On Fri, Jul 26, 2024 at 3:52 PM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
>
> On 26. 07. 24 14:23, Andrea Bolognani wrote:
> > On Fri, Jul 26, 2024 at 03:13:27PM GMT, David Abdurachmanov wrote:
> >> On Tue, Jul 23, 2024 at 5:30 PM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
> >>>
> >>> Dear maintainers.
> >>>
> >>> Based on the current fail to build from source policy, the following packages
> >>> should be retired from Fedora 41 approximately one week before branching.
> >>
> >> Hi Miro,
> >>
> >> I suggest including the following two packages:
> >> - InsightToolkit
> >> - gimp-separate+
> >>
> >> These packages failed in mass rebuilds (F40 and F41). These continue
> >> to depend on old libtiff (with CVEs).
> >>
> >> Looking at gimp-separate+ the domain in URL: field is no longer valid.
> >> We are using source code from 2010 (final release). There was an
> >> attempt for a minor (patch level) release in 2016. They did some alpha
> >> tarballs, but I don't see any release. It seems to be dead for a
> >> decade or so.
> >>
> >> InsightToolkit seems to fail compiling VTK bits. We could probably
> >> disable the VTK sub-package for now.
> >>
> >> Then finally stop libtiff incl. old libtiff binaries with CVEs.
> >
> > For completeness' sake, this is the bug that has been filed a while
> > ago against libtiff to highlight the problematic situation David is
> > referring to:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2292047
> >
> > If the packages that still need libtiff.so.5 were to be retired,
> > addressing it would become trivial.
>
> Hey folks. I cannot retire them while handling the policy, because they were
> built in Fedora 39 which is not yet EOL.
>
> You can follow steps 1-5 from
> https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/#_package_removal_for_long_standing_ftbfs_and_fti_bugs
> instead.

I am a bit surprised here.

gimp-separate+ got FTBFS ticket [0] on 2024-01-29 and there has been no
response from the maintainer. The rules allow you to nuke the package in
14 (or less) weeks in a specific situation instead of waiting for 13 months.

I assume there is no "concerned party" to follow up on FTBFS tickets to get
these packages orphaned, and removed more promptly?

[0] https://bugzilla.redhat.com/show_bug.cgi?id=2261154