Debian Bug report logs - #1000000
phast: depends on obsolete pcre3 library


Package: src:phast; Maintainer for src:phast is Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>;

Reported by: Matthew Vernon <matthew@debian.org>

Date: Thu, 18 Nov 2021 12:06:14 UTC

Severity: important

Fixed in version phast/1.6+dfsg-3

Done: Andreas Tille <tille@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Thu, 18 Nov 2021 12:06:15 GMT) (full text, mbox, link).


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 18 Nov 2021 12:06:15 GMT) (full text, mbox, link).


Message #5 received at maintonly@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@debian.org>
To: maintonly@bugs.debian.org
Subject: phast: depends on obsolete pcre3 library
Date: Thu, 18 Nov 2021 11:49:06 +0000
Source: phast
Severity: important
User: matthew-pcredep@debian.org
Usertags: obsolete-pcre3

Dear maintainer,

Your package still depends on the old, obsolete PCRE3[0] libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, I
would like to remove the pcre3 libraries from Debian, preferably in
time for the release of Bookworm.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Regards,

Matthew

[0] Historical reasons mean that old PCRE is packaged as pcre3 in Debian



Reply sent to Andreas Tille <tille@debian.org>:
You have taken responsibility. (Thu, 18 Nov 2021 14:42:08 GMT) (full text, mbox, link).


Notification sent to Matthew Vernon <matthew@debian.org>:
Bug acknowledged by developer. (Thu, 18 Nov 2021 14:42:08 GMT) (full text, mbox, link).


Message #10 received at 1000000-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1000000-close@bugs.debian.org
Subject: Bug#1000000: fixed in phast 1.6+dfsg-2
Date: Thu, 18 Nov 2021 14:40:53 +0000
Source: phast
Source-Version: 1.6+dfsg-2
Done: Andreas Tille <tille@debian.org>

We believe that the bug you reported is fixed in the latest version of
phast, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated phast package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 18 Nov 2021 14:52:47 +0100
Source: phast
Architecture: source
Version: 1.6+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1000000
Changes:
 phast (1.6+dfsg-2) unstable; urgency=medium
 .
   * Build-Depends: s/libpcre3-dev/libpcre2-dev/
     Closes: #1000000
   * Add autopkgtest




Bug reopened Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Thu, 18 Nov 2021 16:15:03 GMT) (full text, mbox, link).


No longer marked as fixed in versions phast/1.6+dfsg-2. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Thu, 18 Nov 2021 16:15:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Thu, 18 Nov 2021 16:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 18 Nov 2021 16:21:03 GMT) (full text, mbox, link).


Message #19 received at 1000000@bugs.debian.org (full text, mbox, reply):

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: 1000000@bugs.debian.org, Andreas Tille <tille@debian.org>
Subject: Re: Bug#1000000: fixed in phast 1.6+dfsg-2
Date: Thu, 18 Nov 2021 17:12:10 +0100

reopen 1000000
notfixed 1000000 phast/1.6+dfsg-2
thanks

On Thu, 18 Nov 2021 14:40:53 +0000 Debian FTP Masters wrote:
>    * Build-Depends: s/libpcre3-dev/libpcre2-dev/

That's not sufficient, the upstream code needs to be ported to use the 
PCRE2 API and link to libpcre2.

For the Debian package you could drop use_debian_packaged_libpcre.patch 
and use the embedded copy to not block the pcre3 removal in Debian.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Thu, 18 Nov 2021 21:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 18 Nov 2021 21:15:05 GMT) (full text, mbox, link).


Message #24 received at 1000000@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>
To: Sebastiaan Couwenberg <sebastic@xs4all.nl>
Cc: 1000000@bugs.debian.org, Andreas Tille <tille@debian.org>, Matthew Vernon <matthew@debian.org>, debian-devel@lists.debian.org
Subject: Re: Bug#1000000: fixed in phast 1.6+dfsg-2
Date: Thu, 18 Nov 2021 23:12:12 +0200

On Thu, Nov 18, 2021 at 05:12:10PM +0100, Sebastiaan Couwenberg wrote:
>...
> For the Debian package you could drop use_debian_packaged_libpcre.patch and
> use the embedded copy to not block the pcre3 removal in Debian.

As a general comment, this would be a lot worse than keeping pcre3.

If any copy of this library should be used at all in bookworm,
it should be provided by src:pcre3.

Switching from src:pcre3 to an older vendored copy would likely create 
additional security vulnerabilities for our users,[1] even with only one 
user in bookworm shipping it security supportable in src:pcre3 would be 
better than hiding vulnerabilities through vendoring.

> Kind Regards,
> 
> Bas

cu
Adrian

[1] https://security-tracker.debian.org/tracker/source-package/pcre3
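
The two points raised in the messages above (a Build-Depends switch without an API port, and an embedded library copy) can be checked mechanically. The following is an added example, not part of the original thread and not phast's or Debian's own tooling; the file paths and contents in the sample trees are constructed for illustration.

```python
import re

# Markers of the legacy PCRE API (packaged as pcre3 in Debian) in C sources and build files.
LEGACY_API = re.compile(
    r'#\s*include\s*[<"]pcre\.h[>"]'
    r'|\bpcre_(?:compile2?|exec|study|fullinfo|free)\b'
    r'|(?<![\w-])-lpcre(?![\w-])')
# File names typical of an embedded copy of the legacy library.
VENDORED = re.compile(r'(?:^|/)(?:pcre_[a-z0-9_]+\.c|pcre(?:_internal)?\.h)$')

def build_depends(control_text):
    """Return the package names listed in the Build-Depends field of debian/control."""
    m = re.search(r'^Build-Depends:(.*(?:\n[ \t].*)*)', control_text, re.M | re.I)
    names = set()
    for entry in re.split(r'[,|]', m.group(1) if m else ''):
        tokens = entry.split()
        if tokens:
            names.add(tokens[0].split(':')[0])  # drop ":native"-style qualifiers
    return names

def audit(control_text, files):
    """files maps relative path -> text. Returns a list of (finding, paths).

    'api-not-ported' means Build-Depends names libpcre2-dev while the code
    still uses the legacy API; 'vendored-pcre' means an embedded copy exists."""
    deps = build_depends(control_text)
    vendored = sorted(p for p in files if VENDORED.search(p))
    legacy = sorted(p for p, text in files.items()
                    if p not in vendored and LEGACY_API.search(text))
    findings = []
    if 'libpcre3-dev' in deps:
        findings.append(('obsolete-build-dep', ['debian/control']))
    if 'libpcre2-dev' in deps and legacy:
        findings.append(('api-not-ported', legacy))
    if vendored:
        findings.append(('vendored-pcre', vendored))
    return findings

# Constructed sample inputs (hypothetical paths and contents, not phast's real tree).
CONTROL = """Source: example
Build-Depends: debhelper-compat (= 13),
               libpcre2-dev,
               liblapack-dev
"""
UNPORTED = {
    'src/regex_wrap.c': '#include <pcre.h>\nre = pcre_compile(pat, 0, &err, &off, NULL);\n',
    'src/Makefile': 'LIBS = -lm -lpcre\n',
}
PORTED = {
    'src/regex_wrap.c': '#include <pcre2.h>\nre = pcre2_compile(pat, PCRE2_ZERO_TERMINATED, 0, &ec, &off, NULL);\n',
    'src/Makefile': 'LIBS = -lm -lpcre2-8\n',
}
EMBEDDED = dict(PORTED, **{'src/pcre/pcre_compile.c': '#include "pcre_internal.h"\n'})

if __name__ == '__main__':
    for name, tree in [('unported', UNPORTED), ('ported', PORTED), ('embedded', EMBEDDED)]:
        print(name, audit(CONTROL, tree))
```
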



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Fri, 19 Nov 2021 06:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Fri, 19 Nov 2021 06:06:02 GMT) (full text, mbox, link).


Message #29 received at 1000000@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: Adrian Bunk <bunk@debian.org>, 1000000@bugs.debian.org
Cc: Sebastiaan Couwenberg <sebastic@xs4all.nl>, Matthew Vernon <matthew@debian.org>, debian-devel@lists.debian.org
Subject: Re: Bug#1000000: fixed in phast 1.6+dfsg-2
Date: Fri, 19 Nov 2021 07:03:04 +0100

Hi,

On Thu, Nov 18, 2021 at 11:12:12PM +0200, Adrian Bunk wrote:
> On Thu, Nov 18, 2021 at 05:12:10PM +0100, Sebastiaan Couwenberg wrote:
> >...
> > For the Debian package you could drop use_debian_packaged_libpcre.patch and
> > use the embedded copy to not block the pcre3 removal in Debian.
> 
> As a general comment, this would be a lot worse than keeping pcre3.

Since I agree here I started (! not working yet!) with a patch[2].  I
remember that upstream - who has basically stopped development if I
remember correctly - was not even happy, that we replace the code copy.
Thus I assume that they are not very interested in providing a pcre2
patch and we are on our own.

> If any copy of this library should be used at all in bookworm,
> it should be provided by src:pcre3.

I agree and I assume we will need this.  Several packages that received
this bug report are not actively developed any more but used by our
users.  So it might be that we need to work on this ourselves and this
needs time (and knowledge).
 
> Switching from src:pcre3 to an older vendored copy would likely create 
> additional security vulnerabilities for our users,[1] even with only one 
> user in bookworm shipping it security supportable in src:pcre3 would be 
> better than hiding vulnerabilities through vendoring.

+1

Kind regards

    Andreas.
 
> [1] https://security-tracker.debian.org/tracker/source-package/pcre3
[2] https://salsa.debian.org/med-team/phast/-/blob/master/debian/patches/pcre2.patch 

-- 
http://fam-tille.de



Reply sent to Andreas Tille <tille@debian.org>:
You have taken responsibility. (Fri, 19 Nov 2021 13:24:08 GMT) (full text, mbox, link).


Notification sent to Matthew Vernon <matthew@debian.org>:
Bug acknowledged by developer. (Fri, 19 Nov 2021 13:24:08 GMT) (full text, mbox, link).


Message #34 received at 1000000-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1000000-close@bugs.debian.org
Subject: Bug#1000000: fixed in phast 1.6+dfsg-3
Date: Fri, 19 Nov 2021 13:21:17 +0000
Source: phast
Source-Version: 1.6+dfsg-3
Done: Andreas Tille <tille@debian.org>

We believe that the bug you reported is fixed in the latest version of
phast, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated phast package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 19 Nov 2021 13:17:54 +0100
Source: phast
Architecture: source
Version: 1.6+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1000000 1000163
Changes:
 phast (1.6+dfsg-3) unstable; urgency=medium
 .
   * Port to pcre2
     Closes: #1000000, #1000163




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Sat, 20 Nov 2021 10:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Sat, 20 Nov 2021 10:33:02 GMT) (full text, mbox, link).


Message #39 received at 1000000@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: 1000000@bugs.debian.org
Cc: Andreas Tille <tille@debian.org>, Matthew Vernon <matthew@debian.org>, debian-devel@lists.debian.org
Subject: Re: Bug#1000000: fixed in phast 1.6+dfsg-2
Date: Sat, 20 Nov 2021 10:30:18 +0000

congrats to the Debian Med team for filing #1000000 *and* fixing it so quickly!
well done & well deserved to hit this "special bug" :)


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Words may inspire but only action creates change.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Sat, 20 Nov 2021 16:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <andreas@fam-tille.de>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Sat, 20 Nov 2021 16:42:03 GMT) (full text, mbox, link).


Message #44 received at 1000000@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <andreas@fam-tille.de>
To: Holger Levsen <holger@layer-acht.org>
Cc: 1000000@bugs.debian.org, Matthew Vernon <matthew@debian.org>, debian-devel@lists.debian.org
Subject: Re: Bug#1000000: fixed in phast 1.6+dfsg-2
Date: Sat, 20 Nov 2021 17:39:17 +0100

On Sat, Nov 20, 2021 at 10:30:18AM +0000, Holger Levsen wrote:
> congrats to the Debian Med team for filing #1000000 *and* fixing it so quickly!
> well done & well deserved to hit this "special bug" :)

Thanks a lot.  I admit it was not a trivial one but I was motivated to spend
some hours on it (after I was wrong in my first way too simple fix). ;-)

Kind regards

    Andreas.

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#1000000; Package src:phast. (Mon, 29 Nov 2021 21:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to 積丹尼 Dan Jacobson <jidanni@jidanni.org>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Mon, 29 Nov 2021 21:15:05 GMT) (full text, mbox, link).


Message #49 received at 1000000@bugs.debian.org (full text, mbox, reply):

From: 積丹尼 Dan Jacobson <jidanni@jidanni.org>
To: 1000000@bugs.debian.org
Subject: million bugs
Date: Tue, 30 Nov 2021 05:12:36 +0800

People always told me Debian has a million bugs.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 28 Dec 2021 07:24:41 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 26 08:22:45 2024; Machine Name: bembo
