Deprecating graphics/jasper

To: tech-pkg%NetBSD.org@localhost
Subject: Deprecating graphics/jasper
From: nia <nia%netbsd.org@localhost>
Date: Tue, 16 Jul 2019 11:03:59 +0000

Just read the conclusions if you don't have much time.

This is the result of me looking for CVEs in file format libraries and
trying to apply fixes. I couldn't find any fixes for graphics/jasper.

# Brief introduction to jasper

- It's library that implements JPEG 2000 support (.jp2 file format)
- it was just updated by me to 2.0.16.
- the last release was a few years ago
- this release wasn't uploaded properly, only tagged
- the only change was to fix 1/26 CVEs that effect 2.0.14

Conclusion: jasper implements a lesser-used image format, and its
maintainance state is very poor. From a security perspective, it's
scary.

# Status of third-party projects:

- Some programs (like GIMP) have transitioned to OpenJPEG.
  Also implements JPEG 2000, but more completely, according to
  Wikipedia. Also, maintained better.
- Others (like opencv) maintain jasper as an optional dependency.
- Projects like Debian, Gentoo, and OpenSUSE are removing JPEG 2000
  support from packages to avoid jasper[1].
  By doing this, Debian has removed the jasper package completely.

[1]: https://github.com/mdadams/jasper/issues/208

Conclusion: jasper is going away.

# List of packages that use jasper in pkgsrc:

- graphics/GraphicsMagick - jasper is in PKG_SUGGESTED_OPTIONS
- graphics/dcraw - EOL, replacement is apparently libraw
- devel/devIL - non-optional, would probably need to be patched out
- geography/gdal-lib - can be switched to OpenJPEG
- graphics/gdk-pixbuf2-jasper - module, should be fine to keep...?
- graphics/gegl -  optional, could be turned off
- x11/kdelibs4 - EOL
- multimedia/kodi - Broken, unmaintained
- graphics/libraw - optional, could be turned off
  apparently jasper is only used for RedCine files
- graphics/netpbm - ... not optional? difficult to tell
- graphics/opencv - optional, could be turned off
- graphics/opencv2 - optional, could be turned off
- x11/qt5-qtimageformats - optional, could be turned off

Conclusion: we could mostly get rid of jasper if we wanted to.

Follow-Ups:
- Re: Deprecating graphics/jasper
  - From: David Holland
- Re: Deprecating graphics/jasper
  - From: Greg Troxel

Prev by Date: Re: [PATCH] fvwm reproducibility patch
Next by Date: Re: [PATCH] fvwm reproducibility patch
Previous by Thread: [PATCH] fvwm reproducibility patch
Next by Thread: Re: Deprecating graphics/jasper
Indexes:

Home | Main Index | Thread Index | Old Index