How to get tidy updated in various distribution channels?


Geoff McLane
Cross post this on the public list

-------- Forwarded Message --------
Subject: How to get tidy updated in various distribution channels?
Date: Mon, 28 Sep 2015 15:27:11 +0200
From: Geoff McLane [hidden email]
To: Edward Vielmetti [hidden email], Sierk Bornemann [hidden email]
CC: [hidden email], Ryan Schmidt [hidden email]


Hi Sierk,

As Edward points out, thanks largely to him, we have
the Apple platform well covered, but it would be nice
if Apple also weighed in ;=))

But there is a real problem with Ubuntu (Debian)! And
probably LOTS of other package distributions...

I just checked synaptic in my Ubuntu 14.04 LTS, and it
still lists libtidy-0.99, circa 2009 ;=(( YUK!!!

I checked around LaunchPad - https://launchpad.net/tidy -
and found this still points to sourceforge 2009 tidy,
home page and source! UGH!

How do we change that? I do not fully understand how
these things work, having not used them before...

But maybe we should write to Curtis Hovey (maybe
[hidden email]?)? Direct approach... maybe cc
him on this...

Or maybe there is a way to file for a badly needed
package update??? Where?

And the page - https://launchpad.net/ubuntu/trusty/+source/tidy -
also shows 2009 Tidy, despite the fact that an update
(Ha!) was done 2015-07-23!!! Nearly a month after our
5.0.0 release...

We certainly need to STIR something up somewhere ;=))

Important Links:

    site: http://www.html-tidy.org/
    source: https://github.com/htacg/tidy-html5
    binaries: http://www.htacg.org/binaries/
    bugs: https://github.com/htacg/tidy-html5/issues
    list: https://lists.w3.org/Archives/Public/html-tidy/
    api: http://www.htacg.org/tidy-html5/tidylib_api/
    quickref: http://www.htacg.org/tidy-html5/quickref.html

Regards,
Geoff.


On 26/09/15 01:41, Edward Vielmetti wrote:
Sierk - sure take my text and use it if it will help.

My next desire is not so much for Apple to update tidy (since it's readily
available in MacPorts, Fink and Homebrew, that platform is OK).
But Debian has an ancient tidy, and I think that's addressable
in finite time, at least to the point of getting tidy-html5 into `sid`.

On Fri, Sep 25, 2015 at 5:52 PM, Sierk Bornemann <[hidden email]> wrote:
Hi Geoff,
hi Edward,
hi Ryan!

Tidy is part of Apple's Open Source stack Darwin and so has been part of their OS X distribution for years [1], as well as of iOS and of their newest OS, watchOS. Unfortunately, it's a very old version:

OS X 10.10.5 (Yosemite)
$ tidy --version
HTML Tidy for Mac OS X released on 31 October 2006 - Apple Inc. build 15.15

The latest security updates for iOS and watchOS contain updates for tidy [2], concerning the CVE-2015-5522 and CVE-2015-5523 vulnerabilities, which are closed in Tidy 4.9.31 and the later 5.x releases.

Apple's Tidy is very outdated: it is an old version based on the last available version on SourceForge, hasn't been changed or updated for years, and isn't capable of HTML5.
Years ago, on Nov 17 2008, I filed a bug "Update HTML Tidy and TidyLib to the latest official version" in Apple's internal bug database on https://bugreport.apple.com/ and mirrored the bug for transparency purposes on OpenRadar [3]. I updated the bug's information on July 31 2014, reflecting that W3C had forked the dead SF tidy project to give it new life, and to urge Apple to please update tidy.
So far there has been no reaction and no update from Apple to their tidy.
Since then, I've not updated the bug's description to reflect the new situation under HTACG's umbrella, but I want to do so shortly.

[1] http://www.opensource.apple.com/
http://www.opensource.apple.com/source/tidy/
http://www.apple.com/opensource/

[2] APPLE-SA-2015-09-16-1 iOS 9
http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html

[quote]
tidy
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in Tidy. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com
[/quote]

APPLE-SA-2015-09-21-1 watchOS 2
http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html

[quote]
tidy
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in Tidy. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com
[/quote]

[3] OpenRadar bug 6376494 (Apple internal rdar://6376494): Update HTML Tidy and TidyLib to the latest official version
http://openradar.appspot.com/6376494



My question to you is: what can be done, what can you/we do, beyond my past efforts in this case, to convince Apple to eventually update its old, outdated stock tidy to the most recent stable one from HTACG? Any idea? Any suggestions?

@Edward Vielmetti:
May I, with your permission and just for convenience instead of writing my own text, take your text of fink ticket #1044 http://sourceforge.net/p/fink/package-requests/1044/ and copy it for updating my Apple rdar bug 6376494 as well as its OpenRadar equivalent?

Suggestions and help welcome,
Regards,
Sierk Bornemann

--
Sierk Bornemann | web developer | germany

--
Edward Vielmetti +1 734 330 2465
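A small inventory check that follows from the `tidy --version` output and the 4.9.31 threshold quoted in the thread (an added example, not code from the thread or from the HTACG project): it parses the legacy date-only Apple banner shown above and the `version X.Y.Z` banner that tidy-html5 prints (that second format is an assumption here), and flags builds older than the first release carrying the CVE-2015-5522/5523 fixes.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release that carries the fixes for CVE-2015-5522 and CVE-2015-5523,
# as stated in the thread (4.9.31 and the later 5.x releases).
FIXED_VERSION = (4, 9, 31)

# Constructed sample banners: the 2006 Apple build quoted in the thread, and
# the "version X.Y.Z" form assumed for tidy-html5 builds.
SAMPLES = {
    "apple_2006": "HTML Tidy for Mac OS X released on 31 October 2006 - Apple Inc. build 15.15",
    "html5_500": "HTML Tidy for Linux version 5.0.0",
    "html5_4930": "HTML Tidy for Linux version 4.9.30",
}


def parse_tidy_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from a 'version X.Y.Z' banner, else None."""
    m = re.search(r"\bversion\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def legacy_release_year(banner: str) -> Optional[int]:
    """Year from a SourceForge-era 'released on <day> <month> <year>' banner."""
    m = re.search(r"released on \d{1,2} \w+ (\d{4})", banner)
    return int(m.group(1)) if m else None


def predates_cve_fix(banner: str) -> bool:
    """True if the banner describes a build older than FIXED_VERSION."""
    version = parse_tidy_version(banner)
    if version is not None:
        return version < FIXED_VERSION
    # Date-only banners come from the SourceForge lineage that stopped in
    # 2009, so any recognised legacy banner predates the 2015 fixes.
    # Unrecognised banners are not flagged; inspect those by hand.
    return legacy_release_year(banner) is not None


def installed_tidy_banner(path: str = "tidy") -> Optional[str]:
    """First line of `tidy --version` from the local binary, or None."""
    try:
        out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    text = (out.stdout or out.stderr).strip()
    return text.splitlines()[0] if text else None


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:11s} old={predates_cve_fix(banner)!s:5s} {banner}")
    local = installed_tidy_banner()
    print("local tidy:", f"old={predates_cve_fix(local)} {local}" if local else "not found")
```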