Github messages for voidlinux
* [PR PATCH] lurch: revert patch from #26757
@ 2020-11-30 21:28 the-maldridge
  2020-11-30 21:43 ` Vaelatern
  2020-12-01  2:20 ` [PR PATCH] [Merged]: " the-maldridge
  0 siblings, 2 replies; 3+ messages in thread
From: the-maldridge @ 2020-11-30 21:28 UTC (permalink / raw)
  To: ml


There is a new pull request by the-maldridge against master on the void-packages repository

https://github.com/the-maldridge/void-packages revert-26757
https://github.com/void-linux/void-packages/pull/26843

lurch: revert patch from #26757
The patch was erroneously applied after a github user claimed it to be
a security issue, and later it was determined that this user was going
around tricking various projects into applying their patch that had
been explicitly declined by upstream (xsf/xeps#894).

There's probably a dialog to happen here around relative security of
accepting unverified patches in the name of 'security' but this is
neither the time nor the place.

A patch file from https://github.com/void-linux/void-packages/pull/26843.patch is attached

[-- Attachment #2: github-pr-revert-26757-26843.patch --]
[-- Type: text/x-diff, Size: 1394 bytes --]

From f1b0c673cf88c1ca68f82028c0f69b9d21549f11 Mon Sep 17 00:00:00 2001
From: Michael Aldridge <maldridge@VoidLinux.org>
Date: Mon, 30 Nov 2020 13:21:58 -0800
Subject: [PATCH] lurch: revert patch from #26757

The patch was erroneously applied after a github user claimed it to be
a security issue, and later it was determined that this user was going
around tricking various projects into applying their patch that had
been explicitly declined by upstream (xsf/xeps#894).

There's probably a dialog to happen here around relative security of
accepting unverified patches in the name of 'security' but this is
neither the time nor the place.
---
 srcpkgs/lurch/template | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/srcpkgs/lurch/template b/srcpkgs/lurch/template
index b5f1bd3e4d2..207c49d3ec5 100644
--- a/srcpkgs/lurch/template
+++ b/srcpkgs/lurch/template
@@ -1,7 +1,7 @@
 # Template file for 'lurch'
 pkgname=lurch
 version=0.6.8
-revision=3
+revision=4
 build_style=gnu-makefile
 make_use_env=yes
 hostmakedepends="cmake pkg-config"
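Review bot: The bump to revision=4 is needed and correct, but the commit message never says why a rebuild matters: revision 3 was built with the vsed edit to OMEMO_AES_GCM_IV_LENGTH applied, so installed binaries differ from upstream until they are replaced. One sentence stating that revision 3 shipped the modified constant would make the reason for the bump clear to anyone reading the history later.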
@@ -14,7 +14,3 @@ distfiles="https://github.com/gkdr/lurch/releases/download/v${version}/lurch-${v
 checksum=2e2447b5fe6b1ae4f08d8c79a2a846c70290685d6e338bf5ea8f59705bd2b19f
 
 LDFLAGS="-L${XBPS_CROSS_BASE}/usr/lib/purple-2"
-
-post_patch() {
-	vsed -e '/#define OMEMO_AES_GCM_IV_LENGTH/s/16/12/' -i lib/libomemo/src/libomemo.h
-}
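Review bot: Dropping post_patch() leaves nothing in the template that records why OMEMO_AES_GCM_IV_LENGTH stays at the value upstream ships, so the same vsed line could be resubmitted and accepted again on the same 'security' argument. A short comment above LDFLAGS that points at xsf/xeps#894, the reference the commit message already cites, would keep that context next to the code instead of only in the git log. The version and checksum lines are unchanged, which fits a packaging-only revert.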


* Re: lurch: revert patch from #26757
  2020-11-30 21:28 [PR PATCH] lurch: revert patch from #26757 the-maldridge
@ 2020-11-30 21:43 ` Vaelatern
  2020-12-01  2:20 ` [PR PATCH] [Merged]: " the-maldridge
  1 sibling, 0 replies; 3+ messages in thread
From: Vaelatern @ 2020-11-30 21:43 UTC (permalink / raw)
  To: ml


New comment by Vaelatern on void-packages repository

https://github.com/void-linux/void-packages/pull/26843#issuecomment-736074335

Comment:
We should not maintain patches that change functionality, and that go against [expressed upstream wishes](https://github.com/gkdr/libomemo/issues/24#issuecomment-735408224). Approved.

We have been known to accept security patches, referencing identical upstream commits or CVEs. We have been known to expedite upgrades when they include security fixes. Even if upstream chooses to be insecure by some measure, I think it is reasonable to let them.


* Re: [PR PATCH] [Merged]: lurch: revert patch from #26757
  2020-11-30 21:28 [PR PATCH] lurch: revert patch from #26757 the-maldridge
  2020-11-30 21:43 ` Vaelatern
@ 2020-12-01  2:20 ` the-maldridge
  1 sibling, 0 replies; 3+ messages in thread
From: the-maldridge @ 2020-12-01  2:20 UTC (permalink / raw)
  To: ml


There's a merged pull request on the void-packages repository

lurch: revert patch from #26757
https://github.com/void-linux/void-packages/pull/26843

Description:
The patch was erroneously applied after a github user claimed it to be
a security issue, and later it was determined that this user was going
around tricking various projects into applying their patch that had
been explicitly declined by upstream (xsf/xeps#894).

There's probably a dialog to happen here around relative security of
accepting unverified patches in the name of 'security' but this is
neither the time nor the place.

