https://bugs.gentoo.org/689784 removed jasper from the tree as I proposed in https://github.com/jasper-software/jasper/issues/208#issue-463674791.

Now we were able to release 2.0.19, which fixes all known CVEs.

So I would suggest adding it back into the tree. See https://github.com/jasper-software/jasper/issues/208#issuecomment-664945128 for details.

Reproducible: Always
(In reply to Michael Vetter from comment #0)
> https://bugs.gentoo.org/689784 removed jasper from the tree as I proposed in
> https://github.com/jasper-software/jasper/issues/208#issue-463674791.
>
> Now we were able to release 2.0.19 which fixes all known CVEs.
>
> So I would suggest to add it back into the tree.
> See https://github.com/jasper-software/jasper/issues/208#issuecomment-664945128
> for details
>
> Reproducible: Always

I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues? Would really hate to rinse and repeat this...
> I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

It's a long thread indeed. The contributions are not sudden, however. It was months of work until we got there. A lot of fights too. In between we forked the project and worked on it. And when we were ready to create a new release, new discussions began. In the end we could agree on things, and 3 people have commit rights and maintain jasper together now. Before, there was only one person. So I would say chances are much better.

Also, JasPer was not removed because it had one unfixed CVE but quite a few, for quite a long time. Now we fixed all of them (to my knowledge) and will try to improve some other things too.

I can't foretell the future, but I hope it doesn't get so bad that we have to remove it again ;)
Update:

> I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

I opened this in 2020. Since then we keep JasPer alive and happy. A couple more CVEs appeared, but we fixed all of them in a timely manner. Issues and pull requests are handled well as well. In Nov 2022 we released JasPer 4.0.0. Which is to say that the situation improved a lot and after 3 years appears to be stable.

I would like to work on bringing it back to Gentoo. So my plan is to:

* revert the 77aebdf0b31765b33831ca5b02ea3d98f13c46cd
* update ebuilds to 4.0.0

Once merged: re-introduce it to packages to bring back their JPEG-2000 support.

Would that be ok?
> So my plan is to:

By this I mean that I would like to do it myself as a proxy maintainer. To get more practice :)
(In reply to Michael Vetter from comment #4)
> > So my plan is to:
>
> By this I mean that I would like to do it myself as a proxy maintainer. To
> get more practise :)

Yes, readding jasper has definitely been on our TODO list.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a76c8c2747a42f6d7e7df306f103c67febeb129

commit 6a76c8c2747a42f6d7e7df306f103c67febeb129
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-04-12 13:09:04 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-04-12 13:09:04 +0000

    media-libs/jasper: readd jasper library (4.0.0)

    Closes: https://github.com/gentoo/gentoo/pull/30553
    Bug: https://bugs.gentoo.org/734284
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-libs/jasper/Manifest            |  1 +
 media-libs/jasper/jasper-4.0.0.ebuild | 56 +++++++++++++++++++++++++++++++++++
 media-libs/jasper/jasper-9999.ebuild  | 56 +++++++++++++++++++++++++++++++++++
 media-libs/jasper/metadata.xml        | 19 ++++++++++++
 4 files changed, 132 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d481e2ef9e32d83300cfc5bd8c6ce1204aa773ac

commit d481e2ef9e32d83300cfc5bd8c6ce1204aa773ac
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-04-12 13:09:03 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-04-12 13:09:03 +0000

    licenses: add JasPer2.0 license

    License used by JasPer JPEG-2000 library.

    Bug: https://bugs.gentoo.org/734284
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Signed-off-by: David Seifert <soap@gentoo.org>

 licenses/JasPer2.0      | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 profiles/license_groups |  2 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
I think this can be closed; 4.0.0 is in the tree. There's also an update to 4.1.1, with at least one security fix in 4.0.1 for the pnm decoder, so maybe a bump is in order.
My assumption was we were keeping this open to restore support in various packages from the time of removal, but let's close it.
(In reply to Sam James from comment #8)
> My assumption was we were keeping this open to restore support in various
> packages from the time of removal but let's close it.

Indeed that was my intention.

> There's also an update to 4.1.1 with at least one security fix in 4.0.1 for
> the pnm decoder, so maybe a bump is in order.

Actually we will most likely release a new JasPer version soonish since we fixed another security issue recently. However, I created https://github.com/gentoo/gentoo/pull/34707 now. I hope it helps.
(In reply to Michael Vetter from comment #9)
> (In reply to Sam James from comment #8)
> > My assumption was we were keeping this open to restore support in various
> > packages from the time of removal but let's close it.
>
> Indeed that was my intention.
>
> > There's also an update to 4.1.1 with at least one security fix in 4.0.1 for
> > the pnm decoder, so maybe a bump is in order.
>
> Actually we will most likely release a new JasPer version soonish since we
> fixed another security issue recently.

As promised, we released 4.1.2 with a CVE fix (the CVE is shown as reserved as of now). I created the PR: https://github.com/gentoo/gentoo/pull/34761