We have several packages in Cauldron that are no longer maintained upstream and have become unusable. They need to be obsoleted before Mageia 9 is released. In case a dead-upstream package still seems usable, but has security issues, then it likely needs to be obsoleted, too.
Needs to get obsoleted: lightspark-mozilla-plugin-0.8.5-2.mga9. Mozilla compatible plugin for lightspark (this type of plugin is obsoleted since years in Firefox) Flashplayer is EOL since 2020 and blocked from execution since Jan 2021 Quote from the GitHub page: "Most browsers including Firefox and Chromium don't support flash any longer, so the plugins don't work on their latest versions." "Support matrix Web browser Windows Linux Pale Moon Yes Yes Firefox No No Chrome No No Chromium No No Waterfox No Yes Falcon No untested MyPal Yes N/A https://github.com/lightspark/lightspark/wiki/Getting-Lightspark-up-and-running-in-Web-Browser https://github.com/lightspark/lightspark/releases
Needs to get obsoleted: firefox-ext-mozvoikko-2.0.1-11.mga9 Finnish spell-checking extension for Mozilla applications Quote from GitHub page: "UNMAINTAINED Spell checker extension for legacy Mozilla products (older than Firefox 57 or Thunderbird 60)" It is a NPAPI plugin which is no longer supported in all major browsers.
Needs to get obsoleted: mozilla-plugin-aliedit-1.0.3.20-9.mga8 Aliedit extension for firefox It is a NPAPI plugin which is no longer supported in all major browsers. (Have look at the spec file history. It should have been removed in the past)
Please keep in mind that only packages the cannot work in Mageia 9, or that will interfere with upgrades from 8 to 9 should be obsoleted, which forcefully removes them from the user's installation during upgrade. Other packages that are no longer supported by Mageia should be removed from svn only, using the null package. https://svnweb.mageia.org/packages/cauldron/null/ The user's may have third party software that can still use those packages, or choose to use no longer supported packages, as I do with opera 12.16 from Mageia 4.
CC: (none) => davidwhodgins
(In reply to Marja Van Waes from comment #0) > We have several packages in Cauldron that are no longer maintained upstream > and have become unusable. They need to be obsoleted before Mageia 9 is > released. > In case a dead-upstream package still seems usable, but has security issues, > then it likely needs to be obsoleted, too. How can these be identified? Over time suggestions to obsolete packages pop up. Is it possible to search Bugzilla for this word in any comment? I never succeed with advanced searching.
CC: (none) => lewyssmith
lightspark actually doesn't need to be removed. It has an offline flash player executable that people can use if they have old swf files laying around. Yes the mozilla plugin doesn't work any more but it's not hurting anything. qca2 and the things built against it (kdelibs4, kdebase4-runtime, kde4-kactivities, qutim) probably all need to be dropped, as qca2 can't be rebuilt against botan. Two more candidates to be dropped, recently mentioned on IRC: <papoteur> I had a look to python-sparqlwrapper. This is a Python module. It doesn't seem to be required by anything. We have 1.8.2, the latest is 1.8.5 about 2 years ago. This ones don't build in cauldron. <papoteur> On https://github.com/RDFLib/sparqlwrapper, it seems to be the idea started 2 years ago to have 1.9 which drops support for Python 2. But the tag 1.9 isn't set for the moment. <papoteur> I think telldus-core is a good candidate for dropping: <papoteur> 1/ it doesn't build <papoteur> 2/ it is linked to specific hardware (IOT) <papoteur> 3/ there is no activity since 2 years, and not a lot since 2013.
CC: (none) => yves.brungard_mageia
Just to make sure it doesn't get forgotten, openssl 1.1.1 needs to removed: https://bugs.mageia.org/show_bug.cgi?id=30174#c2
CC: (none) => luigiwalser
(In reply to David Walser from comment #6) > > Two more candidates to be dropped, recently mentioned on IRC: > > <papoteur> I had a look to python-sparqlwrapper. This is a Python module. It > doesn't seem to be required by anything. We have 1.8.2, the latest is 1.8.5 > about 2 years ago. This ones don't build in cauldron. > <papoteur> On https://github.com/RDFLib/sparqlwrapper, it seems to be the > idea started 2 years ago to have 1.9 which drops support for Python 2. But > the tag 1.9 isn't set for the moment. In the mean time, 2.0.0 has been released. I have posted a new spec for it. > > <papoteur> I think telldus-core is a good candidate for dropping: > <papoteur> 1/ it doesn't build > <papoteur> 2/ it is linked to specific hardware (IOT) > <papoteur> 3/ there is no activity since 2 years, and not a lot since 2013. I have moved it in obsolete.
