Bug#958250: Use system libjsonparser-dev
On Tuesday, 21 April 2020, 12:59:20 EEST, Jonas Smedegaard wrote:
> > > But anyway, is libjsonparser's upstream still active? No release
> > > since 2014 doesn't suggest that they are. If that is not the case
> > > and we end up with libjsonparser being maintained in Debian, this
> > > means that changing vlc to libjsonparser is not upstreamable. Due to
> > > the size and security history of vlc, I'd like to avoid that.
>
> A security bug in libjsonparser should be fixed for all consumers of
> that library, not only for VLC.
>
> If upstream project is dead, and VLC discovers and fixes a bug in the
> library, then that bugfix should be forwarded to the Debian package so
> that other consumers benefit from it as well.

As an upstream developer, I would counter that it is up to Debian, specifically, the maintainers of the affected package (not VLC) to take bug fixes if their upstream is dead.

> Only if VLC changes the API of libjsonparser, effectively forking it
> (and that fork is not packaged separately in Debian!) does it make sense
> to keep using an embedded code copy.

In general and overall, VLC has a pretty good track record of enabling Linux distros to use system library builds rather than embedded ones.

But to put things back into historical context, libjsonparser was added to Debian in 2018. VLC has depended on it since 2012 and it is quite a small library, so that's that.

With that said, in this particular case, VLC 4.0 is probably getting rid of libjsonparser entirely in favour of a different implementation, so the motivation for overhauling the build system around it is pretty much nonexistent from the VLC project side.

--
雷米‧德尼-库尔蒙
http://www.remlab.net/
Bug#958250: Use system libjsonparser-dev
Quoting Sebastian Ramacher (2020-04-21 09:23:57)
> Control: tags -1 + wontfix

> > But anyway, is libjsonparser's upstream still active? No release
> > since 2014 doesn't suggest that they are. If that is not the case
> > and we end up with libjsonparser being maintained in Debian, this
> > means that changing vlc to libjsonparser is not upstreamable. Due to
> > the size and security history of vlc, I'd like to avoid that.

A security bug in libjsonparser should be fixed for all consumers of that library, not only for VLC.

If upstream project is dead, and VLC discovers and fixes a bug in the library, then that bugfix should be forwarded to the Debian package so that other consumers benefit from it as well.

Only if VLC changes the API of libjsonparser, effectively forking it (and that fork is not packaged separately in Debian!) does it make sense to keep using an embedded code copy.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#958250: Use system libjsonparser-dev
Control: tags -1 + wontfix

On 2020-04-21 09:18:47 +0200, Sebastian Ramacher wrote:
> On 2020-04-21 12:49:09 +0800, Yangfl wrote:
> > Jonas Smedegaard wrote on Monday, 20 April 2020 at 7:29 PM:
> > >
> > > Quoting Sebastian Ramacher (2020-04-20 13:20:59)
> > > > On 2020-04-20 13:07:40 +0200, Jonas Smedegaard wrote:
> > > > > Quoting Sebastian Ramacher (2020-04-20 12:51:09)
> > > > > > On 2020-04-20 09:06:51, Yangfl wrote:
> > > > > > > As libjsonparser-dev is now available, please consider linking
> > > > > > > against system library instead of bundled json.c.
> > > > > >
> > > > > > The last release of libjsonparser was in 2014. In the meantime, vlc's
> > > > > > copy has seen some fixes (more so in the master branch than the
> > > > > > current version in Debian). Are there any plans upstream to release a
> > > > > > new version of libjsonparser? I don't think switching vlc to an older
> > > > > > libjsonparser makes sense.
> > > > >
> > > > > Seems you are asking the wrong place: Upstream developers of
> > > > > libjsonparser probably don't follow this bugreport.
> > > > >
> > > > > Probably helpful to go the other way: Inform libjsonparser upstream (or
> > > > > at least Debian maintainers of its package) about fixes existing
> > > > > downstream in VLC.
> > > >
> > > > Yangfl is the package maintainer of libjsonparser in Debian …
> > >
> > > Good point.
> > >
> > > Still, better to share issues with libjsonparser as a bugreport against
> > > libjsonparser rather than here.
> > >
> > > - Jonas
> > >
> > I reviewed json.c in vlc and it seems an outdated version (1.0.0)
> > rather than 1.1.0. Some problems (like 'Fix check for
> > json_relaxed_commas') already fixed in 1.1.0 in another way. Other
> > fixes
> > https://github.com/videolan/vlc/commits/master/modules/misc/webservices/json.c
> > are all minor but I will pick them into Debian package.
>
> Okay, thanks for the investigation.
>
> But anyway, is libjsonparser's upstream still active? No release since
> 2014 doesn't suggest that they are. If that is not the case and we end
> up with libjsonparser being maintained in Debian, this means that
> changing vlc to libjsonparser is not upstreamable. Due to the size and
> security history of vlc, I'd like to avoid that.

