Re: Proposed MBF - removal of pcre3 by Bookworm
Alastair McKinstry writes: >> On Thu, Jun 29, 2023 at 08:55:11PM +0100, Matthew Vernon wrote: >>> Bookworm is now out; I will shortly be increasing the severity of >>> the outstanding bugs to RC, with the intention being to remove >>> src:pcre3 from Debian before the trixie release. [snip] > There's significant work creating and testing patches for this > transition. Marking removal is too much. PCRE upstream have been wanting to be shot of old-pcre for a very long time now (pcre2 has been available since 2015, and was first in Debian stretch), and it's been essentially unsupported for a number of years now; I had originally hoped we could ditch it from bookworm. I thought the beginning of a release cycle was the natural time to bump to RC severity to try and make sure we can remove pcre3 in good time for trixie. Regards, Matthew -- "At least you know where you are with Microsoft." "True. I just wish I'd brought a paddle." http://www.debian.org
Re: Proposed MBF - removal of pcre3 by Bookworm
On Jul 02, Peter Pentchev wrote: > On the other hand, the bugs have been open for an year and a half now... For something which has worked just fine for many years. -- ciao, Marco signature.asc Description: PGP signature
Re: Proposed MBF - removal of pcre3 by Bookworm
On Sun, Jul 02, 2023 at 10:14:58AM +0100, Alastair McKinstry wrote: > > On 01/07/2023 14:44, Michael Stone wrote: > > On Thu, Jun 29, 2023 at 08:55:11PM +0100, Matthew Vernon wrote: > > > Bookworm is now out; I will shortly be increasing the severity of > > > the outstanding bugs to RC, with the intention being to remove > > > src:pcre3 from Debian before the trixie release. > > > > You don't think that marking packages for removal two weeks after the > > bug is filed is a little much? > > There's significant work creating and testing patches for this transition. > Marking removal is too much. On the other hand, the bugs have been open for an year and a half now... G'luck, Peter -- Peter Pentchev r...@ringlet.net r...@debian.org p...@storpool.com PGP key:http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 signature.asc Description: PGP signature
Re: Proposed MBF - removal of pcre3 by Bookworm
On 01/07/2023 14:44, Michael Stone wrote: On Thu, Jun 29, 2023 at 08:55:11PM +0100, Matthew Vernon wrote: Bookworm is now out; I will shortly be increasing the severity of the outstanding bugs to RC, with the intention being to remove src:pcre3 from Debian before the trixie release. You don't think that marking packages for removal two weeks after the bug is filed is a little much? There's significant work creating and testing patches for this transition. Marking removal is too much. -- Alastair McKinstry, GPG: 82383CE9165B347C787081A2CBE6BB4E5D9AD3A5 ph: +353 87 6847928 e: alast...@sceal.ie, im: @sceal.ie:mckinstry
Re: Proposed MBF - removal of pcre3 by Bookworm
Hi Matthew On Thu, 29 Jun 2023 at 20:18, Matthew Vernon wrote: > Bookworm is now out; I will shortly be increasing the severity of the > outstanding bugs to RC, with the intention being to remove src:pcre3 > from Debian before the trixie release. Thanks for driving this forward! There's a transition tracker [1] which might be helpful. Regards Graham [1] https://release.debian.org/transitions/html/pcre3-to-pcre2.html
Re: Proposed MBF - removal of pcre3 by Bookworm
On Sat, Jul 01, 2023 at 09:44:27AM -0400, Michael Stone wrote: On Thu, Jun 29, 2023 at 08:55:11PM +0100, Matthew Vernon wrote: Bookworm is now out; I will shortly be increasing the severity of the outstanding bugs to RC, with the intention being to remove src:pcre3 from Debian before the trixie release. You don't think that marking packages for removal two weeks after the bug is filed is a little much? Apologies, the original bug report apparently slipped under the radar.
Re: Proposed MBF - removal of pcre3 by Bookworm
On Thu, Jun 29, 2023 at 08:55:11PM +0100, Matthew Vernon wrote: Bookworm is now out; I will shortly be increasing the severity of the outstanding bugs to RC, with the intention being to remove src:pcre3 from Debian before the trixie release. You don't think that marking packages for removal two weeks after the bug is filed is a little much?
