https://fedoraproject.org/wiki/PcreDeprecation This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Upstream stopped the support for the old 'pcre' package. It only supports the new 'pcre2' version, so Fedora should deprecate it so it could later be retired and removed from Fedora entirely. == Owner == * Name: [[User:ljavorsk| Lukas Javorsky]] * Email: ljavorsk@xxxxxxxxxx == Detailed Description == Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. This may lead to some unresolved CVEs, which would have to be resolved by the maintainers. Unfortunately, due to our limited capacity, we wouldn't have the time and experience to solve this by ourselves, so we need to deprecate this package. After the deprecation is done, the very next step would be starting the [[PcreRetirement|retirement change]], so the package is removed from Fedora entirely. The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API. [https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html Mail] about the changes in the pcre2. === Plan === 1) File the BZ trackers for all of the dependent packages. 2) Document the deprecation. 3) Start the [[PcreRetirement|new change]] with the pcre retirement. == Feedback == The early feedback from the community is in [https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/K3BUC6T5VIG7LXOV4RVFO7IUPE2LGA2J/#OPHSKMRJ4W6IX4KMLRF27K2JMSQQ2GCB this mailing thread] == Benefit to Fedora == Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. By deprecating this package, we will send the message to the maintainers that their packages should port to new pcre2 package and any new package would have to use only new and supported pcre2 version. == Scope == * Proposal owners: 3 steps mentioned in the [https://fedoraproject.org/wiki/PcreDeprecation#Plan Plan]. * Other developers: Port their package to support the new pcre2. * Release engineering: * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with Objectives: == Upgrade/compatibility impact == The old pcre package will be deprecated, so the new packages are not able to require it and have to require the new pcre2 version of this package. == User Experience == Users will not be exposed to the possible vulnerable pcre package, because the pcre2 is supported by the upstream community. == Dependencies == This list is obtained by using and combining the output of the following commands: dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname === List === *389-ds-base *adanaxisgpl *aide *aircrack-ng *anope *apachetop *bti *ccze *cegui *cegui06 *clamav *ClanLib *clisp *clover2 *coccinelle *collada-dom *compton *condor *cppcheck *cyrus-imapd *deepin-file-manager *dogtag-pki *EMBOSS *eterm *Falcon *freeradius *gambas3 *ganglia *ghc-highlighting-kate *ghc-pcre-light *ghc-regex-pcre *GMT *gnote *golang *gource *grep *groonga *gsmartcontrol *haxe *hydra *hyperscan *i3 *i3-gaps *imapfilter *Io-language *kdelibs *kdelibs3 *kdevelop *kf5-kjs *kf5-kplotting *libast *liblognorm *libmodsecurity *lnav *logstalgia *lumail *medusa *mle *mod_auth_openid *mod_auth_openidc *mod_qos *mod_security *monotone *ncid *nekovm *ngrep *nmap *ocaml-pcre *oci-umount *octave *openCOLLADA *openscap *opensips *pads *pcre *pdfgrep *perl-re-engine-PCRE *petsc *php-pecl-apcu *php-pecl-http *php-pecl-oauth *picom *pl *poco *postgis *powwow *prelude-lml *privoxy *proxysql *python-qutepart *python-scss *R *rasqal *regexxer *remctl *renderdoc *rkward *root *rudiments *sigil *slang *sord *sslh *suricata *sway *swig *syncevolution *syslog-ng *the_foundation *the_silver_searcher *Thunar *tin *tintin *tinyfugue *trafficserver *uwsgi *vdr-epgfixer *watchman *wireshark *wmweather+ *xastir *xfce4-verve-plugin *xgrep *xmlcopyeditor *zsh == Contingency Plan == * Contingency mechanism: (What to do? Who will do it?) N/A (not needed for this Change) * Contingency deadline: N/A (not needed for this Change) * Blocks release? No == Documentation == There should be documentation of this change, so the users know that the pcre is no longer supported and cannot be required by any Fedora package. If an existing package requires the pcre package, it is considered as a bug. == Release Notes == Release notes should contain the information about the pcre deprecation so the users know they won't be able to use its libraries anymore. -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
