
On Tue, 2025-03-18 at 22:48 +0100, Andreas Stieger via openSUSE Factory wrote:
Hello,
while bumping pcre2 I noted that pcre2 has new maintainers:
https://build.opensuse.org/request/show/1252897
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.45 (from 2025-02-25)
We had pcre2 in the distribution for 9 years now (by yours truly), intended to replace pcre "soon".
https://build.opensuse.org/request/show/312616
The old library was in quasi-maintenance mode at the time already, and is "unmaintained since 2018". The old pcre library should not only be considered deprecated - but dead and insecure now. We should get rid of it - CWE-1104, OWASP Top 10:2021 #6, and all.
I zipped through some easy ones...
https://build.opensuse.org/request/show/1253625 proftpd
https://build.opensuse.org/request/show/1253337 sngrep
https://build.opensuse.org/request/show/1253141 zabbix
https://build.opensuse.org/request/show/1253581 apache2-mod_auth_openidc
Olaf picked up ocaml-pcre2 and started to look at coccinelle - thanks.
https://build.opensuse.org/request/show/1253797 ocaml-pcre2
https://build.opensuse.org/request/show/1254244 coccinelle
Some need processing please:
https://build.opensuse.org/request/show/1253263 apache2-mod_security2
https://build.opensuse.org/request/show/1253341 liblognorm
https://build.opensuse.org/request/show/1253347 rasqal
For zsh, boo#1201811 did not get far at the time. I took a stab:
https://build.opensuse.org/request/show/1254254
I would like to discuss at which point we are happy to just whack pcre from the distribution for security reasons. Only 37 binary packages depend on the lib, probably less than 30 once the above is through and some available patches are added. Should we just kill it now and get it over with?
Some previous work including patches:
https://archlinux.org/todo/move-to-pcre2/
https://md.archlinux.org/p/LPxw6tavl#/
Thank you very much for picking this up and driving it. The last piece is rather simple to answer: pcre can be removed when there is no consumer left. This means either consumers are fixed/moved to pcre2 or the consumers are removed. In any case, you can already file a delete request and have the bots report the issues they see that stop them from removing the package (installcheck will block the removal until it's safe).

cheers,
Dominique