We are using https://launchpad.net/bugs/1792544 currently to track
Ubuntu main packages using pcre3.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage
Override component to main
pcre2 10.32-3ubuntu1 in disco: universe/misc -> main
libpcre2-16-0 10.32-3ubuntu1 in disco amd64: universe/libs/optional/100% -> main
libpcre2-16-0 10.32-3ubuntu1 in disco arm64: universe/libs/optional/100% -> main
libpcre2-16-0 10.32-3ubuntu1 in disco armhf:
FTR I'm planning to switch selinux in debian to pcre2 after buster
release
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
I have disabled SUPPORT_PCRE2GREP_CALLOUT in
https://launchpad.net/ubuntu/+source/pcre2/10.32-3ubuntu1
The build log now reads:
Enable callouts in pcre2grep ... : no
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I reviewed pcre2 version 10.32-3 as checked into disco. This shouldn't
be considered a full security audit, but rather a quick gauge of
maintainability.
- pcre2 is a regular expression library
- There are 25 CVEs for pcre2 in our database -- though this may be an
over-count or under-count, as
Moved wget to correct list: wget is built with pcre2 now in Debian, I
reverted to pcre3, but it would be good to not keep that delta.
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by
Actually qtbase-opensource-src is now in universe (and uses system
pcre2), so I have removed it from the list.
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by vte2.91 0.46+ and
"it has always been up to the package maintainer to look at embedded
dependencies and provide system versions if desired"
The *Ubuntu* package maintainer should not do this for officially
supported packages without prior approval because it affects the
maintenance cost of the package (detailed in
(FWIW, Qt5 was embedding pcre1 before they switched to embedding pcre2,
so I don’t see anything specifically uncool about that move: it has
always been up to the package maintainer to look at embedded
dependencies and provide system versions if desired.)
--
You received this bug notification
Assigning ubuntu-security to perform an audit of pcre2.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
With php7.3's new dependence on pcre2, it is infeasible to back out the
pcre2 patches in php in favor of pcre3 like we do for gnome-terminal. It
is also a shame that packages like libqt5core5a are embedding it (that
was a very uncool move btw); we still end up supporting it after all. At
this
@andersk: you are totally correct, I apologize!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
@andersk: you are totally correct, I apologize!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
@Nish: Remember, that’s neither “revert” nor “back”. pcre3 is misnamed,
it’s the old library; pcre2 is the new one. This MIR is for pcre2.
What I’m saying is, as long as this MIR is rejected, the new dependency
of php7.3 on pcre2 will keep it out of main.
--
You received this bug notification
@andersk: 7.3.0~beta2-2 of php7.3 dropped pcre3 as a dependency and
reverted back to pcre2.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about
Apparently journalctl --grep requires pcre2 too (bug 1751006).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
And is this going to mean keeping php7.3 out of main?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
There’s still a bundled copy of PCRE2 in libqt5core5a. Build log:
https://launchpadlibrarian.net/385332013/buildlog_ubuntu-cosmic-amd64
.qtbase-opensource-src_5.11.1+dfsg-7ubuntu1_BUILDING.txt.gz
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed
It is clear that we cannot drop pcre3 any time soon due to the number of
supported packages that only support it and not pcre2. pcre3 has a
*significant* CVE history (52 since 2005 with the latest in 2017 -
granted many of those were the result of fuzzing, but the nature of pcre
means it will
The requested analysis, relevant or not, has now been provided on bug
1792544.
** Changed in: pcre2 (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
no, this would be backwards. The goal should be the demotion of pcre3.
These are the reverse depends of pcre3 in main:
aide
apache2
apr-util
clamav
exim4
freeradius
git
glib2.0
grep
haproxy
libpam-mount
libselinux
nginx
nmap
php7.2
postfix
python-pyscss
quagga
rasqal
slang2
sssd
wget
zsh
What we
Sorry, I wasn't entirely clear what information you're asking for.
So a simple reverse-depends -r sid -b src:pcre2 (or leave out the -b)
shows that Debian's clamav, get, php7.3, qtbase-opensource-src, and
vte2.91 packages are using pcre2 now.
I don't like pcre's packaging workflow in Debian with
> It is completely impractical to require that all of main switch to pcre2
> before any of main is allowed to switch. main will need to use the old
> pcre, probably for years to come. This should not be a blocker in this
> case.
that is not what was asked for. The required information was a way
vte2.91 and gnome-terminal dropped support for the old pcre 2 years ago.
So that we wouldn't be stuck on old versions of these essential desktop
components indefinitely, I hacked vte2.91 and gnome-terminal to keep the
old code.
The developers of at least tilix, gnome-builder, and xfce4-terminal
#21 and #25 are still valid. No work estimates yet.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
Speaking for the security team, it seems there is no consensus on if
pcre2 should be in main and therefore require a security review. I tend
to agree with foundations that we should not support pcre and pcre2 if
we can avoid it, however packages that are in main that simply bundle it
is not
** Changed in: pcre2 (Ubuntu)
Milestone: ubuntu-17.08 => None
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
afaics, the comments in #21 are still valid. There is no analysis yet
what needs converting to this new version.
** Changed in: pcre2 (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: pcre2 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
Let's get the security team's opinion on maintaining this for its
security aspect. I will leave it to Steve to weigh in on Foundations
maintaining the package, since the Foundations team currently maintains
pcre3.
** Changed in: pcre2 (Ubuntu)
Assignee: Mathieu Trudel-Lapierre (cyphermox) =>
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by vte2.91 0.46+ and gnome-terminal 3.22+.
The Ubuntu Desktop team has postponed the need for this transition by
reverting the vte and
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by vte2.91 0.46+ and gnome-terminal 3.22+.
