Bug 31867 - X.org unmaintained packages need to be dropped
Summary: X.org unmaintained packages need to be dropped
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: High normal
Target Milestone: Mageia 9
Assignee: All Packagers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 30163
Reported: 2023-05-04 17:10 CEST by David Walser
Modified: 2023-08-28 16:09 CEST

See Also:
Source RPM: xfindproxy, libxfontcache, xfwp, xsetpointer, libxkbui, libxxf86misc, libdmx, liboldx, xsetmode, libxevie, libxtrap, x11-font-bitstream-speedo, xrx, libxp, liblbxutil, x11-driver-input-{mutouch,fpit,hyperpen,penmount}
CVE:
Status comment:



Description David Walser 2023-05-04 17:10:58 CEST
X.org has announced several packages that they are no longer maintaining, which we should be dropping:
https://www.openwall.com/lists/oss-security/2023/05/02/3

I believe I got all of them listed in the Source RPM field, here they are with versions:
xfindproxy-1.0.4-4.mga9.src.rpm, libxfontcache-1.0.5-14.mga9.src.rpm, xfwp-1.0.3-8.mga9.src.rpm, xsetpointer-1.0.1-15.mga9.src.rpm, libxkbui-1.0.2-19.mga9.src.rpm, libxxf86misc-1.0.4-4.mga9.src.rpm, libdmx-1.1.4-4.mga9.src.rpm, liboldx-1.0.1-19.mga9.src.rpm, xsetmode-1.0.0-18.mga9.src.rpm, libxevie-1.0.3-13.mga9.src.rpm, libxtrap-1.0.1-10.mga9.src.rpm, x11-font-bitstream-speedo-1.0.2-10.mga9.src.rpm, xrx-1.0.4-10.mga9.src.rpm, libxp-1.0.4-1.mga9.src.rpm, liblbxutil-1.1.0-13.mga9.src.rpm, x11-driver-input-mutouch-1.3.0-28.mga9.src.rpm, x11-driver-input-fpit-1.4.0-27.mga9.src.rpm, x11-driver-input-hyperpen-1.4.1-33.mga9.src.rpm, x11-driver-input-penmount-1.5.0-27.mga9.src.rpm

We'll have to be careful, as some of them are currently required by other packages.
David Walser 2023-05-04 17:11:17 CEST

Blocks: (none) => 30163
Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

Comment 1 Lewis Smith 2023-05-04 20:16:07 CEST
Here are the packages to drop listed, hopefully in alphabetic order:
libdmx
liblbxutil
liboldx
libxevie
libxfontcache
libxp
libxtrap
libxxf86misc
x11-driver-input-fpit
x11-driver-input-hyperpen
x11-driver-input-mutouch
x11-driver-input-penmount
x11-font-bitstream-speedo
xfindproxy
xfwp
xrx
xsetmode

Inevitably assigning this globally, but it might need more than one packager to do it all - especially as
"some of them are currently required by other packages".

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2023-06-06 11:07:07 CEST
We will need to rebuild xorg w/o the deps because, for example:

urpmq --whatrequires lib64dmx1
lib64dmx-devel
lib64dmx1
lib64xorg-x11

CC: (none) => mageia

Comment 3 Morgan Leijström 2023-06-11 01:24:00 CEST
Should we really do this for mga9?

Needs much testing for reliability?  = delaying mga9 further.

Or do this after RC1, in order to be able to ship RC1 soon?

CC: (none) => fri

Comment 4 David Walser 2023-06-11 03:28:17 CEST
We should do this now.  Once we release with unmaintained packages/software, we have no recourse.  Rushing a distro release that we can't support doesn't help us.
Comment 5 Dave Hodgins 2023-06-11 20:12:37 CEST
If we don't do it before the rc, which is supposed to be as close to final
as possible, it will not get adequate testing before the final iso images
are released.

For packages being dropped, if they are on the iso images or need to be
obsoleted to force removal from user's systems, that has to be done before
the RC iso images start testing.

Doing it later would lengthen the final iso image testing, which we want
to have be as short as possible due to the freeze on all development except
fixing bugs impacting the iso images.

For this bug, it's due to the security warning from Xorg.

CC: (none) => davidwhodgins

Comment 6 David GEIGER 2023-06-12 18:14:12 CEST
So I searched all unmaintained X.org packages listed and cleaned all packages which depended on them; here is the cleaned dependencies list:

$ urpmq --whatrequires-recursive lib64dmx1
lib64dmx-devel
$ urpmq --whatrequires-recursive lib64dmx-devel


$ urpmq --whatrequires-recursive lib64lbxutil1
lib64lbxutil-devel
$ urpmq --whatrequires-recursive lib64lbxutil-devel


$ urpmq --whatrequires-recursive lib64oldx6
lib64oldx-devel
$ urpmq --whatrequires-recursive lib64oldx-devel


$ urpmq --whatrequires-recursive lib64xevie1
lib64xevie-devel
$ urpmq --whatrequires-recursive lib64xevie-devel


$ urpmq --whatrequires-recursive lib64xfontcache1
lib64xfontcache-devel
$ urpmq --whatrequires-recursive lib64xfontcache-devel


$ urpmq --whatrequires-recursive lib64xp6
lib64xp-devel
lib64xprintutil1
$ urpmq --whatrequires lib64xp-devel
lib64xprintutil-devel
libxprintutil


$ urpmq --whatrequires-recursive lib64xtrap6
lib64xtrap-devel
xtrap
$ urpmq --whatrequires-recursive lib64xtrap-devel
xtrap

$ urpmq --whatrequires-recursive xtrap

$ urpmq --whatrequires lib64xxf86misc1
lib64xxf86misc-devel
$ urpmq --whatrequires lib64xxf86misc-devel
drakx-kbd-mouse-x11


$ urpmq --whatrequires x11-driver-input-fpit

$ urpmq --whatrequires x11-driver-input-hyperpen

$ urpmq --whatrequires x11-driver-input-mutouch

$ urpmq --whatrequires x11-driver-input-penmount

$ urpmq --whatrequires x11-font-bitstream-speedo

$ urpmq --whatrequires-recursive xfindproxy

$ urpmq --whatrequires-recursive xfwp

$ urpmq --whatrequires-recursive xrx

$ urpmq --whatrequires-recursive xsetmode

$ urpmq --whatrequires-recursive xsetpointer


$ urpmq --whatrequires-recursive lib64xkbui1
lib64xkbui-devel
$ urpmq --whatrequires-recursive lib64xkbui-devel


$ urpmq --whatrequires-recursive lib64xprintutil1
lib64xprintutil-devel
$ urpmq --whatrequires-recursive lib64xprintutil-devel



All can be removed except, for now, our "drakx-kbd-mouse-x11" pkg which still depends on xxf86misc-devel.
Also new xdpyinfo-1.3.4-2.mga9 should now be moved from Testing to Release to fix dependencies.

CC: (none) => geiger.david68210
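
The audit in comment 6, generalized to a whole drop list at once, as an added example that is not part of the bug report or of Mageia's tooling: a requirer only blocks removal when it is not itself being dropped in the same batch. The names find_blockers, sample_requires and REQUIRES_CMD are hypothetical; the sample data is transcribed from the urpmq outputs quoted in comment 6.

```shell
#!/bin/sh
# Added example: audit a drop list for reverse dependencies that would break.
# find_blockers and sample_requires are hypothetical names, not Mageia tooling.

# Command that prints, one per line, the packages requiring "$1".
# On a Mageia host: REQUIRES_CMD='urpmq --whatrequires-recursive'
REQUIRES_CMD=sample_requires

# Offline stand-in for urpmq, transcribed from the outputs quoted in comment 6.
sample_requires() {
    case "$1" in
        lib64xp6)             printf '%s\n' lib64xp-devel lib64xprintutil1 ;;
        lib64xp-devel)        printf '%s\n' lib64xprintutil-devel libxprintutil ;;
        lib64xprintutil1)     printf '%s\n' lib64xprintutil-devel ;;
        lib64xxf86misc1)      printf '%s\n' lib64xxf86misc-devel ;;
        lib64xxf86misc-devel) printf '%s\n' drakx-kbd-mouse-x11 ;;
    esac
}

# find_blockers PKG...
# Prints "requirer <- dropped-package" for each requirer NOT in the drop list.
# No output means the whole list can be obsoleted together.
find_blockers() {
    fb_drop=" $* "
    for fb_pkg in "$@"; do
        # Unquoted on purpose: REQUIRES_CMD may hold a command plus options.
        $REQUIRES_CMD "$fb_pkg" | sort -u | while IFS= read -r fb_req; do
            [ -n "$fb_req" ] || continue
            case "$fb_drop" in
                *" $fb_req "*) ;;   # requirer is dropped in the same batch
                *) printf '%s <- %s\n' "$fb_req" "$fb_pkg" ;;
            esac
        done
    done
}

# First pass: only the X.org libraries. libxprintutil shows up as a blocker.
find_blockers lib64xp6 lib64xp-devel lib64xxf86misc1 lib64xxf86misc-devel
echo "--"
# Second pass: libxprintutil joins the batch; only the drakx dependency remains.
find_blockers lib64xp6 lib64xp-devel lib64xprintutil1 lib64xprintutil-devel \
    libxprintutil lib64xxf86misc1 lib64xxf86misc-devel
```

The second pass leaves the single blocker that kept libxxf86misc in the repository.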

Comment 7 David GEIGER 2023-06-12 18:16:05 CEST
List of srpms which can now be retired from our repo:

libdmx-1.1.4-4.mga9.src.rpm
liblbxutil-1.1.0-13.mga9.src.rpm
liboldx-1.0.1-19.mga9.src.rpm
libxevie-1.0.3-13.mga9.src.rpm
libxfontcache-1.0.5-14.mga9.src.rpm
libxp-1.0.4-1.mga9.src.rpm
libxtrap-1.0.1-10.mga9.src.rpm
xtrap-1.0.3-4.mga9.src.rpm
x11-driver-input-fpit-1.4.0-27.mga9.src.rpm
x11-driver-input-hyperpen-1.4.1-33.mga9.src.rpm
x11-driver-input-mutouch-1.3.0-28.mga9.src.rpm
x11-driver-input-penmount-1.5.0-27.mga9.src.rpm
x11-font-bitstream-speedo-1.0.2-10.mga9.src.rpm
xfindproxy-1.0.4-4.mga9.src.rpm
xfwp-1.0.3-8.mga9.src.rpm
xrx-1.0.4-10.mga9.src.rpm
xsetmode-1.0.0-18.mga9.src.rpm
xsetpointer-1.0.1-15.mga9.src.rpm
libxkbui-1.0.2-19.mga9.src.rpm
libxprintutil-1.0.1-20.mga9.src.rpm


Except libxxf86misc-1.0.4-4.mga9.src.rpm, as we first have to fix our drakx-kbd-mouse-x11 pkg!
Comment 8 David GEIGER 2023-06-16 07:09:42 CEST
So all added in task-obsolete except libxxf86misc for now.
Comment 9 papoteur 2023-06-16 11:33:38 CEST
The code which uses libxxf86misc has been present since about 2005. It seems to concern a test of the X server and another part for mouse settings.
https://gitweb.mageia.org/software/drakx-kbd-mouse-x11/tree/lib/xf86misc/main.xs
Who knows how this works? Not me.
I suggest keeping it so as not to block the Mageia 9 release.
For the X test, an option is to withdraw it; this is not so important.
We still need to investigate the initIMPS2 function.

CC: (none) => yves.brungard_mageia

Nicolas Lécureuil 2023-06-16 16:20:22 CEST

Priority: release_blocker => High

Comment 10 Thomas Backlund 2023-06-23 18:21:48 CEST
drakx relies on libxxf86misc, so its removal broke stage2 installer (bug 31867), so I've restored the deps so stage2 installer works again, ...

that will need to be reviewed for mga10
Comment 11 Thomas Backlund 2023-06-23 18:22:16 CEST
bug 32031 that is
Comment 12 Morgan Leijström 2023-06-26 17:58:20 CEST
If we are satisfied with dropping packages for Mageia 9 release, 
please drop blocking of
 Bug 30163 - [TRACKER] Packages that need to be obsoleted for Mageia 9 release
Comment 13 Chris Denice 2023-08-28 16:09:19 CEST
FI, I am just having a few proprietary programs failing on mga9 as they are looking for libXp.
I was able to fix my very personal issue by building from obsolete/libxp, which does not depend on other obsoleted packages. Bug reports on that will possibly come.

Cheers,
Chris.

CC: (none) => eatdirt

