Hi, As libjsonparser-dev is now available, please consider linking against system library instead of bundled json.c.
Control: tags -1 moreinfo
The last release of libjsonparser was in 2014. In the meantime, vlc's copy has seen some fixes (more so in the master branch than the current version in Debian). Are there any plans upstream to release a new version of libjsonparser? I don't think switching vlc to an older libjsonparser makes sense. Cheers
Quoting Sebastian Ramacher (2020-04-20 12:51:09) libjsonparser probably doesn't follow this bug report. Probably helpful to go the other way: Inform libjsonparser upstream (or at least Debian maintainers of its package) about fixes existing downstream in VLC. - Jonas
Yangfl is the package maintainer of libjsonparser in Debian … Cheers
Quoting Sebastian Ramacher (2020-04-20 13:20:59) Good point. Still, better to share issues with libjsonparser as a bug report against libjsonparser rather than here. - Jonas
Jonas Smedegaard <jonas@jones.dk> wrote on Monday, 20 April 2020 at 7:29 PM: I reviewed json.c in vlc and it seems to be an outdated version (1.0.0) rather than 1.1.0. Some problems (like 'Fix check for json_relaxed_commas') are already fixed in 1.1.0 in another way. Other fixes https://github.com/videolan/vlc/commits/master/modules/misc/webservices/json.c are all minor but I will pick them into the Debian package.
Okay, thanks for the investigation. But anyway, is libjsonparser's upstream still active? No release since 2014 doesn't suggest that they are. If that is not the case and we end up with libjsonparser being maintained in Debian, this means that changing vlc to libjsonparser is not upstreamable. Due to the size and security history of vlc, I'd like to avoid that. Cheers
Control: tags -1 + wontfix
I think I just found the answer: https://github.com/udp/json-parser/issues/82, so that's a no. Cheers
Quoting Sebastian Ramacher (2020-04-21 09:23:57) A security bug in libjsonparser should be fixed for all consumers of that library, not only for VLC. If upstream project is dead, and VLC discovers and fixes a bug in the library, then that bugfix should be forwarded to the Debian package so that other consumers benefit from it as well. Only if VLC changes the API of libjsonparser, effectively forking it (and that fork is not packaged separately in Debian!) does it make sense to keep using an embedded code copy. - Jonas
On Tuesday, 21 April 2020, 12.59.20 EEST, Jonas Smedegaard wrote: As an upstream developer, I would counter that it is up to Debian, specifically, the maintainers of the affected package (not VLC) to take bug fixes if their upstream is dead. In general and overall, VLC has a pretty good track record of enabling Linux distros to use system library builds rather than embedded ones. But to put things back into historical context, libjsonparser was added to Debian in 2018. VLC has depended on it since 2012 and it is quite a small library, so that's that. With that said, in this particular case, VLC 4.0 is probably getting rid of libjsonparser entirely in favour of a different implementation, so the motivation for overhauling the build system around it is pretty much nonexistent from the VLC project side.