tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Deprecating graphics/jasper



nia <nia%netbsd.org@localhost> writes:

> # List of packages that use jasper in pkgsrc:
>
> - graphics/GraphicsMagick - jasper is in PKG_SUGGESTED_OPTIONS
> - graphics/dcraw - EOL, replacement is apparently libraw
> - devel/devIL - non-optional, would probably need to be patched out
> - geography/gdal-lib - can be switched to OpenJPEG
> - graphics/gdk-pixbuf2-jasper - module, should be fine to keep...?
> - graphics/gegl -  optional, could be turned off
> - x11/kdelibs4 - EOL
> - multimedia/kodi - Broken, unmaintained
> - graphics/libraw - optional, could be turned off
>   apparently jasper is only used for RedCine files
> - graphics/netpbm - ... not optional? difficult to tell
> - graphics/opencv - optional, could be turned off
> - graphics/opencv2 - optional, could be turned off
> - x11/qt5-qtimageformats - optional, could be turned off
>
> Conclusion: we could mostly get rid of jasper if we wanted to.

I see where you are coming from about security, but pkgsrc tends to be a
bit slow to really remove things, because that more or less forces the
issue for users, rather than letting them choose.  I realize you think
they shouldn't use it, and you are probably right in the big picture
sense, but we don't understand the considerations of various people.
It's often a reasonable choice to run older code with bugs on inputs not
under the control of attackers, to get things done.

Which is sort of a long way of saying that I don't think we should just
rm the jasper package at this point, but I agree it makes sense to
consider disabling the use of jasper in a lot of places.  Arguably the
upstreams, if they are functioning, should be transitioning to
openjpeg.  Having a jasper option defaulting to off lets people who need
it enable it, while protecting those who aren't aware.

As for kodi, it seems there is a release just a few weeks ago.



I'm guessing that in many of the above programs, there is some loss of
functionality from disabling jasper, but that mostly it's for rare
formats so that most users wouldn't notice.

Are you proposing to go through the things that depend on jasper and
optionize jasper, default off, if that's a reasonable thing, on a
case-by-case basis?  That sounds like a good plan to me, if so.



Home | Main Index | Thread Index | Old Index