FS#65614 - [gimp] replace unused dependendy jasper with openjpeg

Attached to Project: Arch Linux
Opened by Gunnar Bretthauer (Taijian) - Monday, 24 February 2020, 13:14 GMT
Last edited by freswa (frederik) - Sunday, 26 April 2020, 16:21 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Christian Hesse (eworm)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

jasper is insecure and unmaintained and currently under consideration for removal from the Arch repos [1]. Additionally, gimp has not been depending on it since before 2018-08-13 as it got replaced by openjpeg [2]. Therefore please replace the jasper dependency with openjpeg.

[1] https://bugs.archlinux.org/task/64655
[2] https://gitlab.gnome.org/GNOME/gimp/commit/fb57133d55f88e88fafadec8b09a0a3084585b88


This task depends upon

Closed by  freswa (frederik)
Sunday, 26 April 2020, 16:21 GMT
Reason for closing:  Fixed
Additional comments about closing:  2.10.18-6
Comment by Gunnar Bretthauer (Taijian) - Monday, 24 February 2020, 21:23 GMT
  • Field changed: Percent Complete (100% → 0%)
While I understand the reasoning behind keeping all the jasper related security stuff in one place, this is a actual bug in the PKGBUILD. It pulls in jasper which hasn't been a dependency of gimp since 2018-03-04 with commit https://gitlab.gnome.org/GNOME/gimp/-/commit/58a0a651602d5b55d8c7d3408fb315f4e47d9b8f. OpenJPEG should instead be pulled in. Clearly, gimp maintainers are not seeing the other issue, because the released an update to gimp yesterday that still contains this bug. Therefore I think this should be addressed seperately for better visibility.
Comment by Rikard Falkeborn (Herk) - Sunday, 26 April 2020, 11:03 GMT
As of 2.10.18-6, gimp depends on openjpeg2 instead of jasper.

Loading...