Description of problem: GStreamer 1.0 (gstreamer1 in Fedora) has been released 5 years ago. It does provide replace the gstreamer package. The 0.1x version has not seen any update for 6 years. In that time, it has seen a lot of security vulnerabilities fixed in the 1.x but not in the 0.1x series: https://www.cvedetails.com/vulnerability-list/vendor_id-9481/Gstreamer.html https://www.cvedetails.com/vendor/16047/Gstreamer-Project.html We don't need to see another Stagefright fiasco, thus I suggest dropping this package asap. Since this probably is a system wide change, it will have to wait until Fedora 29 anyway. Version-Release number of selected component (if applicable): 0.10.36-18.fc27 How reproducible: always
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
I'm all for it. There are quite a bit of packages still depending on it, though.
Thank you filing this bug. Someone should check if the deps can be ported to new gstreamer.
On an updated F28 system, I get these packages (duplicates for i686 architecture removed): $ dnf repoquery --alldeps --whatrequires gstreamer anchorman-0:0.0.1-13.fc28.x86_64 banshee-community-extensions-0:2.4.0-19.fc28.x86_64 bigloo-libs-0:4.3a-3.fc28.x86_64 clutter-gst-0:1.6.0-20.fc28.x86_64 drawtk-0:2.0-6.fc28.x86_64 flumotion-0:0.11.0.1-9.20140103git886031a.fc28.x86_64 gloobus-preview-0:0.4.1-34.fc28.x86_64 gnome-mud-0:0.11.2-22.fc28.x86_64 gnomebaker-0:0.6.4-29.fc28.x86_64 gstreamer-devel-0:0.10.36-18.fc27.x86_64 gstreamer-devel-docs-0:0.10.36-18.fc27.noarch gstreamer-ffmpeg-0:0.10.13-19.fc28.x86_64 gstreamer-plugins-bad-0:0.10.23-10.fc28.x86_64 gstreamer-plugins-bad-free-0:0.10.23-45.fc28.x86_64 gstreamer-plugins-bad-free-extras-0:0.10.23-45.fc28.x86_64 gstreamer-plugins-bad-nonfree-0:0.10.23-6.fc28.x86_64 gstreamer-plugins-base-0:0.10.36-18.fc27.x86_64 gstreamer-plugins-base-tools-0:0.10.36-18.fc27.x86_64 gstreamer-plugins-fc-0:0.2-16.fc28.x86_64 gstreamer-plugins-good-0:0.10.31-20.fc27.x86_64 gstreamer-plugins-good-extras-0:0.10.31-20.fc27.x86_64 gstreamer-plugins-ugly-0:0.10.19-27.fc28.x86_64 gstreamer-rtsp-0:0.10.8-18.fc28.x86_64 iptux-0:0.5.1-20.fc28.x86_64 moodbar-0:0.1.2-18.fc27.x86_64 oggconvert-0:0.3.3-16.fc27.noarch perl-GStreamer-0:0.20-11.fc28.x86_64 perl-GStreamer-Interfaces-0:0.06-17.fc28.x86_64 player-0:3.1.0-8.fc28.x86_64 pocketsphinx-plugin-0:0.8-19.fc28.x86_64 presence-0:0.4.8-18.fc28.x86_64 psimedia-0:1.0.3-20.fc28.x86_64 python2-gstreamer-0:0.10.22-17.fc28.x86_64 python2-gstreamer-rtsp-0:0.10.8-18.fc28.x86_64 sap-0:0.5.1-16.fc28.x86_64 winswitch-0:0.12.21-23.fc28.noarch wxGTK-media-0:2.8.12-30.fc28.x86_64 xfce4-mixer-0:4.10.0-14.fc28.x86_64
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
On Fedora 30, the list is getting shorter: $ dnf repoquery --alldeps --whatrequires gstreamer | grep --invert-match "i686" anchorman-0:0.0.1-15.fc30.x86_64 banshee-community-extensions-0:2.4.0-22.fc30.x86_64 bigloo-libs-0:4.3e-2.fc30.x86_64 drawtk-0:2.0-8.fc30.x86_64 flumotion-0:0.11.0.1-12.20140103git886031a.fc30.x86_64 frogr-0:1.5-2.fc30.x86_64 gloobus-preview-0:0.4.1-36.fc30.x86_64 gnome-mud-0:0.11.2-24.fc30.x86_64 gnomebaker-0:0.6.4-31.fc30.x86_64 gstreamer-devel-0:0.10.36-18.fc27.x86_64 