Package Details: guitarix-git 0.35.5.r2.g07625ed7-1

Git Clone URL: https://aur.archlinux.org/guitarix-git.git (read-only)
Package Base: guitarix-git
Description: A virtual guitar amplifier for Linux
Upstream URL: http://guitarix.sourceforge.net
Keywords: Amplifier Audio Guitar LV2 Simulation Tube
Licenses: GPL
Conflicts: guitarix, guitarix2, gx_head
Provides: guitarix, guitarix2, gx_head
Submitter: None
Maintainer: Gimmeapill
Last Packager: Gimmeapill
Votes: 10
Popularity: 0.000728
First Submitted: 2012-04-13 09:51
Last Updated: 2017-07-24 20:52

Latest Comments

Gimmeapill commented on 2017-07-21 09:31

Gents, it looks like there's some trouble ahead, possibly related to an ffmpeg or gcc update: https://linuxmusicians.com/viewtopic.php?f=24&t=17329&p=83295#p83295

In case you notice unexpected sound changes with the latest builds, edit the pkgbuild and replace "--convolver-ffmpeg" with "--includeconvolver" (to bypass the Arch ffmpeg package). The AUR pkgbuild might be updated accordingly once we know more.

Gimmeapill commented on 2017-07-10 17:43

@SpotlightKid: Thanks for the heads up, I'll update shortly.

SpotlightKid commented on 2017-07-10 16:12

It seems the '--no-webkit' waf configure flag has been removed again already.

Gimmeapill commented on 2017-07-02 20:00

Hi Ralf, thanks for following up upstream, I was away for a few days.
The pkgbuild is now updated to explicitly disable webkit with the "--no-webkit" flag even if webkitgtk2 is found on the system.
This should clear security concerns.
Not being able to download online presets from within guitarix is indeed an acceptable tradeoff until Hermann decides on a long term fix.

BR,

LX

Ralf_Mardorf commented on 2017-07-01 19:28

Upstream added a "--no-webkit" configuration flag. If you should insist on a hard dependency against webkitgtk2, at least consider adding a commented out "--no-webkit" option.

Unfortunately making it an optional dependency, still would require to make it a build dependency ;).

Uncommenting the webkit flag still would require to remove it manually from the dependency list, but the commented out option at least would call attention.

Ralf_Mardorf commented on 2017-07-01 18:42

Update:

[rocketmouse@archlinux ~]$ sudo pacman -Rss gambas3-gb-qt4-webkit qtwebkit webkitgtk webkitgtk2 typhoon wxsvg dvdstyler xombrero
[sudo] password for rocketmouse:
checking dependencies...

Packages (10) ffmpeg0.10-0.10.16-3 xmlto-0.0.28-1 dvdstyler-3.0.3-1 gambas3-gb-qt4-webkit-3.9.2-1
qtwebkit-2.3.4-5 typhoon-0.8.94-2 webkitgtk-2.4.11-6 webkitgtk2-2.4.11-6 wxsvg-1.5.11-1
xombrero-1.6.4-5
[snip]
[rocketmouse@archlinux ~]$ cd /tmp/
[rocketmouse@archlinux tmp]$ cd /tmp/guitarix2/trunk/
[rocketmouse@archlinux trunk]$ makepkg -s
[snip]
Checking for webkit-1.0 : not found
[snip]

The configuration finished successfully and it started to build, but I manually interrupted it.

IMO it's no option to continue using vulnerable software and upstream is willing to fix the issue:

"[snip] the situation leads me to think about removing the internal browser and use the default browser on the host system instead [snip]" - https://sourceforge.net/p/guitarix/bugs/39/

FWIW I filed a deletion request against https://aur.archlinux.org/packages/webkitgtk2/ :

Ralf_Mardorf [1] filed a deletion request for webkitgtk [2]:

This software is a serious security risk. If necessary ask upstream to
fix hard dependencies to this software.

[1] https://aur.archlinux.org/account/Ralf_Mardorf/
[2] https://aur.archlinux.org/pkgbase/webkitgtk/

Regards,
Ralf

Ralf_Mardorf commented on 2017-07-01 17:47

Hi,

for testing purpose, could you please remove webkitgtk2 from the PKGBUILD, perhaps completely or by changing it to webkit2gtk? I can't test it, since one of my packages requires webkitgtk2 [1].

However, the official guitarix2 PKGBUILD from the "extra" repository doesn't mention webkit at all, see my post at https://sourceforge.net/p/guitarix/bugs/39/ .

My guess is that migrating to webkit2gtk doesn't work, but likely removing webkitgtk2 is automatically noticed by the configuration check, to build without webkit.

Regards,
Ralf

[1]
[rocketmouse@archlinux ~]$ cd /tmp
[rocketmouse@archlinux tmp]$ yaourt -Qs webkit
local/gambas3-gb-qt4-webkit 3.9.2-1 (gambas3)
Qt4 toolkit webkit component
community/gambas3-gb-qt5-webkit 3.9.2-7 (gambas3)
Qt5 toolkit webkit component
extra/kdewebkit 5.35.0-1 (kf5)
KDE Integration for QtWebKit
extra/qt5-webkit 5.212.0alpha2-2 (qt qt5)
Classes for a WebKit2 based implementation and a new QML API
local/qtwebkit 2.3.4-5
An open source web browser engine (Qt port)
extra/webkit2gtk 2.16.5-1
GTK+ Web content engine library
local/webkitgtk 2.4.11-6
Legacy Web content engine for GTK+ 3
local/webkitgtk2 2.4.11-6
Legacy Web content engine for GTK+ 2
[rocketmouse@archlinux tmp]$ asp checkout guitarix2 > /dev/null
Cloning into '/tmp/guitarix2'...
done.
[rocketmouse@archlinux tmp]$ cd guitarix2/trunk/
[rocketmouse@archlinux trunk]$ makepkg -s
[snip]
Checking for webkit-1.0 : yes
[snip]
[rocketmouse@archlinux trunk]$ sudo pacman -Rss gambas3-gb-qt4-webkit qtwebkit webkitgtk webkitgtk2
[sudo] password for rocketmouse:
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: typhoon: removing webkitgtk breaks dependency 'webkitgtk3'
:: wxsvg: removing webkitgtk2 breaks dependency 'webkitgtk2'
:: xombrero: removing webkitgtk breaks dependency 'webkitgtk'
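
Added example, not part of any comment in this thread: a text-only audit that combines the two checks discussed in the comments above, whether a PKGBUILD still lists one of the legacy WebKit ports named here (webkitgtk, webkitgtk2, qtwebkit) and what the waf configure step reported on its "Checking for webkit-1.0" line. The function names and both sample inputs are constructed for illustration and are not the real guitarix-git PKGBUILD or build log.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit a PKGBUILD and a waf configure log
# for legacy WebKit. Function names and sample inputs are constructed.

LEGACY_WEBKIT='webkitgtk webkitgtk2 qtwebkit'

# Print each legacy WebKit package listed in depends/makedepends/optdepends.
# The PKGBUILD is read from stdin as text and never sourced, so auditing an
# untrusted build script does not execute it.
legacy_webkit_deps() {
    awk -v legacy="$LEGACY_WEBKIT" -v q="'" '
        BEGIN { n = split(legacy, l, " "); for (i = 1; i <= n; i++) bad[l[i]] = 1 }
        /^[ \t]*(depends|makedepends|optdepends)=\(/ { inarr = 1 }
        inarr {
            line = $0
            sub(/#.*/, "", line)               # commented-out entries do not count
            closed = index(line, ")")          # does the array end on this line?
            sub(/^[^(]*\(/, "", line); sub(/\).*/, "", line)
            gsub(q, " ", line); gsub(/"/, " ", line)
            n = split(line, tok, " ")
            for (i = 1; i <= n; i++) {
                name = tok[i]; sub(/[<>=:].*/, "", name)   # drop version or description
                if ((name in bad) && !(name in seen)) { seen[name] = 1; print name }
            }
            if (closed) inarr = 0
        }'
}

# Classify a waf configure log (stdin) by its last webkit-1.0 check line:
# prints "linked", "not-linked", or "unknown" if the check line is absent.
webkit_configure_result() {
    line=$(grep -E '^Checking for webkit-1\.0[[:space:]]*:' | tail -n 1)
    case "$line" in
        '')        echo unknown ;;
        *': yes'*) echo linked ;;
        *)         echo not-linked ;;
    esac
}

# Constructed sample inputs (not the real guitarix-git PKGBUILD or build log).
SAMPLE_PKGBUILD="depends=('gtkmm' 'jack' 'webkitgtk2>=2.4.11')
makedepends=('git' 'python2'
             # 'webkitgtk'
             'boost')
optdepends=(\"qtwebkit: legacy Qt port\")"
SAMPLE_LOG='Checking for program g++ : /usr/bin/g++
Checking for webkit-1.0 : yes'
printf '%s\n' "$SAMPLE_PKGBUILD" | legacy_webkit_deps    # webkitgtk2, qtwebkit
printf '%s\n' "$SAMPLE_LOG" | webkit_configure_result     # linked
```

Checking the configure log as well as the dependency arrays matters because, as the session above shows, the build picks up webkit-1.0 automatically whenever the library is installed, whether or not the PKGBUILD lists it.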

eduardomezencio commented on 2017-07-01 05:48

It looks like webkitgtk2 is in AUR now

Gimmeapill commented on 2017-06-30 08:52

@Ralf_Mardorf: Thanks. I believe webkitgtk2 *might* be used only by the web interface, and according to the configuration file it is not listed as mandatory:
https://sourceforge.net/p/guitarix/git/ci/master/tree/trunk/wscript

I cannot test right now, but you may be able to disable it by adding:
"--HAVE_WEBKIT=0"
to the python2 waf configure options

Ralf_Mardorf commented on 2017-06-30 07:21

See 2017-01-19 https://git.archlinux.org/svntogit/packages.git/log/trunk?h=packages/claws-mail&showmsg=1 .
See https://wiki.archlinux.org/index.php/List_of_applications/Internet#WebKit-based which links to https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ .
