To be clear, I share doko's feeling against having two versions of the
library in main if it can be avoided -- this is certainly not a
permanent situation, but most things don't appear to have switched to
pcre2 just yet (and I would expect they would in the near-ish term). In
that sense, I'd be more in favor of not upgrading vte/gnome-terminal for
the time being.

To make it simpler: how do we value the benefits of a new pcre2 in main
(meaning possibly some new features of gnome-terminal and vte) against
the (probably small, but still) maintenance burden of having two PCRE
libraries in main or the need to hold gnome-terminal and vte back for
this cycle?

To me, wearing the MIR team hat, the benefits don't outweigh the
increased maintenance work (i.e. you can do nothing to vte and
gnome-terminal, and we're good), especially when you consider that pcre
is the kind of thing that does tend to have CVEs every once in a while[1].

On the other hand, new features are shiny, but they look to me like they
might be cherry-pickable. I'm open to being convinced, and the security
team probably should have a say in it too (hence my suggestion of
bringing it up on the mailing list).

[1] http://www.cvedetails.com/product/5715/Pcre-Pcre.html?vendor_id=3265

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-terminal in Ubuntu.
https://bugs.launchpad.net/bugs/1636666

Title:
  [MIR] pcre2

Status in gnome-terminal package in Ubuntu:
  Confirmed
Status in pcre2 package in Ubuntu:
  Incomplete
Status in vte2.91 package in Ubuntu:
  Confirmed

Bug description:
  Availability
  ============
  Synced with Debian. Built for all supported architectures.

  Rationale
  =========
  Required by gnome-terminal 3.22+ and vte2.91 0.46+

  Security
  ========
  At least one open security issue, affecting Ubuntu 16.04 LTS
  https://people.canonical.com/~ubuntu-security/cve/pkg/pcre2.html
  https://security-tracker.debian.org/tracker/source-package/pcre2
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre

  Quality assurance
  =================
  - Please subscribe Ubuntu Desktop Bugs or Ubuntu Foundation Bugs (like pcre3)
    to this package.
  https://bugs.launchpad.net/ubuntu/+source/pcre2
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=pcre2

  Upstream tests are run during the build but there is no autopkgtest

  Does not have 3.0 (quilt) set

  Dependencies
  ============
  Only build-dependencies are dpkg and debhelper. No other added dependencies.

  Standards compliance
  ====================
  3.9.6

  Maintenance
  ===========
  - Actively developed upstream
  http://pcre.org/

  Background information
  ======================
  As the package description states, the older version of this library is
  confusingly named pcre3 in Debian/Ubuntu. pcre3 is already in Ubuntu main.

  Other Info
  ==========
  In the original release of pcre2 in Jan 2015, the author says this is not
  just a drastic update to the original pcre but a "new project". He felt
  free to change names and options.
  https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html

  pcre3 has gotten some bugfix releases since then (from 8.36 to 8.40
  released Jan 2017)

  Some discussion of how it's different:
  http://www.regular-expressions.info/pcre2.html


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
