On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort <[email protected]> wrote: > On 31/05/16 12:00, Mathieu Malaterre wrote: >> [adding debian-release] >> >> Hi, >> >> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <[email protected]> wrote: >>> Hi, >>> >>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <[email protected]> >>> wrote: >>>> Hi, >>>> in jessie we have the unfortunate situation of having two copies of >>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get >>>> rid of openjpeg for stretch? We accept two source packages for transition >>>> purposes, but these need to be sorted out by the subsequent release. >>> >>> That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have >>> different API, and it requires a significant effort to move from one >>> API to the other. Without upstream help from each packages, this >>> cannot possibly be done (at least by me). >>> >>> If someone wants to volunteer, some projects have successfully moved >>> from openjpeg 1.x to openjpeg 2.x (from the top of my head: >>> mupdf/gdal/leptonlib) so some projects may have code so that they >>> compile against either openjpeg 1.x or openjpeg 2.x using #idef >>> triggered during configuration time. >>> >>> The other option is to deactivate JPEG 2000 support from those >>> packages. imagemagick (accidentally) removed support for JPEG 2000 >>> (#773530) and no one complained so far. >> >> Actually the issue is maybe a little more than just a security >> concern. See the bug report #825907. > > Is openjpeg not using versioned symbols?
No (very very few packages are actually using this trick AFAIK). >> I'll leave it to debian-release to decide the severity of this bug. >> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API. > > You can do like it is being done for jasper: file bugs with severity:important > against all the rdeps, telling them we want to remove openjpeg from Stretch > for > security reasons, and that the bugs will get bumped to RC in some time. Then > we > can see how things evolve and what to do next. > > See > > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;[email protected] > https://release.debian.org/transitions/html/jasper-rm.html > https://lists.debian.org/debian-release/2016/03/msg00006.html > > How does that sound? Sound good! Severity: important is not too annoying for packager, but clear enough. I'll do that ASAP. Thanks -M