The Ubuntu Desktop team has postponed the need for this transition by
reverting the vte and
** Changed in: pcre2 (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
> • In fact, Qt in Ubuntu 17.10 main is _already using_ (a bundled copy
of) PCRE2! Go look at the build log.
We just merged a Qt upload from Debian where it was unbundled, and now
qtbase is uninstallable because pcre2 is in universe.
Of course we can switch back to the bundled version, but I
> I did some quick searches to assess the state of upstream PCRE2
> support in the packages listed on Jeremy’s tracker.
thanks for pointing that out. I didn't check myself, but how many of
these packages are already using pcre2 in Debian?
> So it seems unlikely that sticking our head in the sand
I did some quick searches to assess the state of upstream PCRE2 support
in the packages listed on Jeremy’s tracker. It’s better than I thought:
• ClamAV, Git, HAProxy, SELinux, PHP, Qt, and VTE upstream all support PCRE2.
• PHP, Qt, and VTE upstream all _require_ PCRE2 now.
• In fact, Qt in
If you do work on that, the hidden Vcs is browseable at
https://browse.dgit.debian.org/pcre2.git/
so convert the git commits to regular patches.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
> There is one other issue: Debian's pcre2 isn't really using what I
consider "best practice" packaging [specifically, it does not use source
format 3.0 (quilt) ] which makes doing security updates more of a pain
That's tracked at https://bugs.debian.org/862425 (thanks for filing
it!). I can look
Jonathan, thanks for your input.
I did set up trackers. Except for 'git', I don't think we've made much
progress on converting packages at all.
https://people.canonical.com/~ubuntu-archive/transitions/html/pcre2.html
https://people.canonical.com/~ubuntu-archive/transitions/html/pcre2-main.html
> To mirror what doko mentioned earlier, what is needed to demote pcre3?
Can we start (even a long running) transition? (So there should be a
tracker setup for that).
Sounds good to me. What's the process for making that happen?
Keep in mind that since pcre2 is a new API and ABI, packages will
** Attachment added: "pcre3 symbols"
https://bugs.launchpad.net/ubuntu/+source/pcre2/+bug/163/+attachment/5001389/+files/libpcre.so.3.dynsym
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
On the subject of the relationship between pcre3 (the older one) and
pcre2 (the newer one):
$ eu-readelf -s.dynsym /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 |grep -v UNDEF
>/tmp/libpcre2-8.so.0.dynsym
$ eu-readelf -s.dynsym /lib/x86_64-linux-gnu/libpcre.so.3 |grep -v UNDEF
What is the rationale for not wanting to have both packages in Ubuntu?
As stated, despite the name it is not considered an update but a
separate project.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Seems like this is coming up again now by way of git.
** Changed in: pcre2 (Ubuntu)
Milestone: ubuntu-17.06 => ubuntu-17.08
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR]
Updating milestone to denote I'm still tracking this.
** Changed in: pcre2 (Ubuntu)
Milestone: ubuntu-17.05 => ubuntu-17.06
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR]
** No longer affects: vte2.91 (Ubuntu)
** No longer affects: gnome-terminal (Ubuntu)
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by gnome-terminal 3.22+ and vte2.91 0.46+
Security
"Other distros do it" isn't sufficient rationale, by itself, to support
putting pcre2 in main. We already ship it, the question is whether it
should be in main, meaning whether Canonical will be responsible for
support, providing security updates, etc.
To mirror what doko mentioned earlier, what
It seems likely that Ubuntu will have to support/ship both PCRE and
PCRE2 before long. At least some other distros (Fedora, Gentoo, Debian)
appear to be doing that already.
As mentioned above, for packaging purposes PCRE2 is effectively a new
project, *not* a new version of the previous PCRE. The
** Changed in: pcre2 (Ubuntu)
Milestone: ubuntu-17.03 => ubuntu-17.05
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
To be clear, I share doko's feeling against having two versions of the
library in main if it can be avoided -- this is certainly not a
permanent situation, but most things don't appear to have switched to
pcre2 just yet (and I would expect they would in the near-ish term). In
that sense, I'd be
I understand the concerns, and I share them, but I don't think we should
alone make the decision. Perhaps bring this up for wider discussion on
the ubuntu-devel mailing list?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I added an Other Info section.
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by gnome-terminal 3.22+ and vte2.91 0.46+
Security
At least one open security issue, affecting
For zesty, I have proposed reverting the mandatory pcre2 changes so that
we can do the vte/gnome-terminal update. See bug 1666264
Like I wrote there, I am concerned about how long these reverts can be
maintained with new versions.
--
You received this bug notification because you are a member
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: gnome-terminal (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: vte2.91 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
** Changed in: pcre2 (Ubuntu)
Milestone: None => ubuntu-17.03
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications about this bug go to:
If y'all are indeed going to block on there not being allowed to have 2
pcre's in main, then I guess we'll either have to figure out how to hack
vte2.91 and gnome-terminal to either not use pcre2 or instead use the
older pcre3. Or we'll just keep using the current gnome-terminal/vte.
$
> pcre3 is already in Ubuntu main
we don't want to have two versions in main. please could you evaluate
first what is needed to demote pcre3?
** Changed in: pcre2 (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Changed in: pcre2 (Ubuntu)
Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/163
Title:
[MIR] pcre2
To manage notifications
** Description changed:
Availability
Synced with Debian. Built for all supported architectures.
Rationale
=
Required by gnome-terminal 3.22+ and vte2.91 0.46+
Security
At least one open security issue, affecting Ubuntu 16.04 LTS
60 matches
Mail list logo
