[Bug 1998095] Re: [MIR] pkgconf, replacement for pkg-config

Gianfranco Costamagna 1998095 at bugs.launchpad.net
Wed Jan 25 16:38:22 UTC 2023


Required TODOs:
1. Does it run autopkgtests? There is a test suite in the sources which runs at build time,

Done.

Recommended TODOs:
2. Debian has bumped version to 1.8.1. There is a very recent CVE, CVE-2023-24056:

Synced.

3. The source package produces 5 binaries, one of them being pkg-config, which iiuc is a transitional
   package, can you please clarify if we need it in main too?


$ reverse-depends -r lunar -b pkgconf |wc -l
83
$ reverse-depends -r lunar -b pkg-config |wc -l
3907


$ reverse-depends -r lunar -b pkg-config -c main |wc -l
606
$ reverse-depends -r lunar -b pkgconf -c main |wc -l
10

Unless we want to patch +600 main packages to switch to pkgconf instead
of pkg-config I prefer to keep it (I don't know why pkgconf is not just
providing pkg-config, probably to ensure people have smooth upgrades).

Maybe in some years from now, we can drop the transitional package and move to a Provides: one, or patch the Debian/Ubuntu archives to use the new naming.
For sure this is something that will eventually come from Debian I would say.


** Changed in: pkgconf (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pkg-config in Ubuntu.
https://bugs.launchpad.net/bugs/1998095

Title:
  [MIR] pkgconf, replacement for pkg-config

Status in pkg-config package in Ubuntu:
  New
Status in pkgconf package in Ubuntu:
  New

Bug description:
  Rationale: Debian moved from pkg-config to new pkgconf version,
  providing same binary.

  Availability: The package is already available in universe and
  building on all archs.

  Rationale: needed for mostly every package in the archive.

  Security: It's well maintained upstream, in Debian, and in Ubuntu.
  There are no known serious issues.

  Only one CVE dated 2018
  CVE-2018-1000221	pkgconf version 1.5.0 to 1.5.2 contains a Buffer Overflow vulnerabilit ...

  
  UI standards: n/a

  Dependencies: atf-sh on i386 is needed to build.

  Standards compliance: no known issues.

  Maintenance: No known issues.

  pkg-config had a long-standing Ubuntu delta, that is now dropped
  because pkgconf supports profiles and the multiarch lib location
  search is now default in Debian too.