gstreamer-devel-docs-0:0.10.36-18.fc27.noarch gstreamer-ffmpeg-0:0.10.13-21.fc30.x86_64 gstreamer-plugins-bad-0:0.10.23-12.fc30.x86_64 gstreamer-plugins-bad-free-0:0.10.23-49.fc30.x86_64 gstreamer-plugins-bad-free-extras-0:0.10.23-49.fc30.x86_64 gstreamer-plugins-bad-nonfree-0:0.10.23-9.fc30.x86_64 gstreamer-plugins-base-0:0.10.36-18.fc27.x86_64 gstreamer-plugins-base-tools-0:0.10.36-18.fc27.x86_64 gstreamer-plugins-fc-0:0.2-18.fc30.x86_64 gstreamer-plugins-good-0:0.10.31-20.fc27.x86_64 gstreamer-plugins-good-extras-0:0.10.31-20.fc27.x86_64 gstreamer-plugins-ugly-0:0.10.19-32.fc30.x86_64 gstreamer-rtsp-0:0.10.8-24.fc30.x86_64 iptux-0:0.5.1-22.fc30.x86_64 moodbar-0:0.1.2-19.fc29.x86_64 oggconvert-0:0.3.3-20.fc30.noarch perl-GStreamer-0:0.20-14.fc30.x86_64 player-0:3.1.0-14.fc30.x86_64 psimedia-0:1.0.3-22.fc30.x86_64 python2-gstreamer-0:0.10.22-20.fc30.x86_64 winswitch-0:0.12.21-26.fc30.noarch Removing the gstreamer packages and its language bindings from the list only leaves us with 15 packages: anchorman-0:0.0.1-15.fc30.x86_64 (upstream is dead and gone) banshee-community-extensions-0:2.4.0-22.fc30.x86_64 bigloo-libs-0:4.3e-2.fc30.x86_64 drawtk-0:2.0-8.fc30.x86_64 flumotion-0:0.11.0.1-12.20140103git886031a.fc30.x86_64 frogr-0:1.5-2.fc30.x86_64 (can be built with GStreamer 1.x) gloobus-preview-0:0.4.1-36.fc30.x86_64 gnome-mud-0:0.11.2-24.fc30.x86_64 gnomebaker-0:0.6.4-31.fc30.x86_64 (latest upstream release >10 years ago) iptux-0:0.5.1-22.fc30.x86_64 (fedora package completely unmaintained, waiting for update for >1 year) moodbar-0:0.1.2-19.fc29.x86_64 (fedora package completely unmaintained, FTBFS, new upstream with new version using GStreamer 1.x) oggconvert-0:0.3.3-20.fc30.noarch (latest upstream release 9 years ago) player-0:3.1.0-14.fc30.x86_64 psimedia-0:1.0.3-22.fc30.x86_64 (fedora package unmaintained, waiting for update for >5 years) winswitch-0:0.12.21-26.fc30.noarch I think most of these packages will never be updated again ever. Throwing them away wouldn't cost a thing but keeping security critical bugs around is a risk. (In reply to Wim Taymans from comment #2) > I'm all for it. There are quite a bit of packages still depending on it, > though. (In reply to Huzaifa S. Sidhpurwala from comment #3) > Thank you filing this bug. Someone should check if the deps can be ported to > new gstreamer. I think that does not matter. GStreamer is parsing untrusted data and has hundreds of known unfixed security-critical bugs. This is the same situation as WebKit1, which has been dropped by the maintainers and forced all dependencies to update or retire. With WebKit, this was a very good decision imho and I think gstreamer 0.1x should be retired the same way.
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to 31.
I still need it for VMware Horizon Client. It's likely VMware won't move off it by the time Fedora 32 is released, so I'd like to keep it for a bit longer.
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
I guess this can be closed as gstreamer-0.10 was retired. FWIW, we moved gstreamer to RPM Fusion for those who still need it for some reason. As for my case, VMware is saying they'll move to GStreamer 1.x in a future release, so at least they're aware.