Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#65570 - [qt5-imageformats] drop support for jasper

Attached to Project: Arch Linux
Opened by Gunnar Bretthauer (Taijian) - Thursday, 20 February 2020, 12:47 GMT
Last edited by freswa (frederik) - Thursday, 20 February 2020, 12:53 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Arch currently builds qt5-imageformats with jasper support enabled. Unfortunately, jasper is currently unmaintened upstream and it is unlikely that this will change [1]. There are numerous open CVEs that are unlikely to be fixed.
Lots of other distros have already dropped jasper altogether (Debian, Ubuntu, NixOS, Alpine, OpenSUSE) and I think Arch should do so as well [1],[2].
As it is trivially easy to drop jasper from qt5-imageformats - just remove it from the depends() array and .configure will take care of it - I suggest that it be removed from qt5-imageformats in order to reduce attack surface.

Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
[1] https://github.com/mdadams/jasper/issues/208
[2] https://bugzilla.suse.com/show_bug.cgi?id=1130404

Steps to reproduce:
This task depends upon

Closed by  freswa (frederik)
Thursday, 20 February 2020, 12:53 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#64655 

Loading...