Pcre Retirement
Summary
Upstream stopped the support for the old 'pcre' package. It only supports the new 'pcre2' version, so Fedora should do the same.
Owner
- Name: Lukas Javorsky
- Email: ljavorsk@redhat.com
Current status
- Targeted release: Fedora Linux 39
- Last updated: 2022-08-18
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. This may lead to some unresolved CVEs, which would have to be resolved by the maintainers. Unfortunately, due to our limited capacity, we wouldn't have the time and experience to solve this by ourselves, so we need to retire this package.
The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API. Mail about the changes in the pcre2.
There are two plans for this change:
1) Retire the pcre completely (PREFERRED):
This would consist of filing the BZ trackers for this change to all of the dependent packages. All of them would have to port their package so it supports the new pcre2 API. We'll help the best we can, but this will also cost a lot of time and effort so most of the work would have to be done by the individual maintainers of the packages that need to be ported.
2) Orphan the package:
If some of the packages couldn't be ported for a good reason, we will orphan the package and the maintainers of the package that couldn't be ported will have to maintain it by themself. In order for this option to be viable, it must have solid justification, as it could lead to unresolved CVEs in the future.
Feedback
The early feedback from the community is in this mailing thread
Benefit to Fedora
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.
The main API difference between pcre and pcre2 are mentioned in email introducing the new pcre2 in 2015
Scope
- Proposal owners: Help to port the packages that depend on the old pcre package. This change affects roughly 120 packages.
- Other developers: Port their package to support the new pcre2.
- Release engineering: When all of the packages have been successfully ported, there will be no need for any release engineering coordination. The old pcre package will be simply retired and removed.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
If the packages that depend on the old pcre are successfully built with the new pcre2 package, there is no need for the test. No FTBFS package will mean that this change was completed.
User Experience
Users will not be exposed to the possible vulnerable pcre package, because the pcre2 is supported by the upstream community.
Dependencies
This list is obtained by using and combining the output of the following commands:
dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname
dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname
List
- 389-ds-base
- adanaxisgpl
- aide
- aircrack-ng
- anope
- apachetop
- bti
- ccze
- cegui
- cegui06
- clamav
- ClanLib
- clisp
- clover2
- coccinelle
- collada-dom
- compton
- condor
- cppcheck
- cyrus-imapd
- deepin-file-manager
- dogtag-pki
- EMBOSS
- eterm
- Falcon
- freeradius
- gambas3
- ganglia
- ghc-highlighting-kate
- ghc-pcre-light
- ghc-regex-pcre
- GMT
- gnote
- golang
- gource
- grep
- groonga
- gsmartcontrol
- haxe
- hydra
- hyperscan
- i3
- i3-gaps
- imapfilter
- Io-language
- kdelibs
- kdelibs3
- kdevelop
- kf5-kjs
- kf5-kplotting
- libast
- liblognorm
- libmodsecurity
- lnav
- logstalgia
- lumail
- medusa
- mle
- mod_auth_openid
- mod_auth_openidc
- mod_qos
- mod_security
- monotone
- ncid
- nekovm
- ngrep
- nmap
- ocaml-pcre
- oci-umount
- octave
- openCOLLADA
- openscap
- opensips
- pads
- pcre
- pdfgrep
- perl-re-engine-PCRE
- petsc
- php-pecl-apcu
- php-pecl-http
- php-pecl-oauth
- picom
- pl
- poco
- postgis
- powwow
- prelude-lml
- privoxy
- proxysql
- python-qutepart
- python-scss
- R
- rasqal
- regexxer
- remctl
- renderdoc
- rkward
- root
- rudiments
- sigil
- slang
- sord
- sslh
- suricata
- sway
- swig
- syncevolution
- syslog-ng
- the_foundation
- the_silver_searcher
- Thunar
- tin
- tintin
- tinyfugue
- trafficserver
- uwsgi
- vdr-epgfixer
- watchman
- wireshark
- wmweather+
- xastir
- xfce4-verve-plugin
- xgrep
- xmlcopyeditor
- zsh
Contingency Plan
The retirement of the package will be possible only when all of the packages are ported to new pcre2 package. The backup plan (if the packages will not be ported by the time) will be the second plan mentioned in the Detailed description (orphaning the package)
- Contingency mechanism: (What to do? Who will do it?) Execute the second plan mentioned in Detailed description
- Contingency deadline: Start of devel phase of the Fedora 40 version
- Blocks release? No
Documentation
There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages. If the retirement will not succeed the documentation should mention that the pcre is not recommended for the packages in Fedora due to the fact that it's not supported by upstream anymore.
Release Notes
Release notes should contain the information about the pcre retirement so the users know they won't be able to use its libraries anymore.