There are the other projects as well that would need some relook at its http-parser dependency and see if it can be dropped: julia, cantor, and LabPlot.
Regards, Carlos R.F. On 12/9/24 7:30 AM, Stephen Gallagher wrote:
On Sat, Dec 7, 2024 at 12:21 PM Carlos Rodriguez-Fernandez <carlosrodrifernandez@xxxxxxxxx> wrote:I took sparse, and http-parser. http-parser in particular is a dead project upstream. However, there is a good set of packages depending on it. There are also past contributors. If any of the past contributors want to take it please let me know, I'll be happy to hand it over: dck, mrunge, orphan, patches, sgallagh, vascom.I actually thought I'd removed myself from that package; I've migrated all of the packages I used to maintain with http-parser over to the (supported) llhttp package. The upstream is very dead and it's been strongly implied to me that there are very likely to be security issues with it. I'd argue that we need to remove it from the distribution entirely and either fix or retire the remaining packages depending on it: * AusweisApp2-0:2.2.1-1.fc41.x86_64 * AusweisApp2-0:2.2.2-2.fc41.x86_64 - Upstream still relies on http-parser and needs to be contacted to migrate to a maintained parser. * flamethrower-0:0.11.0-28.fc41.x86_64 - This is actually carrying a Fedora-specific patch to use http-parser instead of upstream's private fork (called url_parser). Given that both of them are effectively unmaintained, I think we want to drop our patch and follow upstream (and contact them about switching to a maintained parser) * http-parser-devel-0:2.9.4-12.fc41.i686 * http-parser-devel-0:2.9.4-12.fc41.x86_64 - Part of http-parser itself and will be removed if we drop it. * jabberd-0:2.6.1-28.fc41.x86_64 - This package is also dead upstream since 2019 and should be dropped from Fedora. * python3-httptools-0:0.6.0-6.fc41.x86_64 - Latest versions have been converted to llhttp * slurm-slurmrestd-0:24.05.2-1.fc41.x86_64 - Upstream is still bound to http-parser, but only for one optional component: slurmrestd. We could stop providing this daemon in Fedora and communicate to upstream that they need to update to a maintained parser.
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue