From Fedora Project Wiki

(Pcre retirement change)
 
No edit summary
Line 24: Line 24:


== Current status ==
== Current status ==
[[Category:ChangeReadyForWrangler]]
[[Category:ChangePageIncomplete]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Revision as of 12:31, 17 August 2022


Pcre Retirement

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Upstream stopped the support for the old 'pcre' package. It only supports the new 'pcre2' version, so Fedora should do the same.

Owner


Current status

  • Targeted release: Fedora Linux 39
  • Last updated: 2022-08-17
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. This may lead to some unresolved CVEs, which would have to be resolved by the maintainers. Unfortunately, due to our limited capacity, we wouldn't have the time and experience to solve this by ourselves, so we need to retire this package.

The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API. Mail about the changes in the pcre2.

There are two plans for this change:

1) Retire the pcre completely (PREFERRED):

This would consist of filing the BZ trackers for this change to all of the dependent packages. All of them would have to port their package so it supports the new pcre2 API. We'll help the best we can, but this will also cost a lot of time and effort so most of the work would have to be done by the individual maintainers of the packages that need to be ported.

2) Orphan the package:

If some of the packages couldn't be ported for a good reason, we will orphan the package and the maintainers of the package that couldn't be ported will have to maintain it by themself. In order for this option to be viable, it must have solid justification, as it could lead to unresolved CVEs in the future.

Feedback

The early feedback from the community is in this mailing thread

Benefit to Fedora

Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.

The main API difference between pcre and pcre2 are mentioned in email introducing the new pcre2 in 2015

Scope

  • Proposal owners: Help to port the packages that depend on the old pcre package. This change affects roughly 120 packages.
  • Other developers: Port their package to support the new pcre2.
  • Release engineering: When all of the packages have been successfully ported, there will be no need for any release engineering coordination. The old pcre package will be simply retired and removed.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

If the packages that depend on the old pcre are successfully built with the new pcre2 package, there is no need for the test. No FTBFS package will mean that this change was completed.

User Experience

Users will not be exposed to the possible vulnerable pcre package, because the pcre2 is supported by the upstream community.

Dependencies

This list is obtained by using and combining the output of the following commands:

dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname

dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname

List

389-ds-base

adanaxisgpl

aide

aircrack-ng

anope

apachetop

bti

ccze

cegui

cegui06

clamav

ClanLib

clisp

clover2

coccinelle

collada-dom

compton

condor

cppcheck

cyrus-imapd

deepin-file-manager

dogtag-pki

EMBOSS

eterm

Falcon

freeradius

gambas3

ganglia

ghc-highlighting-kate

ghc-pcre-light

ghc-regex-pcre

GMT

gnote

golang

gource

grep

groonga

gsmartcontrol

haxe

hydra

hyperscan

i3

i3-gaps

imapfilter

Io-language

kdelibs

kdelibs3

kdevelop

kf5-kjs

kf5-kplotting

libast

liblognorm

libmodsecurity

lnav

logstalgia

lumail

medusa

mle

mod_auth_openid

mod_auth_openidc

mod_qos

mod_security

monotone

ncid

nekovm

ngrep

nmap

ocaml-pcre

oci-umount

octave

openCOLLADA

openscap

opensips

pads

pcre

pdfgrep

perl-re-engine-PCRE

petsc

php-pecl-apcu

php-pecl-http

php-pecl-oauth

picom

pl

poco

postgis

powwow

prelude-lml

privoxy

proxysql

python-qutepart

python-scss

R

rasqal

regexxer

remctl

renderdoc

rkward

root

rudiments

sigil

slang

sord

sslh

suricata

sway

swig

syncevolution

syslog-ng

the_foundation

the_silver_searcher

Thunar

tin

tintin

tinyfugue

trafficserver

uwsgi

vdr-epgfixer

watchman

wireshark

wmweather+

xastir

xfce4-verve-plugin

xgrep

xmlcopyeditor

zsh

Contingency Plan

The retirement of the package will be possible only when all of the packages are ported to new pcre2 package. The backup plan (if the packages will not be ported by the time) will be the second plan mentioned in the Detailed description (orphaning the package)

  • Contingency mechanism: (What to do? Who will do it?) Execute the second plan mentioned in Detailed description
  • Contingency deadline: Start of devel phase of the Fedora 40 version
  • Blocks release? No


Documentation

There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages. If the retirement will not succeed the documentation should mention that the pcre is not recommended for the packages in Fedora due to the fact that it's not supported by upstream anymore.

Release Notes

Release notes should contain the information about the pcre retirement so the users know they won't be able to use its libraries anymore.