You can't just move something to obsolete in SVN while it's still in the repo. It needs to be removed from the repository as well.
pm-utils Last distribution standing is Mageia. No rpm or deb based disribution is shipping pm-utils anymore. As seen in bug 30080, bug 30180, bug 30179, bug ... pm-utils only causes problems. Last pm-utils release is from 2010. Most functions are now served by systemd/systemctl. Opensuse deprecated in 2015 https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/GX3KAWFIQNXWJDGE2BUANJFK7ZMPPFO3/ Last Fedora with pm-utils was Fedora 22 (now we have Fedora 35) ..and many more deb and prm based distries...dropped support a decade ago...
Depends on: (none) => 30179
Keywords: (none) => TRACKER
Depends on: 30156 => (none)
python-vatnumber : no update since 2014, nothing claims it, doesn't build anymore python-speaklater-1.3-14.mga9 no update since 2012, required by python3-flask-babelex, doesn't build anymore python-anyjson ne construit plus no update since 2012, nothing claims it, doesn't build anymore python-flask-script referenced as deprecated https://github.com/smurfix/flask-script
Bug 30317 - wmebcam is useless Comes with no help, not apparent how to use.
CC: (none) => friDepends on: (none) => 30317
Depends on: 30317 => (none)
fwupdate, https://bugs.mageia.org/show_bug.cgi?id=28878#c3 Bug 28878 - Conflict between fwupdate-efi and grub2-common
Depends on: (none) => 28878
I have two packages that will need to be obsoleted before Mga9 chirp - because upstream are unlikely to move to python-3 any time soon. cambozola - because it was packaged to support zoneminder which no longer needs it. Adding here as a reminder ;)
CC: (none) => zen25000
In the process of updating proj, I forecast some obsoleting to: zygrib
CC: (none) => eatdirt
qt-mobility
Possibly Sugar desktop https://bugs.mageia.org/show_bug.cgi?id=18706#c14
Depends on: (none) => 18706
Depends on: (none) => 30486
Depends on: (none) => 15760
acoustid-fingerprinter The last release is from 2012. http://acoustid.org/fingerprinter It doesn't build anymore, surely because of ffmpeg 5. Nothing claims it.
Depends on: (none) => 26780
vbindiff is broken since MGA6. vbindiff is unmaintained since over 5 years upstream and no code maintenance/bugfixing was done. bug 26780
gnucap? is redundant and old. Electronic cirquit simulator. We have a really old version from 2009 packaged - at least it need to be updated. Project seem alive, but not very active. http://gnucap.org/dokuwiki/doku.php/gnucap:projects list work is needed for interfacing several programs, and that page was last updated in 2016... To clean up number of packages we supply, I suggest to drop gnucap. (and if not, update it at least in cauldron, there is now a 2021 version) We package ngspice, which is well known, well developed, and used by i.e KiCad which we package. https://ngspice.sourceforge.io/ and have even verification tests/examples with KiCad https://ngspice.sourceforge.io/quality.html
(In reply to sturmvogel from comment #19) > vbindiff is broken since MGA6. vbindiff is unmaintained since over 5 years > upstream and no code maintenance/bugfixing was done. > > bug 26780 We now have a fix for 26780 so it should not be obsoleted as it is a useful CLI tool.
CC: (none) => bruno
Fritzing. We fail to package it and get no upstream help. Bug 18689
Depends on: (none) => 18689
Depends on: 26780 => (none)
Nextcloud server Bug 28511 We are not keeping up. Not even finished the upgrade path mga7 -> mga8 yet.
Depends on: (none) => 28511
Misunderstanding - behind the curtain there have been work on NC :)
Depends on: 28511 => (none)
(In reply to Morgan Leijström from comment #24) > Misunderstanding - behind the curtain there have been work on NC :) We still need to remember to drop it before Mageia 9 is branched.
Nextcloud should maybe be dropped from release repo. Then maybe reinstated in backport. Lets see how packaging, testing, and opinions progress in Bug 28511...
Yes that's how we handled it for Mageia 8.
Hi What about this issue?? https://bugs.mageia.org/show_bug.cgi?id=17706
CC: (none) => neoser10
(In reply to Mauricio Andrés Bustamante Viveros from comment #28) > Hi > > What about this issue?? > https://bugs.mageia.org/show_bug.cgi?id=17706 That's not about a package that needs to be dropped.
