Hi Daniel, Daniel P. Berrangé <berrange@xxxxxxxxxx> writes: > I've been maintainer of the yajl package in Fedora forever, as it was > a dep of libvirt. > > yajl upstream has been dead since 2015, so the current release tarball > has multiple CVEs, which I've patched downstream by grabbing patches > from github issue comments from third parties or other distros [1]. > > In the libvirt 10.8.0 release that just hit rawhide, we've switched to > using json-c instead. Aside from libvirt in stable Fedora release > branches, there are a few other packages in Fedora still using > yajl that I see: > > Io-language > collectd > crun > grive2 > i3 > i3-gaps > i3status As the maintainer of i3, i3-gaps & i3status, I've brought this issue upstream: https://github.com/i3/i3/issues/6257 > libmodsecurity > mod_security > raptor2 > xen > > If anyone is cares about the above packages enough to want to take > over ownership of 'yajl', either now or in future, please let me > know. > > I'm willing to keep ownership of yajl until the Fedora 41 branch goes > end of life, at which point no version of libvirt will still use it > If no new volunteer has stepped forward by then I'll be orphaning > yajl. I'm not sure if we'll be able to migrate the i3 away from yajl until the EoL of Fedora 41, but if we won't then I'll try to help out. Cheers, Dan -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue