#1000065 grok: depends on obsolete pcre3 library

Package:
src:grok
Source:
grok
Submitter:
Matthew Vernon
Date:
2025-08-11 15:23:09 UTC
Severity:
important
Tags:
#1000065#5
Date:
2021-11-18 11:49:04 UTC
From:
To:
Dear maintainer,

Your package still depends on the old, obsolete PCRE3[0] libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, I
would like to remove the pcre3 libraries from Debian, preferably in
time for the release of Bookworm.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Regards,

Matthew [0] Historical reasons mean that old PCRE is packaged as
pcre3 in Debian

#1000065#16
Date:
2023-12-09 08:17:54 UTC
From:
To:
Please find a patch attached.  Tested with the examples only.  Also
tested discogrok with

$ discogrok --verbose --patterns /usr/share/grok/patterns/base

It hangs at this line:

[855838]   [capture] [grok_capture_add:28] Adding pattern 'YEAR' as capture 0 (pcrenum 1)

But so does unpatched discogrok from sid.

Note that this patch breaks the libgrok ABI since the library exposes
the PCRE API.  As libgrok does not have any reverse dependencies in
Debian (even grok itself doesn't link with it), the second patch
simply removes it.  Alternatively, if you wish to retain it, you'd
have to bump the SONAME (using a Debian-specific one, perhaps) and the
package has to pass through NEW.  IMHO that's too much trouble for an
unused library, but of course it's up to you as maintainer.