Bug 30938 : dhcp-4.4.3P1-1.mga9.src.rpm "dhcp is EOL upstream" This needs to be replaced in various places as DavidW details in this bug.
Depends on: (none) => 30938
Adding Banshee: https://bugs.mageia.org/show_bug.cgi?id=29613#c2 and Brasero: https://bugs.mageia.org/show_bug.cgi?id=30909#c5
Some more there were already bugs for... nrpe Bug 26957 perl-Net-IPv4Addr Bug 29281 qtwebkit/wkhtmltopdf Bug 29326 tmate Bug 29733
Depends on: (none) => 26957, 29281, 29326, 29733
quictls is an openssl fork that should not have been imported.
nbd was imported, but never has worked, and the maintainer is no longer with us.
Depends on: (none) => 30153
tmate Bug 29733 - tmate should probably be dropped due to inadequate upstream maintenance
(In reply to David Walser from comment #33) > quictls is an openssl fork that should not have been imported. Bug 31066.
Depends on: (none) => 31066
bug 31069 : python-flask-security "Note that this software is unmaintained upstream. Apparently it has been replaced by flask-security-too (which is also vulnerable to this issue, where it is known as CVE-2021-32618). So this package should be dropped or replaced in Cauldron as well"
(In reply to David Walser from comment #33) > quictls is an openssl fork that should not have been imported. Bug 31066. "quictls really should just be a patch set for OpenSSL that should be submitted upstream. This should be dropped before Mageia 9."
(In reply to Lewis Smith from comment #38) > (In reply to David Walser from comment #33) > > quictls is an openssl fork that should not have been imported. > Bug 31066. > "quictls really should just be a patch set for OpenSSL that should be > submitted upstream. This should be dropped before Mageia 9." I answered in the bug report, the idea is not to get the whole distribution built against it, just give a easy way for people requiring quic to use it by just rebuilding the required package against quictls instead of openssl. (both libraries may be installed and only the buildrequire should select wanted library)
CC: (none) => mageia
Also qt-fsarchiver and qt-fsarchiver-terminal. See bug 28791
Depends on: (none) => 28791
transcode, bug 31096. "Transcode was removed from SVN 4 months ago, but was never added to task-obsolete-tainted. I have now added it."
notification-daemon (Gnome) Bug 31103 from QA-discuss M/L: /usr/libexec/notification-daemon comes from an archived (deprecated and unmaintained) GNOME project, so probably should be dropped from Mageia.
vino (Gnome) Bug 31104 from QA-discuss M/L: For vino, upstream says: "Vino was the GNOME desktop sharing server. It is now archived and unmaintained - please use gnome-remote-desktop instead! " Thus it has to be obsoleted.
Depends on: (none) => 31118
gnome-shell-extension-topicons See bug 31118 and bug 29840 This is dead upstream. The author recommends switching to the appindicator extension, which we do have packaged for Mageia 9
To be checked with Akien, but: openmw does not build anymore, new version only accept libbullet compiled in double precision, that we do not provide currently. Moreover, it is the only remaining package forcing us to have double packaging of old versions of: openscreengraph34 lib64openthreads20 I think we could consider dropping those three! Cheers, Chris.
(In reply to Chris Denice from comment #45) > To be checked with Akien, but: > > openmw does not build anymore, new version only accept libbullet compiled in > double precision, that we do not provide currently. Moreover, it is the only > remaining package forcing us to have double packaging of old versions of: > > openscreengraph34 > lib64openthreads20 > > I think we could consider dropping those three! > I rebuilded libbullet with double precision to try to get openmw working. You may drop the two previously reported libraries as they seems useless now. I imported recastnavigation and openmw should be available soon in cauldron. The only downside is that we need a check wether the following packages still works with double precision in libbullet : godot godot-headless godot-runner godot-server openmw vdrift I don't know how to fix stuntrally and irrlamb, both fails at link time: https://github.com/stuntrally/stuntrally/issues/107 (they seems to use hardcoded float values where double should be used)
(In reply to Raphael Gertz from comment #46) > I don't know how to fix stuntrally and irrlamb, both fails at link time: > https://github.com/stuntrally/stuntrally/issues/107 > (they seems to use hardcoded float values where double should be used) It seems -DBT_USE_DOUBLE_PRECISION don't get passed correctly by cmake.
