I've been maintainer of the yajl package in Fedora forever, as it was a dep of libvirt.
yajl upstream has been dead since 2015, so the current release tarball has multiple CVEs, which I've patched downstream by grabbing patches from github issue comments from third parties or other distros [1].
In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
Io-language collectd crun grive2 i3 i3-gaps i3status libmodsecurity mod_security raptor2 xen
If anyone cares about the above packages enough to want to take over ownership of 'yajl', either now or in future, please let me know.
I'm willing to keep ownership of yajl until the Fedora 41 branch goes end of life, at which point no version of libvirt will still use it. If no new volunteer has stepped forward by then I'll be orphaning yajl.
If you are the Fedora maintainer of any of the above packages, I'd strongly recommend talking to their respective upstream about switching JSON library to json-c instead of yajl, to avoid being stuck using a dead project forever.
With regards, Daniel
[1] I collect patches in src-git at https://github.com/berrange/yajl/tree/fedora-dist-git
Hi Daniel,
Daniel P. Berrangé <berrange@redhat.com> writes:
> I've been maintainer of the yajl package in Fedora forever, as it was a dep of libvirt.
> yajl upstream has been dead since 2015, so the current release tarball has multiple CVEs, which I've patched downstream by grabbing patches from github issue comments from third parties or other distros [1].
> In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
> Io-language collectd crun grive2 i3 i3-gaps i3status
As the maintainer of i3, i3-gaps & i3status, I've brought this issue upstream: https://github.com/i3/i3/issues/6257
> libmodsecurity mod_security raptor2 xen
> If anyone cares about the above packages enough to want to take over ownership of 'yajl', either now or in future, please let me know.
> I'm willing to keep ownership of yajl until the Fedora 41 branch goes end of life, at which point no version of libvirt will still use it. If no new volunteer has stepped forward by then I'll be orphaning yajl.
I'm not sure if we'll be able to migrate the i3 away from yajl until the EoL of Fedora 41, but if we won't then I'll try to help out.
Cheers,
Dan
One year later, orphaning of yajl is imminent....
On Wed, Oct 02, 2024 at 05:17:09PM +0100, Daniel P. Berrangé wrote:
> I've been maintainer of the yajl package in Fedora forever, as it was a dep of libvirt.
> yajl upstream has been dead since 2015, so the current release tarball has multiple CVEs, which I've patched downstream by grabbing patches from github issue comments from third parties or other distros [1].
> In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
> Io-language collectd crun grive2 i3 i3-gaps i3status libmodsecurity mod_security raptor2 xen
All of these packages are still using yajl :-(
> If anyone cares about the above packages enough to want to take over ownership of 'yajl', either now or in future, please let me know.
> I'm willing to keep ownership of yajl until the Fedora 41 branch goes end of life, at which point no version of libvirt will still use it. If no new volunteer has stepped forward by then I'll be orphaning yajl.
IIUC, Fedora 41 is EOL next Wed Nov 19th [1].
Consider this the 1 week warning of intent to orphan yajl. Someone who cares about the above apps will need to take it over to prevent its subsequent retirement.
> If you are the Fedora maintainer of any of the above packages, I'd strongly recommend talking to their respective upstream about switching JSON library to json-c instead of yajl, to avoid being stuck using a dead project forever.
> [1] I collect patches in src-git at https://github.com/berrange/yajl/tree/fedora-dist-git
With regards, Daniel
[1] https://fedorapeople.org/groups/schedule/f-41/f-41-all-tasks.html
[...]
> yajl upstream has been dead since 2015, so the current release tarball has multiple CVEs, which I've patched downstream by grabbing patches from github issue comments from third parties or other distros [1].
> In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
[...]
> xen
There has been discussion on the Xen development mailing list about replacing yajl with json-c:
https://www.mail-archive.com/xen-devel@lists.xenproject.org/msg200863.html
On Thu, Nov 13, 2025 at 10:42:23AM +0000, Daniel P. Berrangé wrote:
> One year later, orphaning of yajl is imminent....
> On Wed, Oct 02, 2024 at 05:17:09PM +0100, Daniel P. Berrangé wrote:
> > In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
> > Io-language collectd crun grive2 i3 i3-gaps i3status libmodsecurity mod_security raptor2 xen
> All of these packages are still using yajl :-(
snip
> IIUC, Fedora 41 is EOL next Wed Nov 19th [1].
> Consider this the 1 week warning of intent to orphan yajl. Someone who cares about the above apps will need to take it over to prevent its subsequent retirement.
yajl is now orphaned in dist-git, so unless someone else takes ownership, it is liable to be retired from Fedora.
With regards, Daniel
Hi Daniel and all,
Daniel P. Berrangé (berrange@redhat.com) wrote (Tue, Nov 25, 2025, 15:31):
> On Thu, Nov 13, 2025 at 10:42:23AM +0000, Daniel P. Berrangé wrote:
> > One year later, orphaning of yajl is imminent....
> > On Wed, Oct 02, 2024 at 05:17:09PM +0100, Daniel P. Berrangé wrote:
> > > In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
> > > Io-language collectd crun grive2 i3 i3-gaps i3status libmodsecurity mod_security raptor2 xen
> > All of these packages are still using yajl :-(
> snip
> > IIUC, Fedora 41 is EOL next Wed Nov 19th [1].
> > Consider this the 1 week warning of intent to orphan yajl. Someone who cares about the above apps will need to take it over to prevent its subsequent retirement.
> yajl is now orphaned in dist-git, so unless someone else takes ownership, it is liable to be retired from Fedora.
I'm taking ownership before it drops with the idea of orphaning back once ModSecurity has an alternative [1].
Best regards, Mikel
[1] https://github.com/owasp-modsecurity/ModSecurity/issues/3308
Hi Mikel,
Mikel Olasagasti <mikel@olasagasti.info> writes:
> Hi Daniel and all,
> Daniel P. Berrangé (berrange@redhat.com) wrote (Tue, Nov 25, 2025, 15:31):
> > On Thu, Nov 13, 2025 at 10:42:23AM +0000, Daniel P. Berrangé wrote:
> > > One year later, orphaning of yajl is imminent....
> > > On Wed, Oct 02, 2024 at 05:17:09PM +0100, Daniel P. Berrangé wrote:
> > > > In the libvirt 10.8.0 release that just hit rawhide, we've switched to using json-c instead. Aside from libvirt in stable Fedora release branches, there are a few other packages in Fedora still using yajl that I see:
> > > > Io-language collectd crun grive2 i3 i3-gaps i3status libmodsecurity mod_security raptor2 xen
> > > All of these packages are still using yajl :-(
> > snip
> > > IIUC, Fedora 41 is EOL next Wed Nov 19th [1].
> > > Consider this the 1 week warning of intent to orphan yajl. Someone who cares about the above apps will need to take it over to prevent its subsequent retirement.
> > yajl is now orphaned in dist-git, so unless someone else takes ownership, it is liable to be retired from Fedora.
> I'm taking ownership before it drops with the idea of orphaning back once ModSecurity has an alternative [1].
Thanks! I hope that i3 will have migrated by then too.
Cheers,
Dan