Bug 2345782 - Please branch and build yajl in epel10
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: yajl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Berrangé
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2345748 2357208
Reported: 2025-02-14 16:26 UTC by Jonathan Wright
Modified: 2025-05-27 19:23 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-02-14 17:03:46 UTC
Type: ---
Embargoed:



Description Jonathan Wright 2025-02-14 16:26:35 UTC
Please branch and build yajl in epel10.

If you do not wish to maintain yajl in epel10,
or do not think you will be able to do this in a timely manner,
the epel-packager-sig would be happy to be a co-maintainer of the package;
please add the epel-packager-sig group through
https://src.fedoraproject.org/rpms/yajl/addgroup
and grant it commit access, or collaborator access on epel* branches.

Please also add me as a co-maintainer (FAS: jonathanspw)
through https://src.fedoraproject.org/rpms/yajl/adduser

Comment 1 Daniel Berrangé 2025-02-14 16:44:09 UTC
FYI, I have a published plan to orphan yajl in Fedora later this year because it has been dead for 10 years with multiple unfixed CVEs upstream.

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/YPFHPOKAND3RZR7ZKWTDHUQEESG6IUJ3/

Any application relying on yajl is exposing its users to these flaws because not all distros will have identified and fixed all the yajl CVEs scattered around the bug tracker(s).

I'm suggesting that anyone who identifies a package depending on yajl request their upstream to port to jansson or json-c as a high-priority task, as these two projects are actively maintained and more widely used.

This is why I had yajl removed from forthcoming RHEL-10, and would thus strongly discourage re-introducing it via EPEL-10.

If you nonetheless want to go ahead with this in EPEL-10, I won't add it myself, but will grant you permissions as maintainer.

Comment 2 Jonathan Wright 2025-02-14 16:52:20 UTC
This will gimp a few collectd plugins that rely on yajl, namely ceph, curl_json, ovs_events, ovs_stats and log_logstash.

If you'll give my fas permissions I'd appreciate it.  I don't plan to build or ship this right now but may at a later time.  I'm going to try to avoid it and will probably just stop shipping these collectd plugins.

Thanks for the heads up on the state of yajl.

Comment 3 Daniel Berrangé 2025-02-14 17:03:46 UTC
(In reply to Jonathan Wright from comment #2)
> This will gimp a few collectd plugins that rely on yajl, namely ceph,
> curl_json, ovs_events, ovs_stats and log_logstash.

Yep, it's not great, but I figured by giving a heads-up there's a bit of time for the Fedora maintainers to encourage the respective upstream projects to replace use of yajl.


> If you'll give my fas permissions I'd appreciate it.  I don't plan to build
> or ship this right now but may at a later time.  I'm going to try to avoid
> it and will probably just stop shipping these collectd plugins.

Done

