Re: Orphaned packages looking for new maintainers

I agree. This dead package probably has security issues waiting to be discovered.

There are other projects as well that would need another look at their http-parser dependency to see if it can be dropped: julia, cantor, and LabPlot.


Regards,

Carlos R.F.


On 12/9/24 7:30 AM, Stephen Gallagher wrote:
On Sat, Dec 7, 2024 at 12:21 PM Carlos Rodriguez-Fernandez
<carlosrodrifernandez@xxxxxxxxx> wrote:
I took sparse, and http-parser.

http-parser in particular is a dead project upstream. However, there is a good set of packages depending on it. There are also past contributors. If any of the past contributors want to take it please let me know, I'll be happy to hand it over: dck, mrunge, orphan, patches, sgallagh, vascom.

I actually thought I'd removed myself from that package; I've migrated
all of the packages I used to maintain with http-parser over to the
(supported) llhttp package.

The upstream is very dead and it's been strongly implied to me that
there are very likely to be security issues with it. I'd argue that we
need to remove it from the distribution entirely and either fix or
retire the remaining packages depending on it:

* AusweisApp2-0:2.2.1-1.fc41.x86_64
* AusweisApp2-0:2.2.2-2.fc41.x86_64
- Upstream still relies on http-parser and needs to be contacted to
migrate to a maintained parser.

* flamethrower-0:0.11.0-28.fc41.x86_64
- This is actually carrying a Fedora-specific patch to use http-parser
instead of upstream's private fork (called url_parser). Given that
both of them are effectively unmaintained, I think we want to drop our
patch and follow upstream (and contact them about switching to a
maintained parser)

* http-parser-devel-0:2.9.4-12.fc41.i686
* http-parser-devel-0:2.9.4-12.fc41.x86_64
- Part of http-parser itself and will be removed if we drop it.

* jabberd-0:2.6.1-28.fc41.x86_64
- This package is also dead upstream since 2019 and should be dropped
from Fedora.

* python3-httptools-0:0.6.0-6.fc41.x86_64
- Latest versions have been converted to llhttp

* slurm-slurmrestd-0:24.05.2-1.fc41.x86_64
- Upstream is still bound to http-parser, but only for one optional
component: slurmrestd. We could stop providing this daemon in Fedora
and communicate to upstream that they need to update to a maintained
parser.
