[Debian-med-packaging] Bug#1000000: fixed in phast 1.6+dfsg-2

Adrian Bunk bunk at debian.org
Thu Nov 18 21:12:12 GMT 2021


On Thu, Nov 18, 2021 at 05:12:10PM +0100, Sebastiaan Couwenberg wrote:
>...
> For the Debian package you could drop use_debian_packaged_libpcre.patch and
> use the embedded copy to not block the pcre3 removal in Debian.

As a general comment, this would be a lot worse than keeping pcre3.

If any copy of this library should be used at all in bookworm,
it should be provided by src:pcre3.

Switching from src:pcre3 to an older vendored copy would likely create
additional security vulnerabilities for our users.[1] Even with only one
user in bookworm, shipping it security-supportable in src:pcre3 would be
better than hiding vulnerabilities through vendoring.

> Kind Regards,
> 
> Bas

cu
Adrian

[1] https://security-tracker.debian.org/tracker/source-package/pcre3


