Pcre Retirement
Summary
Pcre has been deprecated in Fedora since Fedora 38. Packages have already started to port to the new pcre2, so with this momentum, most of them should be ported at the time of this change execution.
Owner
- Name: Lukas Javorsky
- Email: ljavorsk@redhat.com
Current status
- Targeted release: Fedora Linux 41
- Last updated: 2022-10-03
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Upstream stopped supporting the old 'pcre' package. The 8.45 is marked as a final release and nothing else will be added/fixed in it. Fedora has decided to | deprecate this package as well, and we should remove it by retiring the package.
The new 'pcre2' package is out for more than 7 years now and most of the packages have already been ported to its redefined API. Mail about the changes in the pcre2.
There are two plans for this change:
1) Retire the pcre completely (PREFERRED):
This would consist of filing the BZ trackers for this change to all of the packages that still didn't port to the pcre2. We'll help the best we can, but this will also cost a lot of time and effort so most of the work would have to be done by the individual maintainers of the packages that need to be ported.
2) Orphan the package:
If some of the packages couldn't be ported for a good reason, we will orphan the package and the maintainers of the package that couldn't be ported will have to maintain it by themself. In order for this option to be viable, it must have solid justification, as it could lead to unresolved CVEs in the future.
Feedback
The early feedback from the community is in this mailing thread
Benefit to Fedora
Fedora shouldn't support unsupported packages. When the future RHEL versions fork from Fedora, it could lead to less secure RHEL as well. We should do everything we can so this retirement will succeed.
Scope
- Proposal owners: Help to port the packages that depend on the old pcre package. This change affects roughly 120 packages.
- Other developers: Port their package to support the new pcre2.
- Release engineering: When all of the packages have been successfully ported, there will be no need for any release engineering coordination. The old pcre package will be simply retired and removed.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
If the packages that depend on the old pcre are successfully built with the new pcre2 package, there is no need for the test. No FTBFS package will mean that this change was completed.
User Experience
Users will not be exposed to the possible vulnerable pcre package, because the pcre2 is supported by the upstream community.
Dependencies
This list is obtained by using and combining the output of the following commands:
dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname
dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname
List
- 389-ds-base
- adanaxisgpl
- aide
- aircrack-ng
- anope
- apachetop
- bti
- ccze
- cegui
- cegui06
- clamav
- ClanLib
- clisp
- clover2
- coccinelle
- collada-dom
- compton
- condor
- cppcheck
- cyrus-imapd
- deepin-file-manager
- dogtag-pki
- EMBOSS
- eterm
- Falcon
- freeradius
- gambas3
- ganglia
- ghc-highlighting-kate
- ghc-pcre-light
- ghc-regex-pcre
- GMT
- gnote
- golang
- gource
- grep
- groonga
- gsmartcontrol
- haxe
- hydra
- hyperscan
- i3
- i3-gaps
- imapfilter
- Io-language
- kdelibs
- kdelibs3
- kdevelop
- kf5-kjs
- kf5-kplotting
- libast
- liblognorm
- libmodsecurity
- lnav
- logstalgia
- lumail
- medusa
- mle
- mod_auth_openid
- mod_auth_openidc
- mod_qos
- mod_security
- monotone
- ncid
- nekovm
- ngrep
- nmap
- ocaml-pcre
- oci-umount
- octave
- openCOLLADA
- openscap
- opensips
- pads
- pcre
- pdfgrep
- perl-re-engine-PCRE
- petsc
- php-pecl-apcu
- php-pecl-http
- php-pecl-oauth
- picom
- pl
- poco
- postgis
- powwow
- prelude-lml
- privoxy
- proxysql
- python-qutepart
- python-scss
- R
- rasqal
- regexxer
- remctl
- renderdoc
- rkward
- root
- rudiments
- sigil
- slang
- sord
- sslh
- suricata
- sway
- swig
- syncevolution
- syslog-ng
- the_foundation
- the_silver_searcher
- Thunar
- tin
- tintin
- tinyfugue
- trafficserver
- uwsgi
- vdr-epgfixer
- watchman
- wireshark
- wmweather+
- xastir
- xfce4-verve-plugin
- xgrep
- xmlcopyeditor
- zsh
Contingency Plan
The retirement of the package will be possible only when all of the packages are ported to new pcre2 package. The backup plan (if the packages will not be ported by the time) will be the second plan mentioned in the Detailed description (orphaning the package)
- Contingency mechanism: (What to do? Who will do it?) Execute the second plan mentioned in Detailed description
- Contingency deadline: Start of devel phase of the Fedora 41 version
- Blocks release? No
Documentation
There should be documentation of this change, so the users know that the pcre is no longer part of the Fedora packages.
Release Notes
Release notes should contain the information about the pcre retirement so the users know they won't be able to use its libraries anymore.