On 26. 07. 24 16:32, David Abdurachmanov wrote:
On Fri, Jul 26, 2024 at 3:52 PM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
On 26. 07. 24 14:23, Andrea Bolognani wrote:
On Fri, Jul 26, 2024 at 03:13:27PM GMT, David Abdurachmanov wrote:
On Tue, Jul 23, 2024 at 5:30 PM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
Dear maintainers.
Based on the current fail to build from source policy, the following packages
should be retired from Fedora 41 approximately one week before branching.
Hi Miro,
I suggest including the following two packages:
- InsightToolkit
- gimp-separate+
These packages failed in mass rebuilds (F40 and F41). These continue
to depend on old libtiff (with CVEs).
Looking at gimp-separate+ the domain in URL: field is no longer valid.
We are using source code from 2010 (final release). There was an
attempt for a minor (patch level) release in 2016. They did some alpha
tarballs, but I don't see any release. It seems to be dead for a
decade or so.
InsightToolkit seems to fail compiling VTK bits. We could probably
disable the VTK sub-package for now.
Then finally stop libtiff incl. old libtiff binaries with CVEs.
For completeness' sake, this is the bug that has been filed a while
ago against libtiff to highlight the problematic situation David is
referring to:
https://bugzilla.redhat.com/show_bug.cgi?id=2292047
If the packages that still need libtiff.so.5 were to be retired,
addressing it would become trivial.
Hey folks. I cannot retire them while handling the policy, because they were
built in Fedora 39 which is not yet EOL.
You can follow steps 1-5 from
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/#_package_removal_for_long_standing_ftbfs_and_fti_bugs
instead.
I am a bit surprised here.
gimp-separate+ got FTBFS ticket [0] on 2024-01-29 and there has been
no response from the maintainer. The rules allow you to nuke the
package in 14 (or less) weeks in a specific situation instead of
waiting for 13 months. I assume there is no "concerned party" to
follow up on FTBFS tickets to get these packages orphaned, and removed
more promptly?
[0] https://bugzilla.redhat.com/show_bug.cgi?id=2261154
Yeah, if you are a concerned party, you need to follow up at step 3.
I tried to make this automated but it still requires maintenance,
see https://pagure.io/fedora-infra/ansible/pull-request/1632
I'll switch this to f40.
--
Miro Hrončok
--
Phone: +420777974800
Fedora Matrix: mhroncok
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
