Bug#1002876: darktable: embeds libraw

2024-01-07 Thread Tino Mettler
Package: darktable
Version: 4.6.0-1
Followup-For: Bug #1002876

Hi David,

the attached patch removes src/external/LibRaw and builds the package
using the system libraw.

Regards,
Tino

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.1 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages darktable depends on:
ii  libavif16  1.0.3-1
ii  libc6  2.37-7
ii  libcairo2  1.16.0-7
ii  libcolord-gtk1   0.3.0-4
ii  libcolord2   1.4.6-2.2
ii  libcups2 2.4.2-5
ii  libcurl3-gnutls  8.2.1-2
ii  libexiv2-27  0.27.6-1
ii  libgcc-s1  13.2.0-3
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-1+b1
ii  libglib2.0-0 2.77.3-1
ii  libgomp1 13.2.0-3
ii  libgphoto2-6 2.5.30-1
ii  libgphoto2-port12  2.5.30-1
ii  libgraphicsmagick-q16-3  1.4+really1.3.41-1
ii  libgtk-3-0   3.24.38-4
ii  libheif1 1.17.1-1+b1
ii  libicu72 72.1-3
ii  libimath-3-1-29  3.1.9-3
ii  libjpeg62-turbo  1:2.1.5-2
ii  libjson-glib-1.0-0   1.6.6-1
ii  libjxl0.7  0.7.0-10
ii  liblcms2-2   2.14-2
ii  liblensfun1  0.3.4-1
ii  liblua5.4-0  5.4.6-1
ii  libopenexr-3-1-30  3.1.5-5.1
ii  libopenjp2-7 2.5.0-2
ii  libosmgpsmap-1.0-1   1.2.0-2
ii  libpango-1.0-0   1.51.0+ds-2
ii  libpangocairo-1.0-0  1.51.0+ds-2
ii  libpng16-16  1.6.40-1
ii  libportmidi0 1:217-6.1
ii  libpugixml1v5  1.13-0.2
ii  libraw23 0.21.1-7
ii  librsvg2-2   2.54.7+dfsg-2
ii  libsdl2-2.0-0  2.28.3+dfsg-1
ii  libsecret-1-0  0.21.0-1
ii  libsqlite3-0 3.43.0-1
ii  libstdc++6   13.2.0-3
ii  libtiff6 4.5.1+git230720-1
ii  libwebp7 1.3.2-0.3
ii  libwebpmux3  1.3.2-0.3
ii  libx11-6 2:1.8.6-1
ii  libxml2  2.9.14+dfsg-1.3
ii  libxrandr2   2:1.5.2-2+b1
ii  zlib1g   1:1.2.13.dfsg-3

darktable recommends no packages.

darktable suggests no packages.

-- no debconf information
diff --git a/debian/clean b/debian/clean
index 1293eb533..279b62423 100644
--- a/debian/clean
+++ b/debian/clean
@@ -2,3 +2,4 @@ doc/usermanual/profiled_final.fo
 doc/usermanual/profiled_final.xml
 doc/usermanual/usermanual.pdf
 src/external/lua/
+src/external/LibRaw/
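Review bot: listing `src/external/LibRaw/` in debian/clean only deletes the directory from the unpacked tree when the clean target runs; the embedded copy is still part of the upstream source the package ships. If the aim of this bug is to stop carrying the copy and not only to stop building it, exclude it when the upstream tarball is repacked as well (for example with Files-Excluded in debian/copyright), and state in the changelog which of the two this change does.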
diff --git a/debian/control b/debian/control
index 9d8ca2306..8f2b9d266 100644
--- a/debian/control
+++ b/debian/control
@@ -31,6 +31,7 @@ Build-Depends: cmake,
libportmidi-dev,
libpugixml-dev,
libsdl2-dev,
+   libraw-dev,
librsvg2-dev,
libsecret-1-dev,
libsoup2.4-dev,
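Review bot: the added `libraw-dev` build dependency has no version constraint, while the original report in this bug says the embedded libraw snapshot was there because darktable needed it for Canon CR3 support. Add a `(>= <minimum version>)` bound matching what darktable's build requires, so that a build against an older libraw (a backport, for instance) fails at dependency resolution instead of at configure time or with reduced format support.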
diff --git a/debian/rules b/debian/rules
index 24268394a..35abb0e1a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,7 +20,11 @@ endif
dh $@
 
 override_dh_auto_configure: cmake/version.cmake
-   dh_auto_configure -- -DBINARY_PACKAGE_BUILD=1 
-DCMAKE_BUILD_TYPE=Release -DRAWSPEED_ENABLE_LTO=ON
+   dh_auto_configure -- \
+   -DBINARY_PACKAGE_BUILD=1 \
+   -DCMAKE_BUILD_TYPE=Release \
+   -DRAWSPEED_ENABLE_LTO=ON \
+   -DDONT_USE_INTERNAL_LIBRAW=ON
 
 describe-current-version:
git describe --tags upstream | sed 's,^release-,,;s,-,+,;s,-,~,;'
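Review bot: nothing in the changed `override_dh_auto_configure` recipe checks that `-DDONT_USE_INTERNAL_LIBRAW=ON` actually took effect. CMake only warns about a -D variable the project does not use, so if upstream renames or drops the option the build would quietly go back to the embedded copy. Consider making that case fail the build, for example by checking after dh_shlibdeps that the binary package depends on the system libraw, or by removing src/external/LibRaw before configure so that a fallback cannot succeed.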


Bug#1002876: darktable: embeds libraw

2021-12-30 Thread David Bremner
Package: darktable
Version: 3.8.0-1
Severity: important

As of version 3.8.0, darktable is again embedding libraw.  I decided
to open a new bug rather than reopen #682980, since the situation this
time is somewhat different, and I'm not sure anyone getting up to
speed on the bug is well served by reading the 100 or so previous
messages.

Previously (i.e. #682980), darktable was using a forked copy of libraw
(although the change was textually small).  Currently darktable is
using a git submodule of upstream libraw, which means that it is at least
possible in principle that upstream will release a sufficiently recent
version that we can build against it. Or I guess we could package a
git snapshot of libraw in Debian.

As far as I understand, the snapshot of libraw is needed for Canon CR3
support.

I guess the other thing that has changed since #682980 was closed is
that libraw acquired a number of CVEs.

Darktable already appears in the embedded copies list for libraw [1],
but I'm not sure if "modified-embed" is still the right term.


[1]: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages darktable depends on:
ii  libc6  2.33-1
ii  libcairo2  1.16.0-5
ii  libcolord-gtk1   0.1.26-2+b1
ii  libcolord2   1.4.5-3
ii  libcups2 2.3.3op2-7
ii  libcurl3-gnutls  7.79.1-2
ii  libexiv2-27  0.27.3-3.1
ii  libgcc-s1  11.2.0-13
ii  libgdk-pixbuf-2.0-0  2.42.6+dfsg-2
ii  libglib2.0-0 2.70.2-1
ii  libgomp1 11.2.0-13
ii  libgphoto2-6 2.5.27-1
ii  libgphoto2-port12  2.5.27-1
ii  libgraphicsmagick-q16-3  1.4+really1.3.37-1
ii  libgtk-3-0   3.24.31-1
ii  libicu67 67.1-7
ii  libilmbase25 2.5.7-2
ii  libjpeg62-turbo  1:2.1.2-1
ii  libjson-glib-1.0-0   1.6.6-1
ii  liblcms2-2   2.12~rc1-2
ii  liblensfun1  0.3.2-6
ii  libopenexr25 2.5.7-1
ii  libopenjp2-7 2.4.0-3
ii  libosmgpsmap-1.0-1   1.2.0-1
ii  libpango-1.0-0   1.48.10+ds1-1
ii  libpangocairo-1.0-0  1.48.10+ds1-1
ii  libpng16-16  1.6.37-3
ii  libpugixml1v5  1.11.4-1
ii  librsvg2-2   2.50.7+dfsg-2
ii  libsecret-1-0  0.20.4-2
ii  libsoup2.4-1 2.74.2-3
ii  libsqlite3-0 3.36.0-2
ii  libstdc++6   11.2.0-13
ii  libtiff5 4.3.0-2
ii  libwebp6 0.6.1-2.1
ii  libx11-6 2:1.7.2-2+b1
ii  libxml2  2.9.12+dfsg-5+b1
ii  libxrandr2   2:1.5.2-1
ii  zlib1g   1:1.2.11.dfsg-2

darktable recommends no packages.

darktable suggests no packages.

-- no debconf information
