Concerning libjasper

Mathieu Malaterre malat at debian.org
Mon Oct 18 13:37:02 BST 2021


Hi all,

On Mon, Oct 18, 2021 at 5:35 AM Norbert Preining <norbert at preining.info> wrote:
>
> Hi all,
>
> sending everyone that discussed on the bug an email.
>
> Since version 2.0.19 (2020-07-11) libjasper is now reasonably active
> maintained and CVEs have been dealt with.
>
> For support in some KDE/Plasma packages I have revived/made some
> packaging of the current version (2.0.33, from 2021-08-01).
>
> Adam, are you still interested in getting this back into Debian?
> Any other comment?
>
> BTW, my source package are built on OBS:
> https://build.opensuse.org/package/show/home:npreining:debian-kde:other-deps/jasper

In case this was missed in the original thread. The reason why I
switched from jasper to openjpeg was mainly because of:

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681234

I do not know if this has been fixed upstream since.

In any case: imagemagick, poppler and gdcm have all switched to
openjpeg 2.x ABI (see usertag: stretch2000). I believe chrome is also
using openjpeg for the PDF support. I see that opencv has support for
openjpeg:

* https://github.com/opencv/opencv/blob/master/modules/imgcodecs/src/grfmt_jpeg2000_openjpeg.cpp

Technically opencv is built against gdcm, so openjpeg is already a
dependency of opencv in Debian.

Things may have changed a bit, but I believe openjpeg supports
decoding by tile (I believe jasper required the entire image in
memory).

I do not mind having another jpeg 2000 implementation in Debian, but
keep in mind that those low level imaging libraries have all sort of
potential CVEs attached to them.

Would be nice to include the KDE rationale for picking jasper over
openjpeg, maybe there is a particular feature that is missing, that
may convince debian-security team to help with maintenance.

2cts
-M



More information about the pkg-kde-talk mailing list