Re: F38 proposal: Pcre Deprecation (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Ben Cotton wrote:
> == Summary ==
> Upstream stopped the support for the old 'pcre' package. It only
> supports the new 'pcre2' version, so Fedora should deprecate it so it
> could later be retired and removed from Fedora entirely.
> 
> == Owner ==
> * Name: [[User:ljavorsk| Lukas Javorsky]]
> * Email: ljavorsk@xxxxxxxxxx

This is simply a non-starter.

You yourself list dozens of packages using this compatibility library. Some 
of those are themselves compatibility libraries (e.g., kdelibs 3 and 4) and 
will never be fixed by upstream. It is entirely impractical to port them to 
a completely different API. But even current leaf packages such as rkward 
are in the list.

PCRE 1 needs to remain as a fully supported compatibility library for the 
foreseeable future.

> == Detailed Description ==
> Upstream stopped supporting the old 'pcre' package. The 8.45 is marked
> as a final release and nothing else will be added/fixed in it. This
> may lead to some unresolved CVEs, which would have to be resolved by
> the maintainers. Unfortunately, due to our limited capacity, we
> wouldn't have the time and experience to solve this by ourselves, so
> we need to deprecate this package. After the deprecation is done, the
> very next step would be starting the [[PcreRetirement|retirement
> change]], so the package is removed from Fedora entirely.

How different is the code from the pcre2 code? If it is completely 
different, then CVEs found in pcre2 will typically not affect the legacy 
code, and you can expect a steep drop in found CVEs with the upstream drop 
of support. If, on the other hand, it is sufficiently similar for the CVEs 
to apply, then the fixes can also be backported.

In the end, my suggestion if you are unable to deal with the security 
vulnerabilities is to simply orphan the library and let someone else pick it 
up. (If nobody else does, I will, because at least 3 of my packages depend 
on it.)

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux