On Wed, Aug 24, 2022 at 05:14:33AM +0200, Kevin Kofler via devel wrote:
> Ben Cotton wrote:
> > == Summary ==
> > Upstream stopped the support for the old 'pcre' package. It only
> > supports the new 'pcre2' version, so Fedora should deprecate it so it
> > could later be retired and removed from Fedora entirely.
> >
> > == Owner ==
> > * Name: [[User:ljavorsk| Lukas Javorsky]]
> > * Email: ljavorsk@xxxxxxxxxx
>
> This is simply a non-starter.
>
> You yourself list dozens of packages using this compatibility library. Some
> of those are themselves compatibility libraries (e.g., kdelibs 3 and 4) and
> will never be fixed by upstream. It is entirely impractical to port them to
> a completely different API. But even current leaf packages such as rkward
> are in the list.
>
> PCRE 1 needs to remain as a fully supported compatibility library for the
> foreseeable future.
>
> > == Detailed Description ==
> > Upstream stopped supporting the old 'pcre' package. The 8.45 is marked
> > as a final release and nothing else will be added/fixed in it. This
> > may lead to some unresolved CVEs, which would have to be resolved by
> > the maintainers. Unfortunately, due to our limited capacity, we
> > wouldn't have the time and experience to solve this by ourselves, so
> > we need to deprecate this package. After the deprecation is done, the
> > very next step would be starting the [[PcreRetirement|retirement
> > change]], so the package is removed from Fedora entirely.
>
> How different is the code from the pcre2 code? If it is completely
> different, then CVEs found in pcre2 will typically not affect the legacy
> code, and you can expect a steep drop in found CVEs with the upstream drop
> of support. If, on the other hand, it is sufficiently similar for the CVEs
> to apply, then the fixes can also be backported.

pcre will also have a drop in found CVEs simply because far fewer people will
be bothering to look at the old code. If no one is looking for bugs then none
are going to be reported :-)

The number of CVEs (fixed or not) as a metric on its own tells us little about
the security quality of any package.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx