Re: openjpeg / stretch

To: Mathieu Malaterre <malat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>
Cc: team@security.debian.org, Debian Release <debian-release@lists.debian.org>
Subject: Re: openjpeg / stretch
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Wed, 1 Jun 2016 19:10:19 +0200
Message-id: <[🔎] 1ae4a309-076f-3259-f4b2-47d65943eadd@debian.org>
In-reply-to: <CA+7wUszjSQuFu-3PLDnpZvdUFSFJWC+KFwzHsk0q_AeduWS_TA@mail.gmail.com>
References: <CA+7wUszjSQuFu-3PLDnpZvdUFSFJWC+KFwzHsk0q_AeduWS_TA@mail.gmail.com>

On 31/05/16 12:00, Mathieu Malaterre wrote:
> [adding debian-release]
> 
> Hi,
> 
> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <malat@debian.org> wrote:
>> Hi,
>>
>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
>>> Hi,
>>> in jessie we have the unfortunate situation of having two copies of
>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get
>>> rid of openjpeg for stretch? We accept two source packages for transition
>>> purposes, but these need to be sorted out by the subsequent release.
>>
>> That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have
>> different API, and it requires a significant effort to move from one
>> API to the other. Without upstream help from each packages, this
>> cannot possibly be done (at least by me).
>>
>> If someone wants to volunteer, some projects have successfully moved
>> from openjpeg 1.x to openjpeg 2.x (from the top of my head:
>> mupdf/gdal/leptonlib) so some projects may have code so that they
>> compile against either openjpeg 1.x or openjpeg 2.x using #idef
>> triggered during configuration time.
>>
>> The other option is to deactivate JPEG 2000 support from those
>> packages. imagemagick (accidentally) removed support for JPEG 2000
>> (#773530) and no one complained so far.
> 
> Actually the issue is maybe a little more than just a security
> concern. See the bug report #825907.

Is openjpeg not using versioned symbols?

> I'll leave it to debian-release to decide the severity of this bug.
> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API.

You can do like it is being done for jasper: file bugs with severity:important
against all the rdeps, telling them we want to remove openjpeg from Stretch for
security reasons, and that the bugs will get bumped to RC in some time. Then we
can see how things evolve and what to do next.

See

https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;users=jmm@debian.org
https://release.debian.org/transitions/html/jasper-rm.html
https://lists.debian.org/debian-release/2016/03/msg00006.html

How does that sound?

Cheers,
Emilio

Reply to:

Follow-Ups:
- Re: openjpeg / stretch
  - From: Mathieu Malaterre <malat@debian.org>

Prev by Date: Re: Regression in policykit-1 0.105-15~deb8u1 (Was Re: Bug#825512: jessie-pu: package policykit-1/0.105-15~deb8u1)
Next by Date: Bug#825342: mips/mipsel: make sure all packages built with fpxx enabled
Previous by thread: Re: [debian-mysql] About packages that depend on mysql-* / mariadb / virtual-mysql-*
Next by thread: Re: openjpeg / stretch
Index(es):
- Date
- Thread