Bug 31867 - X.org unmaintained packages need to be dropped
Summary: X.org unmaintained packages need to be dropped
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: High normal
Target Milestone: Mageia 10
Assignee: All Packagers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 32127
  Show dependency treegraph
 
Reported: 2023-05-04 17:10 CEST by David Walser
Modified: 2024-02-18 19:22 CET (History)
6 users (show)

See Also:
Source RPM: xfindproxy, libxfontcache, xfwp, xsetpointer, libxkbui, libxxf86misc, libdmx, liboldx, xsetmode, libxevie, libxtrap, x11-font-bitstream-speedo, xrx, libxp, liblbxutil, x11-driver-input-{mutouch,fpit,hyperpen,penmount}
CVE:
Status comment:


Attachments
Packages that would be removed from my current m9 x86_64 install (10.06 KB, text/plain)
2024-02-18 19:22 CET, Dave Hodgins
Details

Description David Walser 2023-05-04 17:10:58 CEST
X.org has announced several packages that they are no longer maintaining, which we should be dropping:
https://www.openwall.com/lists/oss-security/2023/05/02/3

I believe I got all of them listed in the Source RPM field, here they are with versions:
xfindproxy-1.0.4-4.mga9.src.rpm, libxfontcache-1.0.5-14.mga9.src.rpm, xfwp-1.0.3-8.mga9.src.rpm, xsetpointer-1.0.1-15.mga9.src.rpm, libxkbui-1.0.2-19.mga9.src.rpm, libxxf86misc-1.0.4-4.mga9.src.rpm, libdmx-1.1.4-4.mga9.src.rpm, liboldx-1.0.1-19.mga9.src.rpm, xsetmode-1.0.0-18.mga9.src.rpm, libxevie-1.0.3-13.mga9.src.rpm, libxtrap-1.0.1-10.mga9.src.rpm, x11-font-bitstream-speedo-1.0.2-10.mga9.src.rpm, xrx-1.0.4-10.mga9.src.rpm, libxp-1.0.4-1.mga9.src.rpm, liblbxutil-1.1.0-13.mga9.src.rpm, x11-driver-input-mutouch-1.3.0-28.mga9.src.rpm, x11-driver-input-fpit-1.4.0-27.mga9.src.rpm, x11-driver-input-hyperpen-1.4.1-33.mga9.src.rpm, x11-driver-input-penmount-1.5.0-27.mga9.src.rpm

We'll have to be careful, as some of them are currently required by other packages.
David Walser 2023-05-04 17:11:17 CEST

Blocks: (none) => 30163
Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

Comment 1 Lewis Smith 2023-05-04 20:16:07 CEST
Here are the packages to drop listed, hopefully in alphabetic order:
libdmx
liblbxutil
liboldx
libxevie
libxfontcache
libxp
libxtrap
libxxf86misc
x11-driver-input-fpit
x11-driver-input-hyperpen
x11-driver-input-mutouch
x11-driver-input-penmount
x11-font-bitstream-speedo
xfindproxy
xfwp
xrx
xsetmode

Inevitably assigning this globally, but it might need more than one packager to do it all - especially as
"some of them are currently required by other packages".

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2023-06-06 11:07:07 CEST
we will need to rebuild xorg w/o the deps because for ex:

urpmq --whatrequires lib64dmx1
lib64dmx-devel
lib64dmx1
lib64xorg-x11

CC: (none) => mageia

Comment 3 Morgan Leijström 2023-06-11 01:24:00 CEST
Should we really do this for mga9?

Needs much testing for reliability?  = delaying mga9 further.

Or do this after RC1, in order to be able to ship RC1 soon?

CC: (none) => fri

Comment 4 David Walser 2023-06-11 03:28:17 CEST
We should do this now.  Once we release with unmaintained packages/software, we have no recourse.  Rushing a distro release that we can't support doesn't help us.
Comment 5 Dave Hodgins 2023-06-11 20:12:37 CEST
If we don't do it before the rc, which is supposed to be as close to final
as possible, it will not get adequate testing before the final iso images
are released.

For packages being dropped, if they are on the iso images or need to be
obsoleted to force removal from user's systems, that has to be done before
the RC iso images start testing.

