Re: openjpeg / stretch

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>
Subject: Re: openjpeg / stretch
From: Mathieu Malaterre <malat@debian.org>
Date: Thu, 2 Jun 2016 09:03:57 +0200
Message-id: <[🔎] CA+7wUsy5fgiVt-fg6ZPHEkj3NLYc1q0yqYErioctSm9AgAPa3w@mail.gmail.com>
In-reply-to: <[🔎] 1ae4a309-076f-3259-f4b2-47d65943eadd@debian.org>
References: <CA+7wUszjSQuFu-3PLDnpZvdUFSFJWC+KFwzHsk0q_AeduWS_TA@mail.gmail.com> <[🔎] 1ae4a309-076f-3259-f4b2-47d65943eadd@debian.org>

On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort <pochu@debian.org> wrote:
> On 31/05/16 12:00, Mathieu Malaterre wrote:
>> [adding debian-release]
>>
>> Hi,
>>
>> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <malat@debian.org> wrote:
>>> Hi,
>>>
>>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
>>>> Hi,
>>>> in jessie we have the unfortunate situation of having two copies of
>>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get
>>>> rid of openjpeg for stretch? We accept two source packages for transition
>>>> purposes, but these need to be sorted out by the subsequent release.
>>>
>>> That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have
>>> different API, and it requires a significant effort to move from one
>>> API to the other. Without upstream help from each packages, this
>>> cannot possibly be done (at least by me).
>>>
>>> If someone wants to volunteer, some projects have successfully moved
>>> from openjpeg 1.x to openjpeg 2.x (from the top of my head:
>>> mupdf/gdal/leptonlib) so some projects may have code so that they
>>> compile against either openjpeg 1.x or openjpeg 2.x using #idef
>>> triggered during configuration time.
>>>
>>> The other option is to deactivate JPEG 2000 support from those
>>> packages. imagemagick (accidentally) removed support for JPEG 2000
>>> (#773530) and no one complained so far.
>>
>> Actually the issue is maybe a little more than just a security
>> concern. See the bug report #825907.
>
> Is openjpeg not using versioned symbols?

No (very very few packages are actually using this trick AFAIK).

>> I'll leave it to debian-release to decide the severity of this bug.
>> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API.
>
> You can do like it is being done for jasper: file bugs with severity:important
> against all the rdeps, telling them we want to remove openjpeg from Stretch for
> security reasons, and that the bugs will get bumped to RC in some time. Then we
> can see how things evolve and what to do next.
>
> See
>
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;users=jmm@debian.org
> https://release.debian.org/transitions/html/jasper-rm.html
> https://lists.debian.org/debian-release/2016/03/msg00006.html
>
> How does that sound?

Sound good! Severity: important is not too annoying for packager, but
clear enough. I'll do that ASAP.

Thanks
-M

Reply to:

Follow-Ups:
- Re: openjpeg / stretch
  - From: Mathieu Malaterre <malat@debian.org>

References:
- Re: openjpeg / stretch
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: NEW changes in stable-new
Next by Date: Bug#826102: nmu: phonetisaurus_0.7.8-6 opengrm-ngram_1.2.2-1
Previous by thread: Re: openjpeg / stretch
Next by thread: Re: openjpeg / stretch
Index(es):
- Date
- Thread