On Thu, Jun 2, 2016 at 9:03 AM, Mathieu Malaterre <[email protected]> wrote: > On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort <[email protected]> > wrote: >> On 31/05/16 12:00, Mathieu Malaterre wrote: >>> [adding debian-release] >>> >>> Hi, >>> >>> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <[email protected]> >>> wrote: >>>> Hi, >>>> >>>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <[email protected]> >>>> wrote: >>>>> Hi, >>>>> in jessie we have the unfortunate situation of having two copies of >>>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get >>>>> rid of openjpeg for stretch? We accept two source packages for transition >>>>> purposes, but these need to be sorted out by the subsequent release. >>>> >>>> That does not seems doable [*]. openjpeg 1.x and openjpeg 2.x have >>>> different API, and it requires a significant effort to move from one >>>> API to the other. Without upstream help from each packages, this >>>> cannot possibly be done (at least by me). >>>> >>>> If someone wants to volunteer, some projects have successfully moved >>>> from openjpeg 1.x to openjpeg 2.x (from the top of my head: >>>> mupdf/gdal/leptonlib) so some projects may have code so that they >>>> compile against either openjpeg 1.x or openjpeg 2.x using #idef >>>> triggered during configuration time. >>>> >>>> The other option is to deactivate JPEG 2000 support from those >>>> packages. imagemagick (accidentally) removed support for JPEG 2000 >>>> (#773530) and no one complained so far. >>> >>> Actually the issue is maybe a little more than just a security >>> concern. See the bug report #825907. >> >> Is openjpeg not using versioned symbols? > > No (very very few packages are actually using this trick AFAIK). > >>> I'll leave it to debian-release to decide the severity of this bug. >>> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API. >> >> You can do like it is being done for jasper: file bugs with >> severity:important >> against all the rdeps, telling them we want to remove openjpeg from Stretch >> for >> security reasons, and that the bugs will get bumped to RC in some time. Then >> we >> can see how things evolve and what to do next. >> >> See >> >> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;[email protected] >> https://release.debian.org/transitions/html/jasper-rm.html >> https://lists.debian.org/debian-release/2016/03/msg00006.html >> >> How does that sound? > > Sound good! Severity: important is not too annoying for packager, but > clear enough. I'll do that ASAP.
Done: https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=stretch2000&user=malat%40debian.org
