#958250 Use system libjsonparser-dev

Package:
src:vlc
Source:
vlc
Submitter:
Yangfl
Date:
2022-05-17 17:39:05 UTC
Severity:
wishlist
Tags:
#958250#5
Date:
2020-04-20 01:06:51 UTC
From:
To:
Hi,

As libjsonparser-dev is now available, please consider linking against
system library instead of bundled json.c.

#958250#10
Date:
2020-04-20 10:51:09 UTC
From:
To:
Control: tags -1 moreinfo

The last release of libjsonparser was in 2014. In the meantime, vlc's
copy has seen some fixes (more so in the master branch than the current
version in Debian). Are there any plans upstream to release a new
version of libjsonparser? I don't think switching vlc to an
older libjsonparser makes sense.

Cheers

#958250#17
Date:
2020-04-20 11:07:40 UTC
From:
To:
Quoting Sebastian Ramacher (2020-04-20 12:51:09)
libjsonparser probably doesn't follow this bugreport.

Probably helpful to go the other way: Inform libjsonparser upstream (or
at least Debian maintainers of its package) about fixes existing
downstream in VLC.


 - Jonas

#958250#22
Date:
2020-04-20 11:20:59 UTC
From:
To:
Yangfl is the package maintainer of libjsonparser in Debian …

Cheers

#958250#27
Date:
2020-04-20 11:29:29 UTC
From:
To:
Quoting Sebastian Ramacher (2020-04-20 13:20:59)

Good point.

Still, better to share issues with libjsonparser as a bugreport against
libjsonparser rather than here.

 - Jonas

#958250#32
Date:
2020-04-21 04:49:09 UTC
From:
To:
Jonas Smedegaard <jonas@jones.dk> wrote on Mon, Apr 20, 2020 at 7:29 PM:
I reviewed json.c in vlc and it seems to be an outdated version (1.0.0)
rather than 1.1.0. Some problems (like 'Fix check for
json_relaxed_commas') are already fixed in 1.1.0 in another way. Other
fixes https://github.com/videolan/vlc/commits/master/modules/misc/webservices/json.c
are all minor but I will pick them into the Debian package.

#958250#37
Date:
2020-04-21 07:18:47 UTC
From:
To:
Okay, thanks for the investigation.

But anyway, is libjsonparser's upstream still active? No release since
2014 doesn't suggest that they are. If that is not the case and we end
up with libjsonparser being maintained in Debian, this means that
changing vlc to libjsonparser is not upstreamable. Due to the size and
security history of vlc, I'd like to avoid that.

Cheers

#958250#42
Date:
2020-04-21 07:23:57 UTC
From:
To:
Control: tags -1 + wontfix

I think I just found the answer:
https://github.com/udp/json-parser/issues/82, so that's a no.

Cheers

#958250#49
Date:
2020-04-21 09:59:20 UTC
From:
To:
Quoting Sebastian Ramacher (2020-04-21 09:23:57)

A security bug in libjsonparser should be fixed for all consumers of
that library, not only for VLC.

If upstream project is dead, and VLC discovers and fixes a bug in the
library, then that bugfix should be forwarded to the Debian package so
that other consumers benefit from it as well.

Only if VLC changes the API of libjsonparser, effectively forking it
(and that fork is not packaged separately in Debian!) does it make sense
to keep using an embedded code copy.

 - Jonas

#958250#54
Date:
2022-05-17 17:28:32 UTC
From:
To:
On Tuesday, 21 April 2020, 12.59.20 EEST, Jonas Smedegaard wrote:

As an upstream developer, I would counter that it is up to Debian,
specifically, the maintainers of the affected package (not VLC) to take bug fixes
if their upstream is dead.

In general and overall, VLC has a pretty good track record of enabling Linux
distros to use system library builds rather than embedded ones.

But to put things back into historical context, libjsonparser was added to
Debian in 2018. VLC has depended on it since 2012 and it is quite a small
library, so that's that.

With that said, in this particular case, VLC 4.0 is probably getting rid of
libjsonparser entirely in favour of a different implementation, so the
motivation for overhauling the build system around it is pretty much
nonexistent from the VLC project side.