Hi, I updated stuntrally to version 2.6.2, irrlamb and vdrift are fixed for bullet double precision too. You may be able to drop these susmentioned packages: openscreengraph34 lib64openthreads20 Best regards
Well done Raphael!
zfs-fuse? https://bugs.mageia.org/show_bug.cgi?id=17245#c17
Another one to obsolete as per bug 3659 from 2012 invictus-firewall As per discussion on qa discuss ml it still causes problems if installed.
ogmrip is dead upstream and broken in other distros and in mga8 and cauldron despite trying to fix it https://bugs.mageia.org/show_bug.cgi?id=28683#c19
Depends on: (none) => 28683
Depends on: (none) => 31546
Added unarj (Bug 31546). Unfixed security issues and should be obsoleted by arj apparently.
Anki: can no longer be built, and the old version is not compatible with the sync service https://bugs.mageia.org/show_bug.cgi?id=30841#c3
Depends on: (none) => 30841
Fritzing now works on cauldron / mga9; do not drop.
Depends on: 18689 => (none)
Depends on: (none) => 29771
Depends on: (none) => 28885
Depends on: (none) => 31773
Depends on: (none) => 31774
Depends on: (none) => 31694
Re the previous comment, https://bugs.mageia.org/show_bug.cgi?id=31694#c2 "Because eclipse was removed from Cauldron, openjfx and openjfx8 cannot be built anymore. I think the best thing to do is to drop both." so recording here the need to drop both packages.
Depends on: (none) => 31867
From bug 31867 noted above, here are the packages to drop listed, hopefully in alpabetic order: libdmx liblbxutil liboldx libxevie libxfontcache libxp libxtrap libxxf86misc x11-driver-input-fpit x11-driver-input-hyperpen x11-driver-input-mutouch x11-driver-input-penmount x11-font-bitstream-speedo xfindproxy xfwp xrx xsetmode
ogmrip now removed from Cauldron Core and Tainted repo!
CC: (none) => geiger.david68210
Depends on: 31694 => (none)
Depends on: 28791 => (none)
Depends on: (none) => 32018
can we have an updated list of the packages to drop ?
Well, this is a list from perusing this bug, with no guarantee of its validity. Up to others to point up errors. I have NOT shown packages which were commented to be dropped, but re-instated in later comments. comment 1 : lightspark-mozilla-plugin-0.8.5-2.mga9 ? [See also comment 6] Flashplayer comment 2 : firefox-ext-mozvoikko-2.0.1-11.mga9 comment 3 : mozilla-plugin-aliedit-1.0.3.20-9.mga8 comment 6 : qca2 and the things built against it (kdelibs4, kdebase4-runtime, kde4-kactivities, qutim) telldus-core [See also comment 8, comment 9] comment 7 : openssl 1.1.1 ? [There is an open nVidia bug about this: https://bugs.mageia.org/show_bug.cgi?id=32022] comment 10 : pm-utils comment 11 : python-vatnumber python-speaklater-1.3-14.mga9, required by python3-flask-babelex python-anyjson python-flask-script comment 12 : wmebcam comment 13 : fwupdate comment 14 : chirp cambozola comment 15 : zygrib comment 16 : qt-mobility comment 17 : Sugar desktop ? comment 18 : acoustid-fingerprinter comment 19 : vbindiff ? [countermanded to keep comment 21] comment 20 : gnucap ? comment 23 : Nextcloud server ? [See also comments 24, 25, 26, 27] comment 30 : dhcp-4.4.3P1-1.mga9.src.rpm comment 31 : Banshee Brasero comment 32 : nrpe perl-Net-IPv4Addr qtwebkit/wkhtmltopdf tmate comment 33 : quictls [See also comment 36, comment 38, comment 39] comment 34 : nbd comment 35 : tmate comment 37 : python-flask-security comment 41 : transcode comment 42 : notification-daemon (Gnome) comment 43 : vino comment 44 : gnome-shell-extension-topicons comment 45 : openscreengraph34 lib64openthreads20 [see also for both comment 46, comment 48] comment 50 : zfs-fuse ? comment 51 : invictus-firewall comment 52 : ogmrip comment 53 : unarj comment 54 : Anki comment 56 : openjfx openjfx8 comment 57 : libdmx liblbxutil liboldx libxevie libxfontcache libxp libxtrap libxxf86misc x11-driver-input-fpit x11-driver-input-hyperpen x11-driver-input-mutouch x11-driver-input-penmount x11-font-bitstream-speedo xfindproxy xfwp xrx xsetmode
I don't think a valid reason was given for dropping lightspark. unarj was already replaced. I think openjfx was fixed? Also, don't forget the "depends on" bugs, which don't all have an associated comment in this bug.