I think I just found the answer: https://github.com/udp/json-parser/issues/82, so that's a no.

Cheers
--
Sebastian Ramacher
Bug#958250: Use system libjsonparser-dev
On 2020-04-21 12:49:09 +0800, Yangfl wrote:
> Jonas Smedegaard wrote on Monday, 20 April 2020 at 7:29 PM:
> >
> > Quoting Sebastian Ramacher (2020-04-20 13:20:59)
> > > On 2020-04-20 13:07:40 +0200, Jonas Smedegaard wrote:
> > > > Quoting Sebastian Ramacher (2020-04-20 12:51:09)
> > > > > On 2020-04-20 09:06:51, Yangfl wrote:
> > > > > > As libjsonparser-dev is now available, please consider linking
> > > > > > against system library instead of bundled json.c.
> > > > >
> > > > > The last release of libjsonparser was in 2014. In the meantime, vlc's
> > > > > copy has seen some fixes (more so in the master branch than the
> > > > > current version in Debian). Are there any plans upstream to release a
> > > > > new version of libjsonparser? I don't think switching vlc to an older
> > > > > libjsonparser makes sense.
> > > >
> > > > Seems you are asking the wrong place: Upstream developers of
> > > > libjsonparser probably don't follow this bugreport.
> > > >
> > > > Probably helpful to go the other way: Inform libjsonparser upstream (or
> > > > at least Debian maintainers of its package) about fixes existing
> > > > downstream in VLC.
> > >
> > > Yangfl is the package maintainer of libjsonparser in Debian …
> >
> > Good point.
> >
> > Still, better to share issues with libjsonparser as a bugreport against
> > libjsonparser rather than here.
> >
> > - Jonas
> >
> I reviewed json.c in vlc and it seems an outdated version (1.0.0)
> rather than 1.1.0. Some problems (like 'Fix check for
> json_relaxed_commas') already fixed in 1.1.0 in another way. Other
> fixes
> https://github.com/videolan/vlc/commits/master/modules/misc/webservices/json.c
> are all minor but I will pick them into Debian package.

Okay, thanks for the investigation.

But anyway, is libjsonparser's upstream still active? No release since 2014 doesn't suggest that they are. If that is not the case and we end up with libjsonparser being maintained in Debian, this means that changing vlc to libjsonparser is not upstreamable. Due to the size and security history of vlc, I'd like to avoid that.

Cheers
--
Sebastian Ramacher
Bug#958250: Use system libjsonparser-dev
Jonas Smedegaard wrote on Monday, 20 April 2020 at 7:29 PM:
>
> Quoting Sebastian Ramacher (2020-04-20 13:20:59)
> > On 2020-04-20 13:07:40 +0200, Jonas Smedegaard wrote:
> > > Quoting Sebastian Ramacher (2020-04-20 12:51:09)
> > > > On 2020-04-20 09:06:51, Yangfl wrote:
> > > > > As libjsonparser-dev is now available, please consider linking
> > > > > against system library instead of bundled json.c.
> > > >
> > > > The last release of libjsonparser was in 2014. In the meantime, vlc's
> > > > copy has seen some fixes (more so in the master branch than the
> > > > current version in Debian). Are there any plans upstream to release a
> > > > new version of libjsonparser? I don't think switching vlc to an older
> > > > libjsonparser makes sense.
> > >
> > > Seems you are asking the wrong place: Upstream developers of
> > > libjsonparser probably don't follow this bugreport.
> > >
> > > Probably helpful to go the other way: Inform libjsonparser upstream (or
> > > at least Debian maintainers of its package) about fixes existing
> > > downstream in VLC.
> >
> > Yangfl is the package maintainer of libjsonparser in Debian …
>
> Good point.
>
> Still, better to share issues with libjsonparser as a bugreport against
> libjsonparser rather than here.
>
> - Jonas
>

