285#comment:5>
Pidgin <http://pidgin.im>
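The verification datallah describes above (a GPG signature where one is published, otherwise a pinned checksum) as an added POSIX shell example; this is not Pidgin's build tooling, and the function names `digest` and `verify_dependency`, the `.asc` and `.rejected` naming, and the sample file are assumptions made here.

```shell
#!/bin/sh
# Added example, not Pidgin project code: gate a downloaded build dependency
# on a pinned digest and, when a detached signature (FILE.asc) exists and
# gpg is installed, on that signature as well. Exit status 0 means every
# available check passed; anything else means the file must not be used.

# digest FILE ALGO -> hex digest on stdout (ALGO: sha1 or sha256)
digest() {
    if command -v "${2}sum" >/dev/null 2>&1; then
        "${2}sum" "$1" | cut -d' ' -f1          # coreutils: sha1sum/sha256sum
    else
        shasum -a "${2#sha}" "$1" | cut -d' ' -f1   # fallback for BSD/macOS
    fi
}

# verify_dependency FILE EXPECTED_DIGEST [ALGO] [KEYRING]
# A file whose digest does not match is moved aside to FILE.rejected so a
# later build step cannot pick it up by accident.
verify_dependency() {
    file=$1; expected=$2; algo=${3:-sha1}; keyring=$4
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    actual=$(digest "$file" "$algo")
    if [ "$actual" != "$expected" ]; then
        echo "$file: $algo mismatch (got $actual, want $expected)" >&2
        mv -f "$file" "$file.rejected"
        return 1
    fi

    # Signature check only where the upstream publishes one; the keyring
    # should hold just the publisher's key so a stray key cannot satisfy it.
    if [ -f "$file.asc" ] && command -v gpg >/dev/null 2>&1; then
        if [ -n "$keyring" ]; then
            gpg --no-default-keyring --keyring "$keyring" \
                --verify "$file.asc" "$file" 2>/dev/null || return 1
        else
            gpg --verify "$file.asc" "$file" 2>/dev/null || return 1
        fi
    fi
    return 0
}
```

The digest is the cheap check that always runs; the signature binds the file to a publisher's key, which is what a published key fingerprint (as discussed for Dieter's key) makes auditable.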