Doing it later would lengthen the final iso image testing, which we want
to have be as short as possible due to the freeze on all development except
fixing bugs impacting the iso images.

For this bug, it's due to the security warning from Xorg.

CC: (none) => davidwhodgins

Comment 6 David GEIGER 2023-06-12 18:14:12 CEST
So I searched all unmaintained X.org packages listed and cleaned all packages which depended on they, here the cleaned dependencies list:

$ urpmq --whatrequires-recursive lib64dmx1
lib64dmx-devel
$ urpmq --whatrequires-recursive lib64dmx-devel


$ urpmq --whatrequires-recursive lib64lbxutil1
lib64lbxutil-devel
$ urpmq --whatrequires-recursive lib64lbxutil-devel


$ urpmq --whatrequires-recursive lib64oldx6
lib64oldx-devel
$ urpmq --whatrequires-recursive lib64oldx-devel


$ urpmq --whatrequires-recursive lib64xevie1
lib64xevie-devel
$ urpmq --whatrequires-recursive lib64xevie-devel


$ urpmq --whatrequires-recursive lib64xfontcache1
lib64xfontcache-devel
$ urpmq --whatrequires-recursive lib64xfontcache-devel


$ urpmq --whatrequires-recursive lib64xp6
lib64xp-devel
lib64xprintutil1
$ urpmq --whatrequires lib64xp-devel
lib64xprintutil-devel
libxprintutil


$ urpmq --whatrequires-recursive lib64xtrap6
lib64xtrap-devel
xtrap
$ urpmq --whatrequires-recursive lib64xtrap-devel
xtrap

$ urpmq --whatrequires-recursive xtrap

$ urpmq --whatrequires lib64xxf86misc1
lib64xxf86misc-devel
$ urpmq --whatrequires lib64xxf86misc-devel
drakx-kbd-mouse-x11


$ urpmq --whatrequires x11-driver-input-fpit

$ urpmq --whatrequires x11-driver-input-hyperpen

$ urpmq --whatrequires x11-driver-input-mutouch

$ urpmq --whatrequires x11-driver-input-penmount

$ urpmq --whatrequires x11-font-bitstream-speedo

$ urpmq --whatrequires-recursive xfindproxy

$ urpmq --whatrequires-recursive xfwp

$ urpmq --whatrequires-recursive xrx

$ urpmq --whatrequires-recursive xsetmode

$ urpmq --whatrequires-recursive xsetpointer


$ urpmq --whatrequires-recursive lib64xkbui1
lib64xkbui-devel
$ urpmq --whatrequires-recursive lib64xkbui-devel


$ urpmq --whatrequires-recursive lib64xprintutil1
lib64xprintutil-devel
$ urpmq --whatrequires-recursive lib64xprintutil-devel



All can be removed except for now our "drakx-kbd-mouse-x11" pkg which still depend on xxf86misc-devel.
Also new xdpyinfo-1.3.4-2.mga9 should now be moved from Testing to Release to fix dependencies.

CC: (none) => geiger.david68210

Comment 7 David GEIGER 2023-06-12 18:16:05 CEST
List of srpms which can now be retired from our repo:

libdmx-1.1.4-4.mga9.src.rpm
liblbxutil-1.1.0-13.mga9.src.rpm
liboldx-1.0.1-19.mga9.src.rpm
libxevie-1.0.3-13.mga9.src.rpm
libxfontcache-1.0.5-14.mga9.src.rpm
libxp-1.0.4-1.mga9.src.rpm
libxtrap-1.0.1-10.mga9.src.rpm
xtrap-1.0.3-4.mga9.src.rpm
x11-driver-input-fpit-1.4.0-27.mga9.src.rpm
x11-driver-input-hyperpen-1.4.1-33.mga9.src.rpm
x11-driver-input-mutouch-1.3.0-28.mga9.src.rpm
x11-driver-input-penmount-1.5.0-27.mga9.src.rpm
x11-font-bitstream-speedo-1.0.2-10.mga9.src.rpm
xfindproxy-1.0.4-4.mga9.src.rpm
xfwp-1.0.3-8.mga9.src.rpm
xrx-1.0.4-10.mga9.src.rpm
xsetmode-1.0.0-18.mga9.src.rpm
xsetpointer-1.0.1-15.mga9.src.rpm
libxkbui-1.0.2-19.mga9.src.rpm
libxprintutil-1.0.1-20.mga9.src.rpm


