This change can be executed only when the pcre deprecation change is finished. Until then, this change is on hold.
Pcre Retirement
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Upstream stopped the support for the old 'pcre' package. It only supports the new 'pcre2' version, so Fedora should do the same.
Owner
- Name: Lukas Javorsky
- Email: ljavorsk@redhat.com
Current status
- Targeted release: Fedora Linux 39
- Last updated: 2022-08-18
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. This may lead to some unresolved CVEs, which would have to be resolved by the maintainers. Unfortunately, due to our limited capacity, we wouldn't have the time and experience to solve this by ourselves, so we need to retire this package.
The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API. Mail about the changes in the pcre2.
There are two plans for this change:
1) Retire the pcre completely (PREFERRED):
This would consist of filing the BZ trackers for this change to all of the dependent packages. All of them would have to port their package so it supports the new pcre2 API. We'll help the best we can, but this will also cost a lot of time and effort so most of the work would have to be done by the individual maintainers of the packages that need to be ported.
2) Orphan the package:
If some of the packages couldn't be ported for a good reason, we will orphan the package and the maintainers of the package that couldn't be ported will have to maintain it by themself. In order for this option to be viable, it must have solid justification, as it could lead to unresolved CVEs in the future.
Feedback
The early feedback from the community is in this mailing thread
Benefit to Fedora
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.
The main API difference between pcre and pcre2 are mentioned in email introducing the new pcre2 in 2015
Scope
- Proposal owners: Help to port the packages that depend on the old pcre package. This change affects roughly 120 packages.
- Other developers: Port their package to support the new pcre2.
- Release engineering: When all of the packages have been successfully ported, there will be no need for any release engineering coordination. The old pcre package will be simply retired and removed.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
If the packages that depend on the old pcre are successfully built with the new pcre2 package, there is no need for the test. No FTBFS package will mean that this change was completed.
User Experience
Users will not be exposed to the possible vulnerable pcre package, because the pcre2 is supported by the upstream community.
Dependencies
This list is obtained by using and combining the output of the following commands:
dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname
dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname
List
389-ds-base
adanaxisgpl
aide
aircrack-ng
anope
apachetop
bti
ccze
cegui
cegui06
clamav
ClanLib
clisp
clover2
coccinelle
collada-dom
compton
condor
cppcheck
cyrus-imapd
deepin-file-manager
dogtag-pki
EMBOSS
eterm
Falcon
freeradius
gambas3
ganglia
ghc-highlighting-kate
ghc-pcre-light
ghc-regex-pcre
GMT
gnote
golang
gource
grep
groonga
gsmartcontrol
haxe
hydra
hyperscan
i3
i3-gaps
imapfilter
Io-language
kdelibs
kdelibs3
kdevelop
kf5-kjs
kf5-kplotting
libast
liblognorm
libmodsecurity
lnav
logstalgia
lumail
medusa
mle
mod_auth_openid
mod_auth_openidc
mod_qos
mod_security
monotone
ncid
nekovm
ngrep
nmap
ocaml-pcre
oci-umount
octave
openCOLLADA
openscap
opensips
pads
pcre
pdfgrep
perl-re-engine-PCRE
petsc
php-pecl-apcu
php-pecl-http
php-pecl-oauth
picom
pl
poco
postgis
powwow
prelude-lml
privoxy
proxysql
python-qutepart
python-scss
R
rasqal
regexxer
remctl
renderdoc
rkward
root
rudiments
sigil
slang
sord
sslh
suricata
sway
swig
syncevolution
syslog-ng
the_foundation
the_silver_searcher
Thunar
tin
tintin
tinyfugue
trafficserver
uwsgi
vdr-epgfixer
watchman
wireshark
wmweather+
xastir
xfce4-verve-plugin
xgrep
xmlcopyeditor
zsh
Contingency Plan
The retirement of the package will be possible only when all of the packages are ported to new pcre2 package. The backup plan (if the packages will not be ported by the time) will be the second plan mentioned in the Detailed description (orphaning the package)
- Contingency mechanism: (What to do? Who will do it?) Execute the second plan mentioned in Detailed description
- Contingency deadline: Start of devel phase of the Fedora 40 version
- Blocks release? No
Documentation
There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages. If the retirement will not succeed the documentation should mention that the pcre is not recommended for the packages in Fedora due to the fact that it's not supported by upstream anymore.
Release Notes
Release notes should contain the information about the pcre retirement so the users know they won't be able to use its libraries anymore.