[Package Upgrade Request] - libicu
What package is missing from Amazon Linux 2023? Please describe and include package name.
The libicu package is not missing from Amazon Linux 2023, but it requires an update to a more recent version.
Is this an update to existing package or new package request?
This is an update to an existing package.
Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.
libicu is available via Fedora. For example: https://packages.fedoraproject.org/pkgs/icu/libicu/fedora-42.html
Any additional information you'd like to include. (use-cases, etc)
ICU (International Components for Unicode) is actively maintained and frequently updated:
- ICU project releases: https://github.com/unicode-org/icu/releases
- Fedora package updates: https://packages.fedoraproject.org/pkgs/icu/libicu/
Upgrading this package will ensure better compatibility and security for applications that rely on Unicode and internationalization support.
Looks like this is on the list of Pending Fixes - https://explore.alas.aws.amazon.com/CVE-2025-5222.html
This package however should be updated regularly regardless of security fixes.
@Jetski5822 Thank you for the request, the Amazon Linux Team is taking a look.
The system ICU cannot be updated in the lifetime of a distro. It would break way too many things. You will notice that other "enterprise" distributions also do not update it (CentOS 9 is on 67 as well and remains there).
There are a number of reasons for this. A few examples:
- Each release of ICU provides a different soname (libicu.so. major version changes). So they are incompatible with each other, there is no attempt at keeping a stable ABI. So just "updating" it would break anything that was built with the previous version unless a "compat" package is also provided with the older version. This somewhat breaks our ABI guarantees.
- The API also changes sometimes in breaking ways, so updating it would probably break the build of some applications including customer applications.
- The subtle changes to collations (notably ordering of words) between versions are known to cause sneaky issues with some software. For example, postgresql databases can get corrupted and crash if used with different collations than the ones they were created with. This has been a real issue in the past with glibc collations for example. We don't necessarily know all the similar corner cases that could be exposed by an ICU update.
If there is a real and legitimate need to provide an updated ICU version it thus would have to be namespaced. Namespacing the runtime libraries is easy. Namespacing the tools and -devel package is not unless they can be made to conflict with the existing version, but that in turn complicates things when multiple components of a project require different versions for example.
So no, we will not "update" icu for the lifetime of AL2023, just like RedHat will not update it for the lifetime of a RHEL version. We might be able to provide a namespaced updated version with the right justification but the bar is fairly high.
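The collation point in the reply above, as an added example that is not part of the thread or of any project's code: a sorted index built under one set of ordering rules silently stops finding rows when lookups use another. `key_v1` and `key_v2` are constructed stand-ins for two collation versions, not real ICU rules, and the word list is constructed sample data.

```python
import bisect

# Constructed stand-ins for two collation versions. These are NOT real ICU rules.
def key_v1(s):
    """'Old' rules: punctuation is ignored when ordering."""
    return "".join(c for c in s.lower() if c.isalnum())

def key_v2(s):
    """'New' rules: punctuation is significant and sorts before letters."""
    return s.lower()

WORDS = ["co-op", "coat", "cone", "cook", "coop", "cop"]  # constructed sample rows

def build_index(rows, key):
    """Store rows in collation order, as a sorted index would."""
    return sorted(rows, key=key)

def lookup(index, word, key):
    """Binary search that trusts the index to be ordered under `key`."""
    keys = [key(w) for w in index]
    k = key(word)
    i = bisect.bisect_left(keys, k)
    while i < len(index) and keys[i] == k:  # step through equal sort keys
        if index[i] == word:
            return True
        i += 1
    return False

def is_consistent(index, key):
    """Integrity check: is the stored order still valid under `key`?"""
    keys = [key(w) for w in index]
    return all(a <= b for a, b in zip(keys, keys[1:]))

def missing_after_upgrade(rows, old_key, new_key):
    """Rows present in an index built with old_key but not found via new_key."""
    index = build_index(rows, old_key)
    return [w for w in rows if not lookup(index, w, new_key)]

if __name__ == "__main__":
    old_index = build_index(WORDS, key_v1)
    print("stored order:", old_index)
    print("valid under v2:", is_consistent(old_index, key_v2))
    print("rows lost to lookups:", missing_after_upgrade(WORDS, key_v1, key_v2))
    print("after rebuild:", missing_after_upgrade(WORDS, key_v2, key_v2))
```

The rows are still stored; only the search path to them is wrong, which is why this kind of breakage surfaces late and why rebuilding the index under the new rules restores lookups.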