From Fedora Project Wiki

No edit summary
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 8: Line 8:


== Summary ==
== Summary ==
Upstream stopped the support for the old 'pcre' package. It only supports the new 'pcre2' version, so Fedora should do the same.
Pcre has been deprecated in Fedora since Fedora 38. Packages have already started to port to the new pcre2, so with this momentum, most of them should be ported at the time of this change execution.
 
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->


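Review bot: The new Summary line no longer says what the change does. The sentence it replaces stated that Fedora should follow upstream in dropping 'pcre'; the new one only reports the deprecation since Fedora 38 and the porting progress, while the template comment directly below asks this part to answer "What?". Suggest opening with one sentence stating that this change retires the pcre package, followed by the status sentence.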
Line 35: Line 36:
<!-- [[Category:SystemWideChange]] -->
<!-- [[Category:SystemWideChange]] -->


* Targeted release: [[Releases/39 | Fedora Linux 39 ]]  
* Targeted release: [[Releases/41 | Fedora Linux 41 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 48: Line 49:


== Detailed Description ==
== Detailed Description ==
Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. This may lead to some unresolved CVEs, which would have to be resolved by the maintainers. Unfortunately, due to our limited capacity, we wouldn't have the time and experience to solve this by ourselves, so we need to retire this package.
Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. Fedora has decided to [https://fedoraproject.org/wiki/PcreDeprecation | deprecate this package] as well, and we should remove it by retiring the package.


The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API.
The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API.
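Review bot: The external link in the new Detailed Description line is written as [https://fedoraproject.org/wiki/PcreDeprecation | deprecate this package]. MediaWiki external links separate the URL from the label with a space, not a pipe, so the "|" becomes part of the label and appears in the rendered text ("Fedora has decided to | deprecate this package"). Suggest removing the pipe.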
Line 57: Line 58:
1) Retire the pcre completely (PREFERRED):
1) Retire the pcre completely (PREFERRED):


This would consist of filing the BZ trackers for this change to all of the dependent packages. All of them would have to port their package so it supports the new pcre2 API. We'll help the best we can, but this will also cost a lot of time and effort so most of the work would have to be done by the individual maintainers of the packages that need to be ported.
This would consist of filing the BZ trackers for this change to all of the packages that still didn't port to the pcre2. We'll help the best we can, but this will also cost a lot of time and effort so most of the work would have to be done by the individual maintainers of the packages that need to be ported.


2) Orphan the package:
2) Orphan the package:
Line 95: Line 96:
-->
-->
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.
The main API difference between pcre and pcre2 are mentioned in [https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html email] introducing the new pcre2 in 2015


== Scope ==
== Scope ==
Line 163: Line 162:
=== List ===
=== List ===


389-ds-base
*389-ds-base
 
*adanaxisgpl
adanaxisgpl
*aide
 
*aircrack-ng
aide
*anope
 
*apachetop
aircrack-ng
*bti
 
*ccze
anope
*cegui
 
*cegui06
apachetop
*clamav
 
*ClanLib
bti
*clisp
 
*clover2
ccze
*coccinelle
 
*collada-dom
cegui
*compton
 
*condor
cegui06
*cppcheck
 
*cyrus-imapd
clamav
*deepin-file-manager
 
*dogtag-pki
ClanLib
*EMBOSS
 
*eterm
clisp
*Falcon
 
*freeradius
clover2
*gambas3
 
*ganglia
coccinelle
*ghc-highlighting-kate
 
*ghc-pcre-light
collada-dom
*ghc-regex-pcre
 
*GMT
compton
*gnote
 
*golang
condor
*gource
 
*grep
cppcheck
*groonga
 
*gsmartcontrol
cyrus-imapd
*haxe
 
*hydra
deepin-file-manager
*hyperscan
 
*i3
dogtag-pki
*i3-gaps
 
*imapfilter
EMBOSS
*Io-language
 
*kdelibs
eterm
*kdelibs3
 
*kdevelop
Falcon
*kf5-kjs
 
*kf5-kplotting
freeradius
*libast
 
*liblognorm
gambas3
*libmodsecurity
 
*lnav
ganglia
*logstalgia
 
*lumail
ghc-highlighting-kate
*medusa
 
*mle
ghc-pcre-light
*mod_auth_openid
 
*mod_auth_openidc
ghc-regex-pcre
*mod_qos
 
*mod_security
GMT
*monotone
 
*ncid
gnote
*nekovm
 
*ngrep
golang
*nmap
 
*ocaml-pcre
gource
*oci-umount
 
*octave
grep
*openCOLLADA
 
*openscap
groonga
*opensips
 
*pads
gsmartcontrol
*pcre
 
*pdfgrep
haxe
*perl-re-engine-PCRE
 
*petsc
hydra
*php-pecl-apcu
 
*php-pecl-http
hyperscan
*php-pecl-oauth
 
*picom
i3
*pl
 
*poco
i3-gaps
*postgis
 
*powwow
imapfilter
*prelude-lml
 
*privoxy
Io-language
*proxysql
 
*python-qutepart
kdelibs
*python-scss
 
*R
kdelibs3
*rasqal
 
*regexxer
kdevelop
*remctl
 
*renderdoc
kf5-kjs
*rkward
 
*root
kf5-kplotting
*rudiments
 
*sigil
libast
*slang
 
*sord
liblognorm
*sslh
 
*suricata
libmodsecurity
*sway
 
*swig
lnav
*syncevolution
 
*syslog-ng
logstalgia
*the_foundation
 
*the_silver_searcher
lumail
*Thunar
 
*tin
medusa
*tintin
 
*tinyfugue
mle
*trafficserver
 
*uwsgi
mod_auth_openid
*vdr-epgfixer
 
*watchman
mod_auth_openidc
*wireshark
 
*wmweather+
mod_qos
*xastir
 
*xfce4-verve-plugin
mod_security
*xgrep
 
*xmlcopyeditor
monotone
*zsh
 
ncid
 
nekovm
 
ngrep
 
nmap
 
ocaml-pcre
 
oci-umount
 
octave
 
openCOLLADA
 
openscap
 
opensips
 
pads
 
pcre
 
pdfgrep
 
perl-re-engine-PCRE
 
petsc
 
php-pecl-apcu
 
php-pecl-http
 
php-pecl-oauth
 
picom
 
pl
 
poco
 
postgis
 
powwow
 
prelude-lml
 
privoxy
 
proxysql
 
python-qutepart
 
python-scss
 
R
 
rasqal
 
regexxer
 
remctl
 
renderdoc
 
rkward
 
root
 
rudiments
 
sigil
 
slang
 
sord
 
sslh
 
suricata
 
sway
 
swig
 
syncevolution
 
syslog-ng
 
the_foundation
 
the_silver_searcher
 
Thunar
 
tin
 
tintin
 
tinyfugue
 
trafficserver
 
uwsgi
 
vdr-epgfixer
 
watchman
 
wireshark
 
wmweather+
 
xastir
 
xfce4-verve-plugin
 
xgrep
 
xmlcopyeditor
 
zsh
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
== Contingency Plan ==
== Contingency Plan ==
Line 420: Line 294:
* Contingency mechanism: (What to do?  Who will do it?) Execute the second plan mentioned in Detailed description  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism: (What to do?  Who will do it?) Execute the second plan mentioned in Detailed description  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: Start of devel phase of the Fedora 40 version  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: Start of devel phase of the Fedora 41 version  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 430: Line 304:
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages.
There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages.
If the retirement will not succeed the documentation should mention that the pcre is not recommended for the packages in Fedora due to the fact that it's not supported by upstream anymore.


== Release Notes ==
== Release Notes ==
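Review bot: The Documentation hunk removes the sentence that covered the case where the retirement does not succeed, yet the Contingency mechanism line still points to the second plan (orphaning). If that fallback is taken, pcre stays available without upstream support and the page no longer says users should be told so. Suggest keeping a reworded version of the removed sentence, or stating where that case will be documented.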

Latest revision as of 08:43, 3 October 2022

Change waiting for another change
This change can be executed only when the pcre deprecation change is finished. Until then, this change is on hold.

Pcre Retirement

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Pcre has been deprecated in Fedora since Fedora 38. Packages have already started porting to the new pcre2, so with this momentum, most of them should be ported by the time this change is executed.


Owner


Current status

  • Targeted release: Fedora Linux 41
  • Last updated: 2022-10-03
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Upstream stopped supporting the old 'pcre' package. Version 8.45 is marked as the final release, and nothing else will be added or fixed in it. Fedora has decided to deprecate this package as well, and we should remove it by retiring the package.

The new 'pcre2' package has been out for more than 7 years now, and most of the packages have already been ported to its redefined API. Mail about the changes in the pcre2.

There are two plans for this change:

1) Retire the pcre completely (PREFERRED):

This would consist of filing BZ trackers for this change against all of the packages that have not yet been ported to pcre2. We'll help as best we can, but this will also cost a lot of time and effort, so most of the work would have to be done by the individual maintainers of the packages that need to be ported.

2) Orphan the package:

If some of the packages cannot be ported for a good reason, we will orphan the pcre package, and the maintainers of the packages that could not be ported will have to maintain it themselves. For this option to be viable, it must have solid justification, as it could lead to unresolved CVEs in the future.

Feedback

The early feedback from the community is in this mailing thread.

Benefit to Fedora

Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.

Scope

  • Proposal owners: Help to port the packages that depend on the old pcre package. This change affects roughly 120 packages.
  • Other developers: Port their package to support the new pcre2.
  • Release engineering: When all of the packages have been successfully ported, there will be no need for any release engineering coordination. The old pcre package will be simply retired and removed.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

If the packages that depend on the old pcre build successfully with the new pcre2 package, no further testing is needed. No FTBFS package will mean that this change was completed.

User Experience

Users will not be exposed to the possibly vulnerable pcre package, because pcre2 is supported by the upstream community.

Dependencies

This list is obtained by using and combining the output of the following commands:

dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname

dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname
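The combining step described above, as an added example that is not part of the original proposal: it merges the raw output of the two queries into one de-duplicated list of source package names and compares two such snapshots to see which packages have dropped the dependency. It assumes each output line is a source-package NEVRA string and that the `pkgname` step reduces it to the bare name; the function names and the version strings in the sample data are constructed.

```shell
#!/bin/sh
# Added example: turn raw repoquery output into a tracked list of package names.

# Strip ".src"/".src.rpm" and the trailing "-[epoch:]version-release".
# RPM versions and releases never contain "-", so the last two dash-separated
# fields are always version and release, even for names like 389-ds-base.
nevra_to_name() {
    sed -E -e 's/\.src(\.rpm)?$//' -e 's/-[^-]+-[^-]+$//'
}

# $1, $2: files holding the raw output of the two queries.
# Prints the sorted union of package names.
combine_lists() {
    cat "$1" "$2" | nevra_to_name | LC_ALL=C sort -u
}

# $1: older combined list, $2: newer combined list (both from combine_lists).
# Prints names that no longer depend on pcre, i.e. ported or retired.
ported_since() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Constructed sample output: package names are taken from the list on this
# page, version strings are invented for illustration.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/binary_deps" <<'EOF'
grep-3.8-1.fc38.src.rpm
389-ds-base-2.2.3-1.fc38.src.rpm
wmweather+-2.18-10.fc38.src.rpm
grep-3.8-1.fc38.src.rpm
EOF
    cat > "$tmp/build_deps" <<'EOF'
grep-0:3.8-1.fc38.src
perl-re-engine-PCRE-0:0.17-45.fc38.src
EOF
    combine_lists "$tmp/binary_deps" "$tmp/build_deps" > "$tmp/now"
    printf '%s\n' 389-ds-base grep perl-re-engine-PCRE wmweather+ zsh > "$tmp/before"
    echo "still depending on pcre:"; cat "$tmp/now"
    echo "ported since last snapshot:"; ported_since "$tmp/before" "$tmp/now"
    rm -rf "$tmp"
}

demo
```

Keeping each combined list as a dated file makes it easy to see, release by release, how many packages still pull in the unsupported library.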

List

  • 389-ds-base
  • adanaxisgpl
  • aide
  • aircrack-ng
  • anope
  • apachetop
  • bti
  • ccze
  • cegui
  • cegui06
  • clamav
  • ClanLib
  • clisp
  • clover2
  • coccinelle
  • collada-dom
  • compton
  • condor
  • cppcheck
  • cyrus-imapd
  • deepin-file-manager
  • dogtag-pki
  • EMBOSS
  • eterm
  • Falcon
  • freeradius
  • gambas3
  • ganglia
  • ghc-highlighting-kate
  • ghc-pcre-light
  • ghc-regex-pcre
  • GMT
  • gnote
  • golang
  • gource
  • grep
  • groonga
  • gsmartcontrol
  • haxe
  • hydra
  • hyperscan
  • i3
  • i3-gaps
  • imapfilter
  • Io-language
  • kdelibs
  • kdelibs3
  • kdevelop
  • kf5-kjs
  • kf5-kplotting
  • libast
  • liblognorm
  • libmodsecurity
  • lnav
  • logstalgia
  • lumail
  • medusa
  • mle
  • mod_auth_openid
  • mod_auth_openidc
  • mod_qos
  • mod_security
  • monotone
  • ncid
  • nekovm
  • ngrep
  • nmap
  • ocaml-pcre
  • oci-umount
  • octave
  • openCOLLADA
  • openscap
  • opensips
  • pads
  • pcre
  • pdfgrep
  • perl-re-engine-PCRE
  • petsc
  • php-pecl-apcu
  • php-pecl-http
  • php-pecl-oauth
  • picom
  • pl
  • poco
  • postgis
  • powwow
  • prelude-lml
  • privoxy
  • proxysql
  • python-qutepart
  • python-scss
  • R
  • rasqal
  • regexxer
  • remctl
  • renderdoc
  • rkward
  • root
  • rudiments
  • sigil
  • slang
  • sord
  • sslh
  • suricata
  • sway
  • swig
  • syncevolution
  • syslog-ng
  • the_foundation
  • the_silver_searcher
  • Thunar
  • tin
  • tintin
  • tinyfugue
  • trafficserver
  • uwsgi
  • vdr-epgfixer
  • watchman
  • wireshark
  • wmweather+
  • xastir
  • xfce4-verve-plugin
  • xgrep
  • xmlcopyeditor
  • zsh

Contingency Plan

The retirement of the package will be possible only when all of the packages are ported to the new pcre2 package. The backup plan (if the packages are not ported in time) will be the second plan mentioned in the Detailed description (orphaning the package).

  • Contingency mechanism: (What to do? Who will do it?) Execute the second plan mentioned in Detailed description
  • Contingency deadline: Start of devel phase of the Fedora 41 version
  • Blocks release? No


Documentation

There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages.

Release Notes

Release notes should contain the information about the pcre retirement so the users know they won't be able to use its libraries anymore.