pcre deprecation and move to pcre2

Hello,

while bumping pcre2 I noted that pcre2 has new maintainers:
https://build.opensuse.org/request/show/1252897
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.45 (from 2025-02-25)

We had pcre2 in the distribution for 9 years now (by yours truly), intended to replace pcre "soon".
https://build.opensuse.org/request/show/312616

The old library was in quasi-maintenance mode at the time already, and is "unmaintained since 2018". The old pcre library should not only be considered deprecated - but dead and insecure now. We should get rid of it - CWE-1104, OWASP Top 10:2021 #6, and all.

I zipped through some easy ones...
https://build.opensuse.org/request/show/1253625 proftpd
https://build.opensuse.org/request/show/1253337 sngrep
https://build.opensuse.org/request/show/1253141 zabbix
https://build.opensuse.org/request/show/1253581 apache2-mod_auth_openidc

Olaf picked up ocaml-pcre2 and started to look at coccinelle - thanks.
https://build.opensuse.org/request/show/1253797 ocaml-pcre2
https://build.opensuse.org/request/show/1254244 coccinelle

Some need processing please:
https://build.opensuse.org/request/show/1253263 apache2-mod_security2
https://build.opensuse.org/request/show/1253341 liblognorm
https://build.opensuse.org/request/show/1253347 rasqal

For zsh boo#1201811 did not get far at the time. I took a stab:
https://build.opensuse.org/request/show/1254254

I would like to discuss at which point we are happy to just whack pcre from the distribution for security reasons. Only 37 binary packages depend on the lib, probably less than 30 once the above is through and some available patches are added. Should we just kill it now and get it over with?

Some previous work including patches:
https://archlinux.org/todo/move-to-pcre2/
https://md.archlinux.org/p/LPxw6tavl#/

Good night,
Andreas

On Tue, 2025-03-18 at 22:48 +0100, Andreas Stieger via openSUSE Factory wrote:
I would like to discuss at which point we are happy to just whack pcre from the distribution for security reasons. Only 37 binary packages depend on the lib, probably less than 30 once the above is through and some available patches are added. Should we just kill it now and get it over with?
Thank you very much for picking this up and driving it.

The last piece is rather simple to answer: pcre can be removed when there is no consumer left. This means either consumers are fixed/moved to pcre2 or the consumers are removed.

In any case, you can already file a delete request and have the bots report issues they see that stop it from removing the package (installcheck will block the removal until it's safe).

cheers,
Dominique

On 2025-03-19 11:59, Dominique Leuenberger wrote:
The last piece is rather simple to answer: pcre can be removed when there is no consumer left.
This means either consumers are fixed/moved to pcre2 or the consumers are removed
That assumes active and responsive maintainers for all, we'll wait and see.
In any case, you can already file a delete request and have the bots report issues they see that stop it from removing the package (installcheck will block the removal until it's safe).
Already in https://build.opensuse.org/request/show/1254255

Some patterns:
* A number of packages needlessly pull in pcre-devel without using it - that's why I had a much lower number of packages actually linking to the library.
* A set would support pcre2 but only when asked.
* The zsh change will drop a whole bunch.

Good night,
Andreas
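The distinction Andreas draws above (a package declaring pcre-devel versus a binary that actually links libpcre) is decided by the DT_NEEDED entries of the built ELF objects, not by the spec file. The following is an added example and not code from the thread or the openSUSE tooling: it parses the ELF64 dynamic section the same way `readelf -d BIN | grep NEEDED` would, and sorts the sonames into legacy pcre (libpcre.so.1, libpcreposix.so.0, ...) versus pcre2 (libpcre2-8.so.0, ...). On a real system a packager would more likely ask rpm, e.g. `rpm -q --whatrequires 'libpcre.so.1()(64bit)'`; the point of the parser is to show what that query is keyed on. The `build_fake_elf` fixture, the sample soname lists and all function names are constructed for the example so it runs offline.

```python
"""Added example (not from the thread): tell which ELF binaries really link the
legacy pcre library versus pcre2, by reading DT_NEEDED from the dynamic section.
This is what `readelf -d BIN | grep NEEDED` shows; a declared pcre-devel
BuildRequires says nothing about it. Only ELF64 is handled here."""
from __future__ import annotations
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header fields after e_ident
PHDR_FMT = "IIQQQQQQ"        # ELF64 program header
DYN_FMT = "qQ"               # Elf64_Dyn: d_tag, d_val


def needed_libs(data: bytes) -> list[str]:
    """Return the DT_NEEDED sonames of an ELF64 image, in declaration order."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise NotImplementedError("only ELF64 handled in this example")
    end = "<" if data[5] == 1 else ">"
    hdr = struct.unpack_from(end + EHDR_FMT, data, 16)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]

    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            end + PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # statically linked: no dynamic section, nothing NEEDED

    offsets, strtab_vaddr = [], None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, 16):
        tag, val = struct.unpack_from(end + DYN_FMT, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            offsets.append(val)
        elif tag == DT_STRTAB:
            strtab_vaddr = val
    if strtab_vaddr is None:
        raise ValueError("dynamic section has no DT_STRTAB")

    # DT_STRTAB is a virtual address; map it to a file offset via PT_LOAD.
    for v, off, size in loads:
        if v <= strtab_vaddr < v + size:
            base = strtab_vaddr - v + off
            break
    else:
        raise ValueError("DT_STRTAB not inside any PT_LOAD segment")
    return [data[base + o:data.index(b"\0", base + o)].decode() for o in offsets]


def classify_pcre_linkage(needed: list[str]) -> dict[str, list[str]]:
    """Split sonames into legacy pcre (libpcre.so.1, libpcreposix.so.0, ...)
    and pcre2 (libpcre2-8.so.0, libpcre2-posix.so.*, ...)."""
    legacy = sorted(n for n in needed if n.startswith("libpcre") and not n.startswith("libpcre2"))
    modern = sorted(n for n in needed if n.startswith("libpcre2"))
    return {"legacy_pcre": legacy, "pcre2": modern}


def build_fake_elf(needed: list[str]) -> bytes:
    """Constructed fixture: a minimal ELF64 LE image (not runnable) with one
    PT_LOAD mapping the whole file at vaddr 0 and a PT_DYNAMIC naming `needed`."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    dyn_off = 64 + 2 * 56               # ehdr + two phdrs
    entries, pos = [], 1
    for n in needed:
        entries.append((DT_NEEDED, pos))
        pos += len(n) + 1
    dyn_size = (len(entries) + 2) * 16  # + DT_STRTAB + DT_NULL
    str_off = dyn_off + dyn_size
    entries += [(DT_STRTAB, str_off), (DT_NULL, 0)]
    total = str_off + len(strtab)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<" + EHDR_FMT, 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<" + PHDR_FMT, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<" + PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 8)
    dyn = b"".join(struct.pack("<" + DYN_FMT, t, v) for t, v in entries)
    return ehdr + phdrs + dyn + strtab


def scan_files(paths: list[str]) -> dict[str, dict[str, list[str]]]:
    """Classify real binaries on disk, e.g. everything under /usr/bin."""
    report = {}
    for p in paths:
        with open(p, "rb") as f:
            report[p] = classify_pcre_linkage(needed_libs(f.read()))
    return report


if __name__ == "__main__":
    # Two constructed images: one still on legacy pcre, one already on pcre2.
    for name, libs in [("old-consumer", ["libpcre.so.1", "libc.so.6"]),
                       ("ported-consumer", ["libpcre2-8.so.0", "libc.so.6"])]:
        print(name, classify_pcre_linkage(needed_libs(build_fake_elf(libs))))
```

A binary that comes back with an empty `legacy_pcre` list is not a reason to keep pcre-devel in its BuildRequires; a non-empty one is the list the porting patch has to make disappear. `scan_files` is the entry point for real files; the fixture builder only exists so the parser can be exercised without a pcre-linked binary at hand.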

Just to give everyone an update on where we are:

We reduced the source package set consuming pcre directly or transitively from 230 to 74, and the consumer packages of the library from 37 to 30. See https://etherpad.opensuse.org/p/pcre2 for the current progress and pending requests. I estimate that we will be down to 20 source packages if we moved all pending requests through.

Thank you Shawn, Ana, Christophe for jumping on, also the individual and project maintainers for reviewing and forwarding. Please check your queues, also for project level requests.

A significant number of packages just needed to switch. A double digit number of packages specified pcre needlessly, where upstream no longer required them. Upstream patches or patches in other distributions could mostly be used; these were the straightforward fixes.

Package drops or proposed removals:
* the_silver_searcher: funny, this was abandoned by the second upstream. ugrep is the current best replacement. Removal needs traction from the utilities project.
* i3-gaps: merged into mainline 3 years ago, dropping discussed in OBS comments but never executed. Will move ahead.
* openCOLLADA: dependency of blender, declared deprecated by upstream blender and will be removed in future. Package maintainers are discussing.
* prelude-lml, libpreludedb, libprelude, prelude-correlator, prewikka: upstream is totally gone, need traction from the server:monitoring project.
* kjs, kjsembed, khtml: going away
* sleuth: dead upstream, no direct maintainer.
* renderdoc: bundles an old swig version. I reviewed the upstream discussion here and upstream refused to move on. Can be kept in the devel project.
* ocaml-pcre --> ocaml-pcre2

This type of work is bound to discover packages with maintainers that are no longer active, or dormant for some reason. Project maintainers may not get notifications, and would only see it later. I will give it a bit of time to see if there is some movement.
In fact I'll have to, as I am busy with something else for the next 1-2 weeks.

Andreas

Hello,

On 2025-03-25 22:09, Andreas Stieger via openSUSE Factory wrote:
We reduced the source package set consuming pcre directly or transitively from 230 to 74, and the consumer packages of the library from 37 to 30.

As of writing we drove this further down from 74 to 21 source packages, delta is below. The installation images will soon be free from pcre, Ana is doing the adjustments to the packaging definitions.

Notably if you check https://etherpad.opensuse.org/p/pcre2 there is either a submission, a candidate patch, or a plan for each of them.

I worked with qore upstream, there will be a 2.0 in a week. I still need traction from server:monitoring to get rid of prelude and friends with a dead upstream. I already sent a direct mail. slang, deepin-file-manager need some patch wrangling work, pointers are in the doc if someone wants to have some fun.

I think this looks good so far,
Andreas

4store apache2-mod_jk apache2-mod_perl apache2-mod_security2 ardour cadabra2 ccze clanlib
collada-dom cppcheck dataquay dnsmeter fsvs fwts gajim gdal gnuhealth gsmartcontrol
guestfs-tools insighttoolkit leechcraft liblognorm libreoffice libreoffice-voikko modsecurity
nginx-module-vts nim openSUSE-release-tools perl-Apache-SessionX privoxy proteus rasqal redland
renderdoc river rsyslog sarg shadowsocks-libev sleuth sonic-visualiser the_silver_searcher
vectorscan virt-v2v yara