Ben Cotton wrote:
== Summary ==
Upstream stopped the support for the old 'pcre' package. It only
supports the new 'pcre2' version, so Fedora should deprecate it so it
could later be retired and removed from Fedora entirely.
== Owner ==
* Name: [[User:ljavorsk| Lukas Javorsky]]
* Email: ljavorsk(a)redhat.com
This is simply a non-starter.
You yourself list dozens of packages using this compatibility library. Some
of those are themselves compatibility libraries (e.g., kdelibs 3 and 4) and
will never be fixed by upstream. It is entirely impractical to port them to
a completely different API. But even current leaf packages such as rkward
are in the list.
PCRE 1 needs to remain as a fully supported compatibility library for the
foreseeable future.
== Detailed Description ==
Upstream stopped supporting the old 'pcre' package. The 8.45 is marked
as a final release and nothing else will be added/fixed in it. This
may lead to some unresolved CVEs, which would have to be resolved by
the maintainers. Unfortunately, due to our limited capacity, we
wouldn't have the time and experience to solve this by ourselves, so
we need to deprecate this package. After the deprecation is done, the
very next step would be starting the [[PcreRetirement|retirement
change]], so the package is removed from Fedora entirely.
How different is the code from the pcre2 code? If it is completely
different, then CVEs found in pcre2 will typically not affect the legacy
code, and you can expect a steep drop in found CVEs with the upstream drop
of support. If, on the other hand, it is sufficiently similar for the CVEs
to apply, then the fixes can also be backported.
In the end, my suggestion if you are unable to deal with the security
vulnerabilities is to simply orphan the library and let someone else pick it
up. (If nobody else does, I will, because at least 3 of my packages depend
on it.)
Kevin Kofler