Bug 1144260 - Drop jasper dependency from opencv
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Other
Importance: P5 - None : Normal
Assigned To: Stefan Brüns
Blocks: 1130404
Reported: 2019-08-05 09:41 UTC by Michael Vetter
Modified: 2022-01-12 14:45 UTC

Description Michael Vetter 2019-08-05 09:41:10 UTC
Regarding bsc#1130404.

We plan to drop libjasper from the repos.
Let's remove the build dependency on libjasper from opencv and thus disable JPEG2000 support.

Upstream issues:
https://github.com/opencv/opencv/issues/14145
https://github.com/opencv/opencv/issues/10453
https://github.com/opencv/opencv/issues/5849
Comment 1 Michael Vetter 2019-08-26 10:16:20 UTC
SR#726130
Comment 2 Michael Vetter 2019-09-02 11:37:17 UTC
SR#726173 did so far not get accepted.
Copying comments here to have everything in one place.

maintainer:
I don't think it is a good idea to drop JPEG2000 support completely.

me:
Yes, please comment this on https://bugzilla.suse.com/show_bug.cgi?id=1144260 which was opened quite some time ago. As also mentioned there, there are upstream issues: https://github.com/opencv/opencv/issues/14145 https://github.com/opencv/opencv/issues/10453 https://github.com/opencv/opencv/issues/5849

And JPEG2000 is not really a popular format, so I don't think opencv suffers a lot when it's disabled. Debian, Gentoo, Alpine also are disabling this as we speak. Debian actually did years ago.

maintainer:
Jpeg2000 is quite popular in the geo sciences.
Comment 3 Michael Vetter 2019-09-03 11:52:31 UTC
@Stefan, Jasper will be removed from openSUSE repos. So it would be cool if you could accept the SR.

Jasper has many security issues. Upstream is very inactive.

If you don't want to lose JPEG2000 support in opencv you can either try to provide fixes for the jasper issues so it can stay or you can help opencv upstream by porting opencv to openjpeg.

They have two issues open (since 2015/2018) for this:
https://github.com/opencv/opencv/issues/5849
https://github.com/opencv/opencv/issues/10453
Comment 7 Johannes Segitz 2019-10-15 06:40:26 UTC
So from a security POV we're in favor of dropping jasper. Since opencv is the only package depending on it we would like to ask you to please accept the submit authored by Michael. 

jasper is a constant pain for us and is a risk to the users of your package. Losing jpeg2000 support is unfortunate, but the risk introduced by the usage of jasper outweighs this.
Comment 8 Stefan Brüns 2020-01-21 05:08:24 UTC
Just dropping the build dependency causes OpenCV to use its own bundled version of Jasper (1.900.1), which contains significantly more vulnerabilities than the current distro version.

I have started working on OpenCV JPEG2000 support via OpenJPEG, but this will take some time.
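A check for the fallback described in comment 8, as an added example that is not part of the original thread or of OpenCV's code: it classifies the JPEG 2000 line of an OpenCV build summary (the text `cv2.getBuildInformation()` returns) so a packager can confirm that dropping the build dependency really removed Jasper. The sample lines are constructed and their exact layout is an assumption.

```python
import re

# Constructed excerpts in the layout of OpenCV's build summary (the text
# returned by cv2.getBuildInformation()); the exact wording is an assumption.
BUNDLED = "  Media I/O:\n    JPEG 2000:                   build (ver 1.900.1)\n"
SYSTEM = "  Media I/O:\n    JPEG 2000:                   /usr/lib64/libjasper.so (ver 2.0.14)\n"
DISABLED = "  Media I/O:\n    JPEG 2000:                   NO\n"
OPENJPEG = "  Media I/O:\n    JPEG 2000:                   OpenJPEG (ver 2.3.1)\n"

LINE = re.compile(r"^[ \t]*JPEG 2000:[ \t]*(.*?)[ \t]*$", re.MULTILINE)
VERSION = re.compile(r"\(ver ([^)]+)\)")


def jpeg2000_backend(build_info):
    """Classify the JPEG 2000 codec named in an OpenCV build summary."""
    line = LINE.search(build_info)
    if line is None:
        return {"kind": "absent", "version": None}
    value = line.group(1)
    if value.upper() == "NO":
        return {"kind": "disabled", "version": None}
    ver = VERSION.search(value)
    version = ver.group(1) if ver else None
    if "openjpeg" in value.lower() or "openjp2" in value.lower():
        kind = "openjpeg"
    elif value.startswith("build"):
        # "build" marks a copy compiled from OpenCV's own source tree;
        # 1.900.x is the bundled Jasper version named in comment 8.
        kind = "bundled-jasper" if (version or "").startswith("1.900") else "bundled-other"
    elif "jasper" in value.lower():
        kind = "system-jasper"
    else:
        kind = "unknown"
    return {"kind": kind, "version": version}


def jasper_linked(build_info):
    """True when the build still contains Jasper, bundled or from the distro."""
    return jpeg2000_backend(build_info)["kind"] in ("bundled-jasper", "system-jasper")


if __name__ == "__main__":
    for name, text in [("bundled", BUNDLED), ("system", SYSTEM),
                       ("disabled", DISABLED), ("openjpeg", OPENJPEG)]:
        print(name, jpeg2000_backend(text), "jasper:", jasper_linked(text))
```

On an installed package, pass the output of `cv2.getBuildInformation()` to `jasper_linked()`; a result of `True` after the dependency was dropped indicates the bundled copy was picked up.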
Comment 9 Michael Vetter 2020-01-21 08:34:19 UTC
(In reply to Stefan Brüns from comment #8)
> Just dropping the build dependency causes OpenCV to use its own bundled
> version of Jasper (1.900.1), which contains significantly more
> vulnerabilities than the current distro version.

There were several packages using jasper. They are not my packages. The bugs were created and assigned to the maintainers of the respective packages. Like this bug is assigned to you, but you chose to ignore it for months.

I created the SR as a favour, but I didn't check the package deeply enough it seems. In any case I think this is the responsibility of the respective maintainer.

> I have started working on OpenCV JPEG2000 support via OpenJPEG, but this
> will take some time.

This is good. If you start this now it's good. But it would have been even better if you could have started this when the bug report was created.

Maybe OpenCV will lose JPEG2000 support in the meantime if Jasper is removed already, and can only have it back once the openjpeg solution is implemented. But let's see what will happen.
Comment 10 Michael Vetter 2020-01-28 12:39:53 UTC
SR#766065 was accepted to the devel project.
Comment 11 Michael Vetter 2020-01-31 14:38:24 UTC
SR#767987 got accepted to Factory.
Comment 12 Michael Vetter 2020-01-31 14:39:50 UTC
Stefan started an attempt to port OpenCV to openjpeg: https://github.com/StefanBruens/opencv/tree/jpeg2000_openjpeg_port

See https://github.com/opencv/opencv/issues/5849#issuecomment-579951522
Comment 13 Michael Vetter 2020-03-27 08:48:16 UTC
Stefan's work was merged today: https://github.com/opencv/opencv/pull/16494