[Privoxy-devel] pcre2 support
Roland Rosenfeld
roland at spinnaker.de
Fri Nov 26 14:50:17 UTC 2021

On Wed, 24 Nov 2021, Fabian Keil wrote:
> On the TODO list there is:
> | 79) Evaluate pcre alternatives.
> https://www.privoxy.org/gitweb/?p=privoxy.git;a=blob;f=TODO;hb=HEAD#l180
>
> I consider pcre2 an alternative but there are others
> and I'm not familiar enough with them to quickly decide
> if they are better or worse for our purposes.
>
> Maybe migrating to pcre2 is less work but at the moment
> I'm not sure about this either.

As an active Perl user, I prefer Perl regular expressions over other
(POSIX and the like) regexps. I think that pcre/pcre2 currently is the
most common Perl regex library, which may imply that it is the most
secure one.

> > Debian is planning to remove the classic pcre (8.39) library in
> > the next release (Bookworm) and substitute it by pcre2.
>
> Is there a time frame?

In https://bugs.debian.org/999981 the Debian maintainer of pcre as
well as pcre2 writes that he would "like to remove the pcre3 libraries from
Debian, preferably in time for the release of Bookworm."

At the moment, there is no schedule for the Bookworm release, but I expect
Bookworm to be frozen around the end of 2022.

Currently there are 212 Debian source packages using the old pcre
library; I have no idea whether all can be changed before Bookworm
release. Depending on the bottom not migrated early enough, packages
may be removed from Bookworm or the old pcre library may stay until
the next release.

Anyway, we should try to migrate away from the obsolete library in the
long term...

> Is python 2.7 already gone?

No, but I'm happy with every piece of software that is migrated to
python 3 and no longer depends on 2.7, since it's not a secure
feeling if you use software that depends on libraries that have no
security support any more.

> It's still part of the FreeBSD ports even though it was
> supposed to expire on 2020-12-31, nearly a year ago.
>
> Due to applications like Mailman (which we also use for
> the Privoxy mailing lists) it hasn't been deleted yet.

Debian replaced mailman by mailman3 (using Python 3) in Debian buster
(which was released in July 2019)...

> I'd expect pcre to have even more consumers than python 2.7.

python2.7 is still part of the Debian buster release (released August
2021), but with an extremely reduced list of libraries and only a
handful of other packages depending on python2.7. So I consider it dead
in Debian.

> > So since pcre1 is now obsolete, it may be a good idea to migrate
> > privoxy to pcre2...
>
> I agree that it could be a good idea but it's not clear to
> me how much time we have left.
>
> At the moment I'm still sitting on a couple of other patches
> that I have to send to Ian for review so I can get the money
> from our SPI account.
>
> I hope to be able to get this done soonish,
> hopefully before the end of the year.

That would be great, I'd really appreciate that. That would be enough
time to intensively test the change and bring it into Bookworm.

I had a look at the code myself and most pcre code is collected in
pcrs.[ch], but to tell the truth, my C skills are too limited to
rewrite pcrs using pcre2 myself and I'm not sure whether completely
replacing pcrs with the new pcre2_substitute API would be the
preferable way (but I fear that's much more work).

Greetings
Roland