[Bug 1987678] Re: Backport jansson 2.14 to jammy from kinetic

Loïc Minier 1987678 at bugs.launchpad.net
Wed Dec 7 16:25:06 UTC 2022


Thanks for the review Robie!

Agreed that verification makes sense with a program built against both
libraries before and after this fix.

Why backport 2.14 rather than cherry-pick the corresponding change? It
would be feasible to cherry-pick just the change to add symbol
versioning (you can see it here:
https://github.com/akheron/jansson/pull/540/files), but IMO:

1) we'd have to autoreconf in a patch or at build-time, which would be a
similar amount of noise in build files (the patch touches configure.ac,
Makefile.am, CMakeLists.txt)

2) I think it's good to land the actual version number bump along with
this kind of change: it reflects through the version number that we have
this fix in (I know the proper way to check if a feature is there is to
test for the feature and not the upstream version), in particular when
it's about adding symbol versioning

3) the other minor changes in the new upstream release all seemed
conservative fixes addressing simple issues that seemed LTS worthy (some
even seemed to border on improving the security of some functions)

4) taking the backport as a whole seemed simplest and less risky than
splitting things up

Hope you see the same pros and cons and why we went this way

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1987678

Title:
  Backport jansson 2.14 to jammy from kinetic

Status in jansson package in Ubuntu:
  Fix Released
Status in jansson source package in Jammy:
  Incomplete

Bug description:
  [Impact]

   * jansson 2.13 has a symbol conflict with the json-c library
  (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966398 &
  https://github.com/akheron/jansson/issues/523). So if an application
  is linking to both jansson and json-c, there will be a 50% chance that
  it references a wrong symbol, which leads to SIGSEGV

   * In order to fix this issue, both json-c and jansson need to add
  symbol versioning. The jansson library added this in 2.14 (not yet in
  jammy) while json-c added it in 0.15 (already in jammy)

   * And the affected application should be rebuilt against the latest
  json-c and jansson libraries in order to have the correct symbol
  linked

  
  [Test Plan]
   * jansson is basically available on all of the CPU architectures. So
  the 1st test will be building in a personal PPA to see if it can be
  built on every platform.

   * Some of the libraries mentioned in the upstream issue checker can be
  used to verify the fix. But since I am working on a package in a
  private project which is hitting the issue, I am testing with my
  private packages (which are on the arm64 platform)

   * Looking into the packages that depend on jansson, there are a large
  number of packages including network-manager. So I tried to pick 2
  packages on my desktop to verify if there is a regression
  1. network-manager, since it is widely used in Ubuntu
  2. emacs, since jansson is a JSON parser, so I picked an application in
  which I can do some operation on JSON (e.g. formatting in emacs)


  [Where problems could occur]

   * jansson upstream is well maintained and there is also a CI test job.
  jansson 2.14 is also packaged and maintained by the Debian community.
  It has been available for a few months already. So in general, the
  risk of regression is low from that perspective.

   * When looking into the changes between 2.13 and 2.14, there are
  changes in test coverage and some tidy up on the build scripts. The
  changes look safe but certainly there can be mistakes and behaviour
  changes. But jansson does not depend on other packages and so this
  kind of regression in the build scripts should be easily caught by
  test builds on different architectures and a simple integration test
  with a package that depends on jansson.

   * On the library itself, it added symbol versioning to fix the bug
  and at the same time there are 3 new APIs added in 2.14. But these
  changes should be backward compatible. But since there are new symbols
  added, there can be new symbol conflicts with other libraries, but the
  impact should just be similar to the original bug, in that it already
  conflicts with json-c. There are also misc fixes like snprintf
  checking which look to be safe.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jansson/+bug/1987678/+subscriptions
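
An added example, not part of the original message or of either project's code: a check for the condition the bug description gives, where a name exported by both libraries stays ambiguous unless both definitions carry distinct symbol versions. The listings are constructed in the style of `nm -D --defined-only` output, and the addresses and EXAMPLE_* version node names are placeholders.

```python
import re

# Constructed listings in the style of `nm -D --defined-only` output; the
# addresses and the EXAMPLE_* version node names are placeholders, not
# values taken from any real build of either library.
JANSSON_UNVERSIONED = """\
0000000000005a10 T json_object_get
0000000000005b40 T json_object_iter_next
0000000000004f00 T json_loads
"""
JANSSON_VERSIONED = """\
0000000000005a10 T json_object_get@@EXAMPLE_JANSSON
0000000000005b40 T json_object_iter_next@@EXAMPLE_JANSSON
0000000000004f00 T json_loads@@EXAMPLE_JANSSON
"""
JSONC_VERSIONED = """\
0000000000007c20 T json_object_get@@EXAMPLE_JSONC
0000000000008d10 T json_object_iter_next@@EXAMPLE_JSONC
0000000000006e00 T json_tokener_parse@@EXAMPLE_JSONC
"""

LINE = re.compile(r"^[0-9a-fA-F]+\s+([A-Za-z])\s+(\S+)$")


def exported(listing):
    """Map each defined global symbol name to its version node (None if unversioned)."""
    table = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) not in "TDBRWV":
            continue  # not a defined global code/data symbol
        name, _, version = m.group(2).partition("@")
        table[name] = version.lstrip("@") or None
    return table


def ambiguous(listing_a, listing_b):
    """Names exported by both libraries that versioning cannot tell apart."""
    a, b = exported(listing_a), exported(listing_b)
    return sorted(n for n in a.keys() & b.keys()
                  if a[n] is None or b[n] is None or a[n] == b[n])


if __name__ == "__main__":
    print("before:", ambiguous(JANSSON_UNVERSIONED, JSONC_VERSIONED))
    print("after: ", ambiguous(JANSSON_VERSIONED, JSONC_VERSIONED))
```
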



