I’d like to get some clarifying hints on what to do with the “steghide” package. See Vulnerability roundup 100: steghide-0.5.1: 1 advisory [7.5] · Issue #116923 · NixOS/nixpkgs · GitHub for details.
The package got a CVE advisory which basically states that it does not hide stuff as effectively as it promises to do. Since the package has not seen upstream activity for 8 years, I suspect that there will be no bug fix. It does not have a nixpkgs maintainer either. I’d suggest to remove it altogether.
How to proceed? Please comment on:
- knownVulnerabilities meta attribute to 20.09? unstable?
- Remove it completely from unstable?
- Remove it from unstable after the next branch-off so that it will remain in the next release?
- If so: How do we make sure that we don’t forget it as there is no maintainer?