- From: Geoff McLane <ubuntu@geoffair.info>
- Date: Mon, 28 Sep 2015 15:32:29 +0200
- To: html-tidy@w3.org, curtis@canonical.com
- Message-ID: <5609416D.1030606@geoffair.info>
Cross post this on the public list
-------- Forwarded Message --------
Subject: How to get tidy updated in various distribution channels?
Date: Mon, 28 Sep 2015 15:27:11 +0200
From: Geoff McLane <ubuntu@geoffair.info>
To: Edward Vielmetti <edward.vielmetti@gmail.com>, Sierk Bornemann
<sierkb@gmail.com>
CC: tidy@geoffair.info, Ryan Schmidt <ryandesign@macports.org>
Hi Sierk,
As Edward points out, thanks largely to him, we have
the Apple platform well covered, but it would be nice
if Apple also weighed in ;=))
But there is a real problem with Ubuntu (Debian)! And
probably LOTS of other package distributions...
I just checked synaptic in my Ubuntu 14.04 LTS, and it
still lists libtidy-0.99, circa 2009 ;=(( YUK!!!
I checked around LaunchPad - https://launchpad.net/tidy -
and found this still points to sourceforge 2009 tidy,
home page and source! UGH!
How do we change that? I do not fully understand how
these things work, having not used them before...
But maybe we should write to Curtis Hovey (maybe
curtis@canonical.com?)? Direct approach... maybe cc
him on this...
Or maybe there is a way to file for a badly needed
package update??? Where?
And the page - https://launchpad.net/ubuntu/trusty/+source/tidy -
also shows 2009 Tidy, despite the fact that an update
(Ha!) was done 2015-07-23!!! Nearly a month after our
5.0.0 release...
We certainly need to STIR something up somewhere ;=))
Important Links:
site: http://www.html-tidy.org/
source: https://github.com/htacg/tidy-html5
binaries: http://www.htacg.org/binaries/
bugs: https://github.com/htacg/tidy-html5/issues
list: https://lists.w3.org/Archives/Public/html-tidy/
api: http://www.htacg.org/tidy-html5/tidylib_api/
quickref: http://www.htacg.org/tidy-html5/quickref.html
Regards,
Geoff.
On 26/09/15 01:41, Edward Vielmetti wrote:
> Sierk - sure take my text and use it if it will help.
>
> My next desire is not so much for Apple to update tidy (since it's readily
> available in Macports and fink and Homebrew that platform is OK).
> But Debian has an ancient tidy and I think that's addressable
> in finite time to improve at least to get tidy-html5 into `sid`.
>
> On Fri, Sep 25, 2015 at 5:52 PM, Sierk Bornemann <sierkb@gmail.com> wrote:
>
> Hi Geoff,
> hi Edward,
> hi Ryan!
>
> Tidy is part of Apple’s Open Source stack Darwin and so has been part of
> their OS X distribution for years [1], as well as part of iOS and
> of their newest OS, watchOS. Unfortunately, it's a very
> old version:
>
> OS X 10.10.5 (Yosemite)
> $ tidy --version
> HTML Tidy for Mac OS X released on 31 October 2006 - Apple Inc.
> build 15.15
>
> Latest security updates for iOS and watchOS contain updates for
> tidy, concerning CVE-2015-5522 and CVE-2015-5523 vulnerabilities,
> which are closed in Tidy 4.9.31 and later 5.x.
>
> Apple’s Tidy is very outdated; it is an old version based on the last
> available version on SourceForge, hasn’t been changed or updated for
> years, and isn’t capable of HTML5.
> Years ago, Nov 17 2008, I filed a bug "Update HTML Tidy and
> TidyLib to the latest official version" in Apple’s internal bug
> database on https://bugreport.apple.com/ and mirrored the bug for
> transparency purposes on OpenRadar [3]. I updated the bug’s
> information July 31 2014, reflecting that W3C had forked the dead
> SF tidy project to give it new life and to urge Apple to please
> update tidy.
> So far no reaction, no update from Apple to their tidy.
> Since then, I’ve not updated the bug’s description, to reflect the
> new situation under HTACG’s umbrella, but want to do so shortly.
>
> [1] http://www.opensource.apple.com/
> http://www.opensource.apple.com/source/tidy/
> http://www.apple.com/opensource/
>
> [2] APPLE-SA-2015-09-16-1 iOS 9
> http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html
>
> tidy
> Available for: iPhone 4s and later,
> iPod touch (5th generation) and later, iPad 2 and later
> Impact: Visiting a maliciously crafted website may lead to arbitrary
> code execution
> Description: A memory corruption issue existed in Tidy. This issue
> was addressed through improved memory handling.
> CVE-ID
> CVE-2015-5522 : Fernando Munoz of NULLGroup.com
> CVE-2015-5523 : Fernando Munoz of NULLGroup.com
>
> APPLE-SA-2015-09-21-1 watchOS 2
> http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html
>
> [quote]
> tidy
> Available for: Apple Watch Sport, Apple Watch,
> and Apple Watch Edition
> Impact: Visiting a maliciously crafted website may lead to arbitrary
> code execution
> Description: A memory corruption issue existed in Tidy. This issue
> was addressed through improved memory handling.
> CVE-ID
> CVE-2015-5522 : Fernando Munoz of NULLGroup.com
> CVE-2015-5523 : Fernando Munoz of NULLGroup.com
> [/quote]
>
> [3] OpenRadar bug 6376494 (Apple internal rdar://6376494): Update
> HTML Tidy and TidyLib to the latest official version
> http://openradar.appspot.com/6376494
>
>
>
> My question to you is: what can be done, what can you/we do,
> beyond my past efforts in this case, to convince Apple to
> eventually update its old outdated stock tidy to the most recent
> stable one of HTACG? Any idea? Any suggestions?
>
> @Edward Vielmetti:
> May I take, with your allowance, just for convenience and instead
> of writing my own text, your text of fink ticket #1044
> http://sourceforge.net/p/fink/package-requests/1044/ and copy it
> for updating my Apple Rdar-bug 6376494 as well as its OpenRadar
> equivalent?
>
> Suggestions and help welcome,
> Regards,
> Sierk Bornemann
>
> --
> Sierk Bornemann | web developer | germany
>
> --
> Edward Vielmetti +1 734 330 2465
> edward.vielmetti@gmail.com
>
Received on Monday, 28 September 2015 13:33:10 UTC