On 09/06/16 10:37, Mathieu Malaterre wrote:
> On Thu, Jun 2, 2016 at 9:03 AM, Mathieu Malaterre <[email protected]> wrote:
>> On Wed, Jun 1, 2016 at 7:10 PM, Emilio Pozuelo Monfort <[email protected]> wrote:
>>> On 31/05/16 12:00, Mathieu Malaterre wrote:
>>>> [adding debian-release]
>>>>
>>>> Hi,
>>>>
>>>> On Thu, May 12, 2016 at 12:48 PM, Mathieu Malaterre <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> On Thu, May 12, 2016 at 12:16 PM, Moritz Muehlenhoff <[email protected]> wrote:
>>>>>> Hi,
>>>>>> in jessie we have the unfortunate situation of having two copies of
>>>>>> openjpeg in the archive src:openjpeg and src:openjpeg2. Can you get
>>>>>> rid of openjpeg for stretch? We accept two source packages for transition
>>>>>> purposes, but these need to be sorted out by the subsequent release.
>>>>>
>>>>> That does not seem doable [*]. openjpeg 1.x and openjpeg 2.x have
>>>>> different APIs, and it requires a significant effort to move from one
>>>>> API to the other. Without upstream help from each package, this
>>>>> cannot possibly be done (at least by me).
>>>>>
>>>>> If someone wants to volunteer, some projects have successfully moved
>>>>> from openjpeg 1.x to openjpeg 2.x (from the top of my head:
>>>>> mupdf/gdal/leptonlib) so some projects may have code so that they
>>>>> compile against either openjpeg 1.x or openjpeg 2.x using #ifdef
>>>>> triggered during configuration time.
>>>>>
>>>>> The other option is to deactivate JPEG 2000 support from those
>>>>> packages. imagemagick (accidentally) removed support for JPEG 2000
>>>>> (#773530) and no one complained so far.
>>>>
>>>> Actually the issue is maybe a little more than just a security
>>>> concern. See the bug report #825907.
>>>
>>> Is openjpeg not using versioned symbols?
>>
>> No (very very few packages are actually using this trick AFAIK).
>>
>>>> I'll leave it to debian-release to decide the severity of this bug.
>>>> Meanwhile I'll track package(s) still using OpenJPEG 1.5.x API.
>>>
>>> You can do like it is being done for jasper: file bugs with
>>> severity:important against all the rdeps, telling them we want to
>>> remove openjpeg from Stretch for security reasons, and that the bugs
>>> will get bumped to RC in some time. Then we can see how things evolve
>>> and what to do next.
>>>
>>> See
>>>
>>> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=jasper-rm;[email protected]
>>> https://release.debian.org/transitions/html/jasper-rm.html
>>> https://lists.debian.org/debian-release/2016/03/msg00006.html
>>>
>>> How does that sound?
>>
>> Sounds good! Severity: important is not too annoying for packagers, but
>> clear enough. I'll do that ASAP.
>
> Done:
>
> https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=stretch2000&user=malat%40debian.org

Thanks. I have created https://release.debian.org/transitions/html/openjpeg-rm.html

Emilio

