
Re: openjpeg / stretch



On 09/06/16 10:37, Mathieu Malaterre wrote:
> On Thu, Jun 2, 2016 at 9:03 AM, Mathieu Malaterre <malat@debian.org> wrote:
>> On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort <pochu@debian.org> wrote:
>>> On 31/05/16 12:00, Mathieu Malaterre wrote:
>>>> [adding debian-release]
>>>>
>>>> Hi,
>>>>
>>>> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <malat@debian.org> wrote:
>>>>> Hi,
>>>>>
>>>>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
>>>>>> Hi,
>>>>>> in jessie we have the unfortunate situation of having two copies of
>>>>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get
>>>>>> rid of openjpeg for stretch? We accept two source packages for transition
>>>>>> purposes, but these need to be sorted out by the subsequent release.
>>>>>
>>>>> That does not seem doable [*]. openjpeg 1.x and openjpeg 2.x have
>>>>> different APIs, and it requires a significant effort to move from one
>>>>> API to the other. Without upstream help from each package, this
>>>>> cannot possibly be done (at least by me).
>>>>>
>>>>> If someone wants to volunteer, some projects have successfully moved
>>>>> from openjpeg 1.x to openjpeg 2.x (off the top of my head:
>>>>> mupdf/gdal/leptonlib) so some projects may have code so that they
>>>>> compile against either openjpeg 1.x or openjpeg 2.x using #ifdef
>>>>> triggered during configuration time.
>>>>>
>>>>> The other option is to deactivate JPEG 2000 support from those
>>>>> packages. imagemagick (accidentally) removed support for JPEG 2000
>>>>> (#773530) and no one complained so far.
>>>>
>>>> Actually the issue is maybe a little more than just a security
>>>> concern. See the bug report #825907.
>>>
>>> Is openjpeg not using versioned symbols?
>>
>> No (very very few packages are actually using this trick AFAIK).
>>
>>>> I'll leave it to debian-release to decide the severity of this bug.
>>>> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API.
>>>
>>> You can do like it is being done for jasper: file bugs with severity:important
>>> against all the rdeps, telling them we want to remove openjpeg from Stretch for
>>> security reasons, and that the bugs will get bumped to RC in some time. Then we
>>> can see how things evolve and what to do next.
>>>
>>> See
>>>
>>> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;users=jmm@debian.org
>>> https://release.debian.org/transitions/html/jasper-rm.html
>>> https://lists.debian.org/debian-release/2016/03/msg00006.html
>>>
>>> How does that sound?
>>
>> Sounds good! Severity: important is not too annoying for packagers, but
>> clear enough. I'll do that ASAP.
> 
> Done:
> 
> https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=stretch2000&user=malat%40debian.org

Thanks. I have created

https://release.debian.org/transitions/html/openjpeg-rm.html

Emilio

