GNU bug report logs - #77350
[PATCH 0/6] More OpenEXR 2 to 3 migration

Package: guix-patches;

Reported by: Vinicius Monego <monego <at> posteo.net>

Date: Sat, 29 Mar 2025 02:11:02 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>

Bug is archived. No further changes may be made.


Message #32 received at 77350 <at> debbugs.gnu.org:

From: Vinicius Monego <monego <at> posteo.net>
To: Andreas Enge <andreas <at> enge.fr>
Cc: 77350 <at> debbugs.gnu.org
Subject: Re: More OpenEXR 2 to 3 migration
Date: Mon,  7 Apr 2025 11:17:13 +0000
On 01/04/2025 19:16, Andreas Enge wrote:
> Hello Vinicius,
Hello Andreas,
>
> I have independently worked on vigra/hugin during the last days, and
> actually pushed an update of vigra to 1.11.2 today (I wanted to do the
> most conservative update possible to ensure depending packages still
> build and not go down the rabbit hole).
>
> Right now I am updating to 1.12.2 and will push once I have made sure
> that all dependents still build. The aarch64 package also builds.
> I have not moved to openexr@3 and have also not removed ilmbase; what is
> the motivation for this latest change?

The OpenEXR 2 situation may be comparable to GTK2. While not officially 
deprecated (AFAIK), it won't receive any feature updates and I don't 
know whether it is still receiving security updates.

Image processing software (which often handles complex numerical 
operations and data structures) is more likely to have security issues 
related to overflows and openexr has had some in its past. 'guix lint -c 
cve openexr@2' reports one CVE and future CVEs are unlikely to be fixed. 
Upstream also recommends against using version 2: 
https://openexr.com/en/latest/install.html

For guix, it also simplifies the package graph as Hugin depends on both 
openexr 3 and 2 by different inputs.

> However I am building with
> python-numpy@2, which has been made possible in the 1.12 release.
> Could you wait a day or two and then maybe adapt your changes to the new
> package?
>
> I also tried to update hugin, but gave up when I noticed that it would not
> even start. Actually the current hugin with the previous vigra also does
> not start (it opens a window with an error message). Could you maybe
> give it a try?
I did try and had the same result. The current build is also broken 
although for a different reason (I am greeted by a GTK debug screen). I 
am unfamiliar with the program, so I don't know what to expect when it 
works.
>
> The issue has been treated by QA, and there is an openexr related
> problem in vigra-c:
>     https://bordeaux.guix.gnu.org/build/5b70b1d1-2bba-4e60-b131-743f037c197f/log
> This project has seen its latest commit in 2022, and may not be ready
> for a newer openexr version. We might consider removing it, but there is
> a depending package, guile-cv. This package is also not very actively
> developed:
>     https://git.savannah.gnu.org/cgit/guile-cv.git
> Removing these two packages might be an option, but would make sense
> mainly if it enables us to get rid of openexr@2.
>
> Thanks,
>
> Andreas
>
Currently there are only 15 packages having openexr-2 as input. I also 
sent a patch series at 76712 to migrate some more. I have not checked 
all 15, but I estimate less than 5 of them have to depend on openexr-2.

Will have a look at what is happening to vigra-c whenever possible.

Vinicius





This bug report was last modified 113 days ago.
