HEADSUP: pcre security announcement

Yaakov S yselkowitz@users.sourceforge.net
Wed Sep 7 22:45:00 GMT 2005

Corinna Vinschen wrote:
> First a question to the maintainers in general:
> There's a dependency in pcre's setup.hint which pulls in the old libpcre
> which I created ages ago and which lacks versioning support.  I just
> checked and we don't have any package left which requires the old libpcre.
> Shouldn't we finally pull this crap from the distro?

I tried to keep the setup.hint dependencies the same as before to
prevent possible setup.exe breakage for the moment.  If there's nothing
in the distro that actually depends on the unversioned libpcre, then
IMHO it should be pulled from the mirrors (along with everything else
4.x), as it is also seemingly affected by the aforementioned security issue.

> Did you run the testsuite?  Did you already install it on your machine
> instead of the current pcre?  Otherwise, seriously, how do we test this
> package except for installing it?!?  I did some simple grep -P tests
> which still work, AFAICS, and ...

I did run the testsuite, and everything passed except for one of the
pcrecpp tests.  As libpcrecpp is new in this release, and hence not
critical, I decided to go provide it anyway in the meantime.

> ... the packaging looks good, so, if you don't mind, I don't mind to
> upload it immediately and throw the Cygwin community into cold water.
> I just would like to remove the libpcre dependency, even if we don't
> remove the libpcre package.

By all means.

