Re: openjpeg / stretch

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>
Subject: Re: openjpeg / stretch
From: Mathieu Malaterre <malat@debian.org>
Date: Thu, 9 Jun 2016 10:37:34 +0200
Message-id: <[🔎] CA+7wUsz-jwU6a7Vu9+fGt5qcNPB_WAdZyvXztngxLQ9Q3Nzxog@mail.gmail.com>
In-reply-to: <[🔎] CA+7wUsy5fgiVt-fg6ZPHEkj3NLYc1q0yqYErioctSm9AgAPa3w@mail.gmail.com>
References: <CA+7wUszjSQuFu-3PLDnpZvdUFSFJWC+KFwzHsk0q_AeduWS_TA@mail.gmail.com> <[🔎] 1ae4a309-076f-3259-f4b2-47d65943eadd@debian.org> <[🔎] CA+7wUsy5fgiVt-fg6ZPHEkj3NLYc1q0yqYErioctSm9AgAPa3w@mail.gmail.com>

On Thu, Jun 2, 2016 at 9:03 AM, Mathieu Malaterre <malat@debian.org> wrote:
> On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort <pochu@debian.org> wrote:
>> On 31/05/16 12:00, Mathieu Malaterre wrote:
>>> [adding debian-release]
>>>
>>> Hi,
>>>
>>> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <malat@debian.org> wrote:
>>>> Hi,
>>>>
>>>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
>>>>> Hi,
>>>>> in jessie we have the unfortunate situation of having two copies of
>>>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get
>>>>> rid of openjpeg for stretch? We accept two source packages for transition
>>>>> purposes, but these need to be sorted out by the subsequent release.
>>>>
>>>> That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have
>>>> different API, and it requires a significant effort to move from one
>>>> API to the other. Without upstream help from each packages, this
>>>> cannot possibly be done (at least by me).
>>>>
>>>> If someone wants to volunteer, some projects have successfully moved
>>>> from openjpeg 1.x to openjpeg 2.x (from the top of my head:
>>>> mupdf/gdal/leptonlib) so some projects may have code so that they
>>>> compile against either openjpeg 1.x or openjpeg 2.x using #idef
>>>> triggered during configuration time.
>>>>
>>>> The other option is to deactivate JPEG 2000 support from those
>>>> packages. imagemagick (accidentally) removed support for JPEG 2000
>>>> (#773530) and no one complained so far.
>>>
>>> Actually the issue is maybe a little more than just a security
>>> concern. See the bug report #825907.
>>
>> Is openjpeg not using versioned symbols?
>
> No (very very few packages are actually using this trick AFAIK).
>
>>> I'll leave it to debian-release to decide the severity of this bug.
>>> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API.
>>
>> You can do like it is being done for jasper: file bugs with severity:important
>> against all the rdeps, telling them we want to remove openjpeg from Stretch for
>> security reasons, and that the bugs will get bumped to RC in some time. Then we
>> can see how things evolve and what to do next.
>>
>> See
>>
>> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;users=jmm@debian.org
>> https://release.debian.org/transitions/html/jasper-rm.html
>> https://lists.debian.org/debian-release/2016/03/msg00006.html
>>
>> How does that sound?
>
> Sound good! Severity: important is not too annoying for packager, but
> clear enough. I'll do that ASAP.

Done:

https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=stretch2000&user=malat%40debian.org

Reply to:

Follow-Ups:
- Re: openjpeg / stretch
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

References:
- Re: openjpeg / stretch
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: openjpeg / stretch
  - From: Mathieu Malaterre <malat@debian.org>

Prev by Date: Re: Bug#825534: jessie-pu: package backuppc/3.3.0-2
Next by Date: Bug#826829: jessie-pu: package vorbis-tools/1.4.0-6+deb8u1
Previous by thread: Re: openjpeg / stretch
Next by thread: Re: openjpeg / stretch
Index(es):
- Date
- Thread