I reviewed json.c in vlc and it seems an outdated version (1.0.0) rather than 1.1.0. Some problems (like 'Fix check for json_relaxed_commas') already fixed in 1.1.0 in another way. Other fixes https://github.com/videolan/vlc/commits/master/modules/misc/webservices/json.c are all minor but I will pick them into Debian package.
Bug#958250: Use system libjsonparser-dev
Quoting Sebastian Ramacher (2020-04-20 13:20:59)
> On 2020-04-20 13:07:40 +0200, Jonas Smedegaard wrote:
> > Quoting Sebastian Ramacher (2020-04-20 12:51:09)
> > > On 2020-04-20 09:06:51, Yangfl wrote:
> > > > As libjsonparser-dev is now available, please consider linking
> > > > against system library instead of bundled json.c.
> > >
> > > The last release of libjsonparser was in 2014. In the meantime, vlc's
> > > copy has seen some fixes (more so in the master branch than the
> > > current version in Debian). Are there any plans upstream to release a
> > > new version of libjsonparser? I don't think switching vlc to an older
> > > libjsonparser makes sense.
> >
> > Seems you are asking the wrong place: Upstream developers of
> > libjsonparser probably don't follow this bugreport.
> >
> > Probably helpful to go the other way: Inform libjsonparser upstream (or
> > at least Debian maintainers of its package) about fixes existing
> > downstream in VLC.
>
> Yangfl is the package maintainer of libjsonparser in Debian …

Good point.

Still, better to share issues with libjsonparser as a bugreport against libjsonparser rather than here.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#958250: Use system libjsonparser-dev
On 2020-04-20 13:07:40 +0200, Jonas Smedegaard wrote:
> Quoting Sebastian Ramacher (2020-04-20 12:51:09)
> > On 2020-04-20 09:06:51, Yangfl wrote:
> > > As libjsonparser-dev is now available, please consider linking
> > > against system library instead of bundled json.c.
> >
> > The last release of libjsonparser was in 2014. In the meantime, vlc's
> > copy has seen some fixes (more so in the master branch than the
> > current version in Debian). Are there any plans upstream to release a
> > new version of libjsonparser? I don't think switching vlc to an older
> > libjsonparser makes sense.
>
> Seems you are asking the wrong place: Upstream developers of
> libjsonparser probably don't follow this bugreport.
>
> Probably helpful to go the other way: Inform libjsonparser upstream (or
> at least Debian maintainers of its package) about fixes existing
> downstream in VLC.

Yangfl is the package maintainer of libjsonparser in Debian …

Cheers
--
Sebastian Ramacher
Bug#958250: Use system libjsonparser-dev
Quoting Sebastian Ramacher (2020-04-20 12:51:09)
> On 2020-04-20 09:06:51, Yangfl wrote:
> > As libjsonparser-dev is now available, please consider linking
> > against system library instead of bundled json.c.
>
> The last release of libjsonparser was in 2014. In the meantime, vlc's
> copy has seen some fixes (more so in the master branch than the
> current version in Debian). Are there any plans upstream to release a
> new version of libjsonparser? I don't think switching vlc to an older
> libjsonparser makes sense.

Seems you are asking the wrong place: Upstream developers of libjsonparser probably don't follow this bugreport.

Probably helpful to go the other way: Inform libjsonparser upstream (or at least Debian maintainers of its package) about fixes existing downstream in VLC.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#958250: Use system libjsonparser-dev
Control: tags -1 moreinfo

On 2020-04-20 09:06:51, Yangfl wrote:
> Source: vlc
> Severity: wishlist
>
> Hi,
>
> As libjsonparser-dev is now available, please consider linking against
> system library instead of bundled json.c.

The last release of libjsonparser was in 2014. In the meantime, vlc's copy has seen some fixes (more so in the master branch than the current version in Debian). Are there any plans upstream to release a new version of libjsonparser? I don't think switching vlc to an older libjsonparser makes sense.

Cheers
--
Sebastian Ramacher
Bug#958250: Use system libjsonparser-dev
Source: vlc
Severity: wishlist

Hi,

As libjsonparser-dev is now available, please consider linking against system library instead of bundled json.c.