Execpt libxxf86misc-1.0.4-4.mga9.src.rpm as we have first to fix our drakx-kbd-mouse-x11 pkg!
Comment 8 David GEIGER 2023-06-16 07:09:42 CEST
So all added in task-obsolete except libxxf86misc for now.
Comment 9 papoteur 2023-06-16 11:33:38 CEST
The code which uses libxxf86misc is present since about 2005. It seems to concern test of the X server and another part for mouse setting.
https://gitweb.mageia.org/software/drakx-kbd-mouse-x11/tree/lib/xf86misc/main.xs
Who knows how this work? Not me.
I suggest to keep it to not blocks the Mageia 9 release.
For the X test, an option is to withdraw it, this is not so important.
We still need to investigate for initIMPS2 function.

CC: (none) => yves.brungard_mageia

Nicolas Lécureuil 2023-06-16 16:20:22 CEST

Priority: release_blocker => High

Comment 10 Thomas Backlund 2023-06-23 18:21:48 CEST
drakx  relies on libxxf86misc, so it's removal broke stage2 installer (bug 31867), so I've restored the deps so stage2 installer works again, ...  

that will need to be reviewed for mga10
Comment 11 Thomas Backlund 2023-06-23 18:22:16 CEST
bug 32031 that is
Comment 12 Morgan Leijström 2023-06-26 17:58:20 CEST
If we are satisfied with dropping packages for Mageia 9 release, 
please drop blocking of
 Bug 30163 - [TRACKER] Packages that need to be obsoleted for Mageia 9 release
Comment 13 Chris Denice 2023-08-28 16:09:19 CEST
FI, I am just having a few proprietary programs failing on mga9 as they are looking for libXp.
I was able to fix my very personal issue by building from obsolete/libxp, which does not depend on other obsoleted packages. Bug reports on that will possibly come.

Cheers,
Chris.

CC: (none) => eatdirt

Comment 14 Morgan Leijström 2024-02-18 11:48:49 CET
Mageia 9 released long ago...
Targeting mga10

Target Milestone: Mageia 9 => Mageia 10
Blocks: 30163 => 32127

Comment 15 Chris Denice 2024-02-18 16:08:02 CET
I'd like, as I said on the mailing list, that a fine-compiling package, working-package, used, should not be dropped.

For instance, xsetmode should stays.

Cheers.
Comment 16 David Walser 2024-02-18 16:18:39 CET
See Comment 4.  If we can remove our reliance on dead, unmaintained software, we should.  There have been other things in the past people would have liked to keep forever (old versions of Gtk+ being just one example), but we just can't responsibly do that.
Comment 17 Chris Denice 2024-02-18 16:25:25 CET
I disagree.

We should remove software when they do not work or do not build. Here, you're using manpower to remove softs and, more importantly, dependencies, that work perfectly fine. Non-sense to me.

Unmaintained does not mean broken nor useless.
Comment 18 David Walser 2024-02-18 17:01:45 CET
Unless we have the expertise to maintain the software ourselves, or know that we can rely on someone else that does, it's not good to keep unmaintained stuff, should any serious issues arise with it.
Comment 19 Dave Hodgins 2024-02-18 19:22:55 CET
Created attachment 14396 [details]
Packages that would be removed from my current m9 x86_64 install

The following command shows any of the packages that would be obsoleted based
on the srpm list in comment 1.
$ cat checkxorgpkgs
rpm -q \
lib64xpm4 \
lib64xpm-devel \
lib64xpresent1 \
lib64xpresent-devel \
lib64xxf86misc1 \
lib64xxf86misc-devel \
libxpa1 \
libxpa-devel \
libxplayer-plparser18 \
libxplayer-plparser-devel \
libxplayer-plparser-gir1.0 \
libxplayer-plparser-mini18 \
libxplc0 \
libxplc-devel \
libxpm4 \
libxpm-devel \
libxpresent1 \
libxpresent-devel \
libxxf86misc1 \
libxxf86misc-devel | grep -v -w not

The attached file lists the 269 packages that would then be uninstalled,
which I generated using "urpme --test".

Note You need to log in before you can comment on or make changes to this bug.