Re: Proposed MBF - removal of pcre3 by Bookworm
On Thursday, June 29, 2023 3:55:11 PM EDT Matthew Vernon wrote: > Hi, > > On 13/11/2021 11:41, Matthew Vernon wrote: > > TL;DR> pcre3 is obsolete and upstream don't want to fix it any more. I > > propose a MBF to track our progress in getting rid of it for Bookworm > > Bookworm is now out; I will shortly be increasing the severity of the > outstanding bugs to RC, with the intention being to remove src:pcre3 > from Debian before the trixie release. > > While upstream never did produce a porting guide, though there was some > useful discussion of some of the issues on the relevant issue report[0]; > additionally, the glib gregex change set to make the change is quite > comprehensive[1]. > > Regards, > > Matthew > [0] https://github.com/PCRE2Project/pcre2/issues/51 > [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2529 Here's the postfix change, for another example: https://github.com/vdukhovni/postfix/commit/ 3b0ac407f313135ffd74e248ad88abd2ad6dfe09 Scott K signature.asc Description: This is a digitally signed message part.
Re: Proposed MBF - removal of pcre3 by Bookworm
On 2023-06-29 20:55 +0100, Matthew Vernon wrote: > On 13/11/2021 11:41, Matthew Vernon wrote: > >> TL;DR> pcre3 is obsolete and upstream don't want to fix it any >> more. I propose a MBF to track our progress in getting rid of it for >> Bookworm > > Bookworm is now out; I will shortly be increasing the severity of the > outstanding bugs to RC, with the intention being to remove src:pcre3 > from Debian before the trixie release. Please add the sid and trixie tags to these bugs so that people who care about Debian (old)stable can concentrate on the bugs which actually matter for these distributions. Thanks, Sven
Re: Proposed MBF - removal of pcre3 by Bookworm
Hi, On 13/11/2021 11:41, Matthew Vernon wrote: TL;DR> pcre3 is obsolete and upstream don't want to fix it any more. I propose a MBF to track our progress in getting rid of it for Bookworm Bookworm is now out; I will shortly be increasing the severity of the outstanding bugs to RC, with the intention being to remove src:pcre3 from Debian before the trixie release. While upstream never did produce a porting guide, though there was some useful discussion of some of the issues on the relevant issue report[0]; additionally, the glib gregex change set to make the change is quite comprehensive[1]. Regards, Matthew [0] https://github.com/PCRE2Project/pcre2/issues/51 [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2529
Re: Proposed MBF - removal of pcre3 by Bookworm
Matthew Vernon writes: > User: matthew-pcre...@lists.debian.org Sigh, always one typo gets through. That should be: User: matthew-pcre...@debian.org Regards, Matthew -- "At least you know where you are with Microsoft." "True. I just wish I'd brought a paddle." http://www.debian.org
Proposed MBF - removal of pcre3 by Bookworm
Hi, TL;DR> pcre3 is obsolete and upstream don't want to fix it any more. I propose a MBF to track our progress in getting rid of it for Bookworm PCRE is the perl-compatible regular expression library, https://pcre.org/ For historical reasons, the old PCRE library ended up as libpcre3 in Debian. I'm going to call it pcre3 hereafter. In 2015, PCRE upstream brought out pcre2, re-architectured to be be more secure and easier to maintain (it's been in Debian since stretch). Many large (and small) projects have successfully migrated to pcre2. PCRE upstream have been increasingly reluctant to fix bugs in pcre3, and have said that they intent to make no further releases of it. So I think it's high time we got it out of Debian, particularly given it's often used to handle untrusted input. I propose, therefore, a MBF against the