Bug 2345782

Summary: Please branch and build yajl in epel10
Product: [Fedora] Fedora
Reporter: Jonathan Wright <jonathan>
Component: yajl
Assignee: Daniel Berrangé <berrange>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: berrange
Last Closed: 2025-02-14 17:03:46 UTC
Bug Blocks: 2345748, 2357208    

Description Jonathan Wright 2025-02-14 16:26:35 UTC
Please branch and build yajl in epel10.

If you do not wish to maintain yajl in epel10,
or do not think you will be able to do this in a timely manner,
the epel-packager-sig would be happy to be a co-maintainer of the package;
please add the epel-packager-sig group through
https://src.fedoraproject.org/rpms/yajl/addgroup
and grant it commit access, or collaborator access on epel* branches.

Please also add me as a co-maintainer (FAS: jonathanspw)
through https://src.fedoraproject.org/rpms/yajl/adduser

Comment 1 Daniel Berrangé 2025-02-14 16:44:09 UTC
FYI, I have a published plan to orphan yajl in Fedora later this year because it has been dead for 10 years with multiple unfixed CVEs upstream.

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/YPFHPOKAND3RZR7ZKWTDHUQEESG6IUJ3/

Any application relying on yajl is exposing its users to these flaws because not all distros will have identified and fixed all the yajl CVEs scattered around the bug tracker(s).

I'm suggesting that anyone who identifies a package depending on yajl request that its upstream port to jansson or json-c as a high-priority task, as these two projects are actively maintained and more widely used.

This is why I had yajl removed from forthcoming RHEL-10, and would thus strongly discourage re-introducing it via EPEL-10.

If you nonetheless want to go ahead with this in EPEL-10, I won't add it myself, but will grant you permissions as maintainer.

Comment 2 Jonathan Wright 2025-02-14 16:52:20 UTC
This will gimp a few collectd plugins that rely on yajl, namely ceph, curl_json, ovs_events, ovs_stats and log_logstash.

If you'll give my fas permissions I'd appreciate it.  I don't plan to build or ship this right now but may at a later time.  I'm going to try to avoid it and will probably just stop shipping these collectd plugins.

Thanks for the heads up on the state of yajl.

Comment 3 Daniel Berrangé 2025-02-14 17:03:46 UTC
(In reply to Jonathan Wright from comment #2)
> This will gimp a few collectd plugins that rely on yajl, namely ceph,
> curl_json, ovs_events, ovs_stats and log_logstash.

Yep, it's not great, but I figured by giving a heads-up there's a bit of time for the Fedora maintainers to encourage the respective upstream projects to replace use of yajl.

> If you'll give my fas permissions I'd appreciate it.  I don't plan to build
> or ship this right now but may at a later time.  I'm going to try to avoid
> it and will probably just stop shipping these collectd plugins.

Done