[Buildroot] [PATCH] cups: deprecate package due to security issues

[Buildroot] [PATCH] cups: deprecate package due to security issues

[Gustavo Zacarias]

Also mark packages that depend on cups as deprecated as well for easier
tracking.

It would probably be better to mark it as a legacy option so users get a
warning when migrating configuration files, but it would require a
direct removal for that.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/cups/Config.in             | 2 ++
 package/foomatic-filters/Config.in | 2 ++
 package/gutenprint/Config.in       | 2 ++
 package/hplip/Config.in            | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/package/cups/Config.in b/package/cups/Config.in
index ea1f003..8e60221 100644
--- a/package/cups/Config.in
+++ b/package/cups/Config.in
@@ -1,5 +1,7 @@
 config BR2_PACKAGE_CUPS
 	bool "cups"
+	# serious security issues, needs upgrading
+	depends on BR2_DEPRECATED_SINCE_2015_05
 	# needs fork()
 	depends on BR2_USE_MMU
 	help
diff --git a/package/foomatic-filters/Config.in b/package/foomatic-filters/Config.in
index 377566e..158bf44 100644
--- a/package/foomatic-filters/Config.in
+++ b/package/foomatic-filters/Config.in
@@ -1,4 +1,6 @@
 comment "foomatic-filters needs a toolchain w/ threads"
+	# because of cups security issues
+	depends on BR2_DEPRECATED_SINCE_2015_05
 	depends on BR2_PACKAGE_CUPS
 	depends on !BR2_TOOLCHAIN_HAS_THREADS
 
diff --git a/package/gutenprint/Config.in b/package/gutenprint/Config.in
index f93717c..686dbce 100644
--- a/package/gutenprint/Config.in
+++ b/package/gutenprint/Config.in
@@ -1,5 +1,7 @@
 config BR2_PACKAGE_GUTENPRINT
 	bool "gutenprint"
+	# because of cups security issues
+	depends on BR2_DEPRECATED_SINCE_2015_05
 	depends on BR2_INSTALL_LIBSTDCPP
 	depends on BR2_PACKAGE_CUPS
 	select BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE
diff --git a/package/hplip/Config.in b/package/hplip/Config.in
index 7565671..a8a5f69 100644
--- a/package/hplip/Config.in
+++ b/package/hplip/Config.in
@@ -1,5 +1,7 @@
 config BR2_PACKAGE_HPLIP
 	bool "hplip"
+	# because of cups security issues
+	depends on BR2_DEPRECATED_SINCE_2015_05
 	depends on BR2_INSTALL_LIBSTDCPP
 	depends on BR2_PACKAGE_CUPS
 	depends on BR2_TOOLCHAIN_HAS_THREADS # libusb
-- 
2.0.5

[Buildroot] [PATCH] cups: deprecate package due to security issues

[Thomas Petazzoni]

Dear Gustavo Zacarias,

On Fri,  6 Mar 2015 10:39:24 -0300, Gustavo Zacarias wrote:
> Also mark packages that depend on cups as deprecated as well for easier
> tracking.
> 
> It would probably be better to mark it as a legacy option so users get a
> warning when migrating configuration files, but it would require a
> direct removal for that.
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
>  package/cups/Config.in             | 2 ++
>  package/foomatic-filters/Config.in | 2 ++
>  package/gutenprint/Config.in       | 2 ++
>  package/hplip/Config.in            | 2 ++
>  4 files changed, 8 insertions(+)
> 
> diff --git a/package/cups/Config.in b/package/cups/Config.in
> index ea1f003..8e60221 100644
> --- a/package/cups/Config.in
> +++ b/package/cups/Config.in
> @@ -1,5 +1,7 @@
>  config BR2_PACKAGE_CUPS
>  	bool "cups"
> +	# serious security issues, needs upgrading
> +	depends on BR2_DEPRECATED_SINCE_2015_05
>  	# needs fork()
>  	depends on BR2_USE_MMU
>  	help
> diff --git a/package/foomatic-filters/Config.in b/package/foomatic-filters/Config.in
> index 377566e..158bf44 100644
> --- a/package/foomatic-filters/Config.in
> +++ b/package/foomatic-filters/Config.in
> @@ -1,4 +1,6 @@
>  comment "foomatic-filters needs a toolchain w/ threads"
> +	# because of cups security issues
> +	depends on BR2_DEPRECATED_SINCE_2015_05

Any reason why this is done on the comment only, and not on the package
itself?

Other than that, I'd personally be in favor of this deprecation.
Hopefully it will encourage someone to step up and upgrade cups.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH] cups: deprecate package due to security issues

[Gustavo Zacarias]

On 03/06/2015 11:09 AM, Thomas Petazzoni wrote:
> Any reason why this is done on the comment only, and not on the package
> itself?
> 
> Other than that, I'd personally be in favor of this deprecation.
> Hopefully it will encourage someone to step up and upgrade cups.

I just used it as a mark for when/if removing it, since they all depend
on BR2_PACKAGE_CUPS being selected, not needed really.
Ideally something like BR2_LEGACY would be best for the users to get a
big warning, problem is that introducing it for just one package isn't
very useful, and it would set a precedent for other packages to lag
behind as well.
Regards.

[Buildroot] Adding deprecated packages to legacy [was: cups: deprecate package due to security issues]

[Arnout Vandecappelle]

On 06/03/15 14:39, Gustavo Zacarias wrote:
> It would probably be better to mark it as a legacy option so users get a
> warning when migrating configuration files, but it would require a
> direct removal for that.

 Good point! The legacy handling was added to avoid that selected config options
silently disappear when upgrading, but that's exactly what happens with the
deprecation!

 Technically it will be a bit difficult to implement, however. But perhaps
that's just because it's already late and my brain is turned off :-)

 Regards,
 Arnout

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

[Buildroot] [PATCH] cups: deprecate package due to security issues

[Thomas Petazzoni]

Dear Gustavo Zacarias,

On Fri,  6 Mar 2015 10:39:24 -0300, Gustavo Zacarias wrote:
> Also mark packages that depend on cups as deprecated as well for easier
> tracking.
> 
> It would probably be better to mark it as a legacy option so users get a
> warning when migrating configuration files, but it would require a
> direct removal for that.
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com