From Fedora Project Wiki
No edit summary
No edit summary
 
(9 intermediate revisions by 3 users not shown)
Line 3: Line 3:


= Pcre Deprecation <!-- The name of your change proposal --> =
= Pcre Deprecation <!-- The name of your change proposal --> =
{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
Line 17: Line 15:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF38]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 27: Line 25:
<!-- [[Category:SystemWideChange]] -->
<!-- [[Category:SystemWideChange]] -->


* Targeted release: [[Releases/39 | Fedora Linux 39 ]]  
* Targeted release: [[Releases/38 | Fedora Linux 38 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 35: Line 33:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HEK6GY22HOUAYHQQV257WNLPRI74LCZ4/ devel thread]
* Tracker bug: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2862 #2862]
* Release notes tracker: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2127507 #2127507]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/878 #878]


== Detailed Description ==
== Detailed Description ==
Line 43: Line 42:


The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API.
The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API.
[https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html Mail] about the changes in the pcre2.
[https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html Mail] about the changes in the pcre2. Another example of differences between pcre and pcre2 is explained in the [https://php.watch/versions/7.3/pcre2 php article].


=== Plan ===
=== Plan ===
Line 57: Line 56:
== Benefit to Fedora ==
== Benefit to Fedora ==
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. By deprecating this package, we will send the message to the maintainers that their packages should port to new pcre2 package and any new package would have to use only new and supported pcre2 version.
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. By deprecating this package, we will send the message to the maintainers that their packages should port to new pcre2 package and any new package would have to use only new and supported pcre2 version.
The main API difference between pcre and pcre2 are mentioned in [https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html email] introducing the new pcre2 in 2015


== Scope ==
== Scope ==
* Proposal owners: 3 steps mentioned in the [https://fedoraproject.org/w/index.php?title=PcreDeprecation&action=submit#Plan Plan].  
* Proposal owners: 3 steps mentioned in the [https://fedoraproject.org/wiki/PcreDeprecation#Plan Plan].  
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->



Latest revision as of 14:09, 28 June 2023


Pcre Deprecation

Summary

Upstream stopped the support for the old 'pcre' package. It only supports the new 'pcre2' version, so Fedora should deprecate it so it could later be retired and removed from Fedora entirely.

Owner

Current status

Detailed Description

Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. This may lead to some unresolved CVEs, which would have to be resolved by the maintainers. Unfortunately, due to our limited capacity, we wouldn't have the time and experience to solve this by ourselves, so we need to deprecate this package. After the deprecation is done, the very next step would be starting the retirement change, so the package is removed from Fedora entirely.

The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API. Mail about the changes in the pcre2. Another example of differences between pcre and pcre2 is explained in the php article.

Plan

1) File the BZ trackers for all of the dependent packages.

2) Document the deprecation.

3) Start the new change with the pcre retirement.

Feedback

The early feedback from the community is in this mailing thread

Benefit to Fedora

Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. By deprecating this package, we will send the message to the maintainers that their packages should port to new pcre2 package and any new package would have to use only new and supported pcre2 version.

Scope

  • Proposal owners: 3 steps mentioned in the Plan.
  • Other developers: Port their package to support the new pcre2.
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

The old pcre package will be deprecated, so the new packages are not able to require it and have to require the new pcre2 version of this package.

User Experience

Users will not be exposed to the possible vulnerable pcre package, because the pcre2 is supported by the upstream community.

Dependencies

This list is obtained by using and combining the output of the following commands:

dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname

dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname

List

  • 389-ds-base
  • adanaxisgpl
  • aide
  • aircrack-ng
  • anope
  • apachetop
  • bti
  • ccze
  • cegui
  • cegui06
  • clamav
  • ClanLib
  • clisp
  • clover2
  • coccinelle
  • collada-dom
  • compton
  • condor
  • cppcheck
  • cyrus-imapd
  • deepin-file-manager
  • dogtag-pki
  • EMBOSS
  • eterm
  • Falcon
  • freeradius
  • gambas3
  • ganglia
  • ghc-highlighting-kate
  • ghc-pcre-light
  • ghc-regex-pcre
  • GMT
  • gnote
  • golang
  • gource
  • grep
  • groonga
  • gsmartcontrol
  • haxe
  • hydra
  • hyperscan
  • i3
  • i3-gaps
  • imapfilter
  • Io-language
  • kdelibs
  • kdelibs3
  • kdevelop
  • kf5-kjs
  • kf5-kplotting
  • libast
  • liblognorm
  • libmodsecurity
  • lnav
  • logstalgia
  • lumail
  • medusa
  • mle
  • mod_auth_openid
  • mod_auth_openidc
  • mod_qos
  • mod_security
  • monotone
  • ncid
  • nekovm
  • ngrep
  • nmap
  • ocaml-pcre
  • oci-umount
  • octave
  • openCOLLADA
  • openscap
  • opensips
  • pads
  • pcre
  • pdfgrep
  • perl-re-engine-PCRE
  • petsc
  • php-pecl-apcu
  • php-pecl-http
  • php-pecl-oauth
  • picom
  • pl
  • poco
  • postgis
  • powwow
  • prelude-lml
  • privoxy
  • proxysql
  • python-qutepart
  • python-scss
  • R
  • rasqal
  • regexxer
  • remctl
  • renderdoc
  • rkward
  • root
  • rudiments
  • sigil
  • slang
  • sord
  • sslh
  • suricata
  • sway
  • swig
  • syncevolution
  • syslog-ng
  • the_foundation
  • the_silver_searcher
  • Thunar
  • tin
  • tintin
  • tinyfugue
  • trafficserver
  • uwsgi
  • vdr-epgfixer
  • watchman
  • wireshark
  • wmweather+
  • xastir
  • xfce4-verve-plugin
  • xgrep
  • xmlcopyeditor
  • zsh

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not needed for this Change)
  • Contingency deadline: N/A (not needed for this Change)
  • Blocks release? No

Documentation

There should be documentation of this change, so the users know that the pcre is no longer supported and cannot be required by any Fedora package. If an existing package requires the pcre package, it is considered as a bug.

Release Notes

Release notes should contain the information about the pcre deprecation so the users know they won't be able to use its libraries anymore.