Bug#874065: unrar-free: Should unrar-free be removed from the archive? Alternatives (libarchive) exists; unmaintained upstream

Salvatore Bonaccorso

Sep 2, 2017, 11:30:03 AM
Source: unrar-free
Severity: important

Hi

Given the discussion from
http://www.openwall.com/lists/oss-security/2017/08/20/1 (I filed
separate bugs about the individual issues), should unrar-free be
removed from unstable and thus not be included in buster?

This has the consequence that there are broken dependencies which
first need to be either resolved or removed as well:

----cut---------cut---------cut---------cut---------cut---------cut-----
dak rm --suite=sid -n -R unrar-free
Will remove the following packages from sid:

unrar-free | 1:0.0.1+cvs20140707-1 | source, hurd-i386
unrar-free | 1:0.0.1+cvs20140707-1+b2 | amd64, arm64, armel, armhf, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x

Maintainer: Ying-Chun Liu (PaulLiu) <pau...@debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
forensics-extra: forensics-extra
python-rarfile: python-rarfile
python3-rarfile

Dependency problem found.

----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore

Hugo Lefeuvre

Oct 5, 2017, 6:10:03 AM
Hi,

I have just uploaded python-rarfile 3.0-1, which drops the unrar-free
dependency.

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

Bastian Germann

Sep 24, 2021, 9:00:03 PM
On Mon, 16 Oct 2017 01:19:18 +0800 "Ying-Chun Liu (PaulLiu)" <pau...@debian.org> wrote:
> severity 874065 important
> Hi all,
>
> I've fixed the security issues that happened on unrar-free. Seems not hard.
> But as I explained before, I think programs should move to use unar if
> possible.
>
> But to me I think there are still many programs which depend on the
> command line unrar-nonfree tool, thus unrar-free is still needed for
> compatibility. I'm lowering the severity of this bug temporarily and
> will look at how many other programs still depend on unrar-nonfree.
>
> Yours Sincerely,
> Paul

Hi,

I have ported unrar-free to libarchive at https://gitlab.com/bgermann/unrar-free.
You can import that as a new upstream.

Thanks,
Bastian