Overview
Request 1139244 revoked
- Update to 8.2.0:
https://www.digikam.org/news/2023-12-03-8.2.0_release_announcement/
- Drop 0001-Use-FindLibExiv2.cmake-from-ECM.patch, no longer
necessary
- Rebase 0001-Look-for-each-akonadi-component-separately.patch
Due to the insecure nature of jasper, the dependency shouldn't be added back.
Really? AFAIK, jasper is quite secure meanwhile, and well maintained. (since https://build.opensuse.org/request/show/823122)
Maybe I should add some more links:
https://github.com/jasper-software/jasper/issues/208#issuecomment-664976786
https://bugs.kde.org/show_bug.cgi?id=364231#c8
To quote from the latter digikam bug report:
"We have just released JasPer 2.0.19: https://github.com/jasper-software/jasper/releases/tag/version-2.0.19
It fixes all known CVEs (see https://github.com/jasper-software/jasper/blob/master/CHANGELOG).
See https://github.com/mdadams/jasper/issues/208 for details.
I think this bug can be closed and JasPer can still be used for JPEG2000 support."
If that doesn't satisfy you, maybe we should ask the SUSE package maintainer (who actually wrote those bug entries) for clarification.
Every time we tried to add optional JPEG 2000 support, we were asked to drop it. That's why (among others) the Qt imageformats packages don't have this build dependency.
Ok. I don't really insist on adding it back. A new SR without it will be coming in soon...
But TBH, I don't really understand why libjasper was added back to Factory then...
@jubalh: Is it true that libjasper should not be used anymore? Or would it be ok to add the dependency back to the digikam package (and maybe Qt too)?
I'd really like to know...
And for the record: I already added it back in SR#945685, then it was removed again in SR#1074923.
Doesn't look to me like we were asked to remove it, it rather seems to have been a merge from KDE:Unstable:Extra which didn't have that change by mistake...
libjasper should be used. I would definitely add it back. You can also see: https://bugs.kde.org/show_bug.cgi?id=364231 and https://github.com/jasper-software/jasper/issues/208 for more context. But tldr: jasper is fine.
I'm now one of the jasper upstream maintainers (and openSUSE maintainer). All CVEs are fixed and, if you see the repo, we even fix them quite fast.
I have got feedback from maintainers of other distributions that now they prefer jasper over openjpeg whenever possible.
Jasper was bad 3 years ago. By now there is nothing wrong about it. We improved the situation a lot.
Jasper is not more or less insecure than other image libraries. Take a look at tiff, for example... It was just badly maintained 3 years ago. But the situation is fixed now.
Thank you for the confirmation!
I added libjasper back in the new SR#1139388.
Request History
wolfi323 created request
wolfi323 revoked request
According to the latest comments in SR#1138994, I'll revoke this and reopen the other one.
+1