remaining 218 packages in Debian that Build-Depend upon pcre3 (except where that's an alternative to pcre2). I suggest important for now, but with a view to hopefully making this RC for bookworm. I'm aware that some upstreams are looking at the pcre2 migration (e.g. glib2); hopefully we can encourage them to get that work done sooner rather than later :) I constructed the package list by taking Sources.gz from unstable and processing it thus: grep-dctrl -F Build-Depends pcre3 --and --not -F Build-Depends pcre2 Sources | dd-list --stdin --sources Sources --dctrl ---begin MBF template--- Subject: x: depends on obsolete PCRE3 library Source: x Version: x Severity: important User: matthew-pcre...@lists.debian.org Usertags: obsolete-pcre3 Dear maintainer, Your package still depends on the old, obsolete PCRE3[0] libraries (i.e. libpcre3-dev). This has been end of life for a while now, and upstream do not intend to fix any further bugs in it. Accordingly, I would like to remove the pcre3 libraries from Debian, preferably in time for the release of Bookworm. The newer PCRE2 library was first released in 2015, and has been in Debian since stretch. Upstream's documentation for PCRE2 is available here: https://pcre.org/current/doc/html/ Many large projects that use PCRE have made the switch now (e.g. git, php); it does involve some work, but we are now at the stage where PCRE3 should not be used, particularly if it might ever be exposed to untrusted input. This mass bug filing was discussed on debian-devel@ in [url] Regards, Matthew [0] Historical reasons mean that old PCRE is packaged as pcre3 in Debian ---end MBF template--- Regards, Matthew Adam Saponara mle Aide Maintainers aide Alan Boudreault mapcache (U) Alastair McKinstry coda (U) slang2 Alberto Gonzalez Iniesta mboxgrep modsecurity modsecurity-apache Alejandro Garrido Mota cclive Alexander GQ Gerasiov xneur Alexandre Viau ring (U) Andreas B. Mundt atftp (U) Andreas Metzler exim4 (U) Andreas Romeyke checkit-tiff (U) Andreas Tille libgoby-java (U) pftools (U) phast (U) plast (U) virtuoso-opensource (U) Andrew Caudwell gource logstalgia Andrew Pollock snort (U) Android Tools Maintainers android-platform-external-libselinux android-platform-tools Andy Li haxe neko Anibal Monsalve Salazar grep Ansgar Burchardt cclive (U) Anthony Prades cyrus-imapd (U) Antonio Radici cfengine3 Anuradha Weeraman watchman Apollon Oikonomopoulos ganeti (U) Arno Töll apache2 (U) Aron Xu trafficserver (U) Artur R. Czechowski lwatch rrdcollect Arturo Borrero Gonzalez suricata (U) Axel Beckert ccze mp4h xymon (U) zsh (U) Balint Reczey wireshark Barak A. Pearlmutter ettercap (U) terminus Bas Couwenberg gdal (U) librttopo (U) mapcache (U) postgis (U) Bastian Germann gambas3 (U) Benjamin Schlüter e2guardian (U) Bernhard Schmidt freeradius (U) Birger Schacht sway (U) Boian Bonev vfu Boris Pek eiskaltdcpp Boyuan Yang shadowsocks-libev (U) Carlos Alberto Lopez Perez aircrack-ng (U) Carsten Leonhardt pound CESNET libyang (U) Chandramouli Rajagopalan android-platform-external-libselinux (U) ChangZhuo Chen (陳昌倬) libr3 Chirayu Desai android-platform-tools (U) Chris Hofstaedtler kannel Chris Lamb zoneminder (U) Christoph Berg pgpcre (U) postgis (U) xymon Christoph Egger clisp (U) pdfgrep Christoph Haas zabbix (U) Christoph Martin libapache2-mod-auth-openidc (U) Christos Trochalakis nginx (U) Clint Adams haskell-regex-pcre (U) Cord Beermann passwordmaker-cli Cristian Greco poco (U) Damyan Ivanov libhtml-template-pro-perl (U) Daniel Echeverri hydra (U) Dario Minnucci shush Dave Beckett rasqal Dave Hibberd xastir (U) David Bremner ledger David Lamparter frr libyang David Suárez crystal Debian Accessibility Team brltty edbrowse Debian Apache Maintainers apache2 Debian