Re: Bug#862727: RFP: libjasper -- JasPer JPEG-2000 runtime library

2017-05-16 Thread Adam Cecile

Hi,

Thanks for the feedback. I think the CVEs have been addressed upstream 
but ofc, it has to be verified first.
Btw, I'm not involved at all in OpenCV so sadly, my biggest concern is to 
have a working python3 OpenCV package...


Regards, Adam.


On 05/16/2017 12:05 PM, Mathieu Malaterre wrote:

> Hi,
>
> On Tue, May 16, 2017 at 11:40 AM, Adam Cecile wrote:
>> Package: wnpp
>> Severity: wishlist
>> X-Debbugs-CC: debian-devel@lists.debian.org
>>
>> Package name: libjasper
>
> Just keep the old naming convention please: 'jasper'.
>
>> Version: 2.0.12
>> Upstream: Michael David Adams
>> License: JasPer License
>> Description: This package has been scheduled for removal after Stretch
>> release but is very important to me as it can be used to add JPEG 2000 to
>> OpenCV (many satellite images come as JPEG 2000). The new upstream on
>> GitHub provides frequent updates as well as a decent CMake build system so I
>> see no reason to not get it back in the archive :)
>
> At the very least you'll need to address the old CVEs in that case:
>
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=jasper
>
> - CVE-2016-8693
> - CVE-2016-8691
> - CVE-2016-8692
> - CVE-2016-8690
>
> I personally fought against having duplicate JPEG 2000 libraries in
> Debian (esp. since jasper seems dead upstream). I still believe you
> should invest some time in replacing jasper with OpenJPEG throughout
> your OpenCV codebase, since OpenJPEG is used to manipulate satellite
> images in professional environments.
>
> 2cts
> -M





Re: Bug#862727: RFP: libjasper -- JasPer JPEG-2000 runtime library

2017-05-16 Thread Alastair McKinstry
Hi
>> Version: 2.0.12
>> Upstream: Michael David Adams
>> License: JasPer License
>> Description: This package has been scheduled for removal after Stretch
>> release but is very important to me as it can be used to add JPEG 2000 to
>> OpenCV (many satellite images come as JPEG 2000). The new upstream on
>> GitHub provides frequent updates as well as a decent CMake build system so I
>> see no reason to not get it back in the archive :)
> At the very least you'll need to address the old CVEs in that case:
>
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=jasper
>
> - CVE-2016-8693
> - CVE-2016-8691
> - CVE-2016-8692
> - CVE-2016-8690
>
> I personally fought against having duplicate JPEG 2000 libraries in
> Debian (esp. since jasper seems dead upstream). I still believe you
> should invest some time in replacing jasper with OpenJPEG throughout
> your OpenCV codebase, since OpenJPEG is used to manipulate satellite
> images in professional environments.
Hi,

Which file formats are you using?
I've faced a similar problem earlier in GRIB files in Stretch, and
replaced Jasper with OpenJPEG2 to phase out Jasper. I've patches
included in the two GRIB libraries (grib_api, now eccodes, and g2clib)
for openjpeg2. I can help with porting.

Regards
Alastair

>
> 2cts
> -M
>
-- 
Alastair McKinstry
https://diaspora.sceal.ie/u/amckinstry
Misentropy: doubting that the Universe is becoming more disordered. 






Re: Bug#862727: RFP: libjasper -- JasPer JPEG-2000 runtime library

2017-05-16 Thread Mathieu Malaterre
Hi,

On Tue, May 16, 2017 at 11:40 AM, Adam Cecile wrote:
> Package: wnpp
> Severity: wishlist
> X-Debbugs-CC: debian-devel@lists.debian.org
>
> Package name: libjasper

Just keep the old naming convention please: 'jasper'.

> Version: 2.0.12
> Upstream: Michael David Adams
> License: JasPer License
> Description: This package has been scheduled for removal after Stretch
> release but is very important to me as it can be used to add JPEG 2000 to
> OpenCV (many satellite images come as JPEG 2000). The new upstream on
> GitHub provides frequent updates as well as a decent CMake build system so I
> see no reason to not get it back in the archive :)

At the very least you'll need to address the old CVEs in that case:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=jasper

- CVE-2016-8693
- CVE-2016-8691
- CVE-2016-8692
- CVE-2016-8690

I personally fought against having duplicate JPEG 2000 libraries in
Debian (esp. since jasper seems dead upstream). I still believe you
should invest some time in replacing jasper with OpenJPEG throughout
your OpenCV codebase, since OpenJPEG is used to manipulate satellite
images in professional environments.


2cts
-M