Depends on: 32018 => (none)
Quictls #31066 conflict with openssl bug has been fixed, it's patchset is in sync with openssl 3.0.9. QUIC implementation is not expected in openssl until version 3.4 : https://www.openssl.org/roadmap.html This library is required to rebuild haproxy with optional and disabled by default quic feature.
If it's optional can't it be built without it?
(In reply to David Walser from comment #63) > If it's optional can't it be built without it ? By default it's builded without. The quictls library is a convenient optional dependency required to enable QUIC feature in haproxy and other network tools. To enable bleeding edge protocol, it require a package rebuild with quic optional flag and uncomment related sections in config file. rpmbuild -bb --with quic SPECS/haproxy.spec It would be possible to add a similar quic option for the rest of the QUIC toolchain (curl/wget/etc) to have a easy way to get the features. It is separated from openssl and package can't be build against it without patching build process to replace -lssl -lcrypto by -lcrypto-quic -lssl-quic at least.
Fixed/removed: firefox-ext-mozvoikko mozilla-plugin-aliedit invictus-firewall tmate quvi nrpe perl-Net-IPv4Addr anki qca2 unarj ogmrip vino gnome-shell-extension-topicons transcode pm-utils libdmx liblbxutil liboldx libxevie libxfontcache libxp libxtrap x11-driver-input-fpit x11-driver-input-hyperpen x11-driver-input-mutouch x11-driver-input-penmount x11-font-bitstream-speedo xfindproxy xfwp xrx xsetmode python-flask-security qt5-webkit qt-mobility acoustid-fingerprinter python-vatnumber zygrib
I removed pgadmin4. It is too complex to update because of fixed python modules, and more complex to maintain. Use upstream packages.
openjfx openjfx8 Fixed too
TODO: sugar desktop? skopeo/buildah/podman dhcp (its replacement needs to be packaged first) libxxf86misc quictls anything else?
i think we can remove sugar desktop. Nothing new in 2 yrs
(In reply to David Walser from comment #68) > quictls No David, quictls shoudn't be dropped, openssl will not support QUIC protocol until version 3.3, in years ! Did you take in consideration my comment #64 ??? Quictls bug #31066 was resolved, with other's time and help, to remove any conflict with openssl. We don't seems to have a policy advocating to drop others library, be it a dependancy or simply optional: https://wiki.mageia.org/en/Libraries_policy Is there a real or political reason we should be made aware ? https://github.com/haproxy/haproxy/issues/680#issuecomment-1433118828
You confirmed that it isn't required (and that someone would have to rebuild haproxy locally to use it). We already previously decided we weren't going to support multiple openssl implementations when we dropped libressl. Maybe you could put it in backports or something after Mageia 9 is branched.
We also should be looking here: http://madb.mageia.org/tools/security for unfixed security issues that haven't gotten any action, to see if there's anything else we can drop.
(In reply to David Walser from comment #71) > You confirmed that it isn't required (and that someone would have to rebuild > haproxy locally to use it). We already previously decided we weren't going > to support multiple openssl implementations when we dropped libressl. Maybe > you could put it in backports or something after Mageia 9 is branched. I only find this bug report dating from mageia 6: https://bugs.mageia.org/show_bug.cgi?id=17229 This was clearly a totaly different case, libressl would have replaced openssl in full and everything was to be rebuild against it. I would have prefered to keep quictls in release and make it follow openssl patchset. It's not really a new version ported back in the distribution. I will look into changing haproxy package to have haproxy-quicless (openssl) and haproxy-quic (quictls) as haproxy binary alternatives, this way user will have a simple choice to activate or disable quic feature, fine with it ?
We never tried to replace openssl with libressl. We carried both packages for a bit, but it was not ideal.
Depends on: 28885 => (none)
CC: (none) => cooker
Open a new tracker bug for packages to be obsoleted before Mageia 10 release.
Summary: [TRACKER] Packages that need to be obsoleted => [TRACKER] Packages that need to be obsoleted for Mageia 9 release
Depends on: 30938 => (none)
(In reply to Morgan Leijström from comment #75) > Open a new tracker bug for packages to be obsoleted before Mageia 10 release. Bug 32127 - [TRACKER] Packages that need to be obsoleted for Mageia 10 release
Closing as no further changes will be made until updates for m9 start being processed.
Status: NEW => RESOLVEDResolution: (none) => FIXED