
Request 726173 revoked

- bsc#1144260 - Drop jasper dependency from opencv:
Due to planned removal of jasper. Removes JPEG2000 support.


Stefan Brüns

I don't think it is a good idea to drop JPEG2000 support completely.


Michael Vetter

Yes, please comment on this at https://bugzilla.suse.com/show_bug.cgi?id=1144260 which was opened quite some time ago. As also mentioned there, there are upstream issues: https://github.com/opencv/opencv/issues/14145 https://github.com/opencv/opencv/issues/10453 https://github.com/opencv/opencv/issues/5849

And JPEG2000 is not really a popular format, so I don't think OpenCV suffers a lot when it's disabled. Debian, Gentoo and Alpine are also disabling this as we speak. Debian actually did years ago.


Stefan Brüns

Jpeg2000 is quite popular in the geo sciences.


Dominique Leuenberger

Then I'd advocate that the opencv maintainers have to be burdened with the maintenance of jasper too - as the only consumer left of this library, it should be their own duty


Michael Vetter

@StefanBruens did you see the comments on bugzilla?


Todd R

Has there been any resolution to the jpeg2000 issue?


Michael Vetter

Which issue?


Todd R

The one being discussed in the comment thread above. This has been in the queue for 5 months, but as far as I can tell there has been no explicit mention of a resolution to the problem that has been holding it up.


Michael Vetter

I'm not sure what you mean by this. Did you read the bug mentioned above? It's about the removal of Jasper. Because jasper is badly maintained and has many security fixes which are hard to fix. For this reason we want to remove Jasper from openSUSE (and push projects to use openjpeg). It is all described in the bug mentioned above. The reason this request here is in the queue for 5 months is not that there is an issue that needs to be resolved. It's just because of the decision of the maintainer to have JPEG2000 support stay in OpenCV.



Dominique Leuenberger

So, I give the maintainers here 24 hours to decide:

either you accept this and allow the removal of jasper (jpg2000) from Tumbleweed or you take over maintainership of jasper including all potentially current and future bug reports.

Tomorrow at 11:00 CET I will drop Jasper from the distro


Stefan Brüns

Sorry, 24 hours is completely unreasonable.

I give you 24 hours to come up with a compelling reason why jasper has to be removed immediately.


Michael Vetter

5 months + 24 hours ;)


Stefan Brüns

There was never a deadline.


Dominique Leuenberger

Sorry Stefan, you're very late to the game (and you were part of it from the beginning, 5 months ago when this change was submitted). Time has expired and patience depleted.

Jasper is History NOW


Stefan Brüns

I have stated 4 months ago why I haven't accepted it.

BTW, the bug report is Priority P5, Severity normal - if it were critical, somebody should say so.

Are we going to remove any software which might have a security issue now?

Back to my day job now, maybe I will work on this next weekend.


Dominique Leuenberger

If we have CVEs that remain unaddressed because upstream is dead and nobody wants to provide fixes, yes. We drop it.

Options are easy:

* Jasper is being dropped as no current maintainer wants to take the burden of fixing the CVEs (even upstream does not)
* Jasper finds new maintainers - but I see nobody stepping up to take this on.

Hence: bye bye jasper



Michael Vetter

What's "?" supposed to mean?

Request History
Michael Vetter

jubalh created request

- bsc#1144260 - Drop jasper dependency from opencv:
Due to planned removal of jasper. Removes JPEG2000 support.


Dirk Stoecker

dstoecker declined request

Seems jasper has been updated recently.


Michael Vetter

jubalh reopened request

No it has not.
It was a release made after sending several emails and pushing upstream to do it.

The release was only made due to my repeated effort. But the package is not actively maintained.

The decision to remove it has been made due to my experiences with upstream. Especially _after_ the release has happened.

Read https://github.com/mdadams/jasper/issues/208 and https://bugzilla.suse.com/show_bug.cgi?id=1130404


Stefan Brüns

StefanBruens declined request

Would have been great if you had checked the output of cmake:

66s] -- JPEG 2000: build

i.e. it falls back to a bundled jasper version (1.900.1). So instead of making the build more secure, you actually make it more vulnerable ...


Michael Vetter

jubalh revoked request

Revoking in favour of https://build.opensuse.org/request/show/766065
