[Debian-med-packaging] Bug#1000000: fixed in phast 1.6+dfsg-2
Andreas Tille
tille at debian.org
Fri Nov 19 06:03:04 GMT 2021
Hi,
Am Thu, Nov 18, 2021 at 11:12:12PM +0200 schrieb Adrian Bunk:
> On Thu, Nov 18, 2021 at 05:12:10PM +0100, Sebastiaan Couwenberg wrote:
> >...
> > For the Debian package you could drop use_debian_packaged_libpcre.patch and
> > use the embedded copy to not block the prce3 removal in Debian.
>
> As a general comment, this would be a lot worse than keeping pcre3.
Since I agree here I started (! not working yet!) with a patch[2]. I
remember that upstream - who has basically stopped development if I
remember correctly - was not even happy, that we replace the code copy.
Thus I assume that they are not very interested in providing a pcre2
patch and we are on our own.
> If any copy of this library should be used at all in bookworm,
> it should be provided by src:pcre3.
I agree and I assume we will need this. Several packages that received
this bug report are not actively developed any more but used by our
users. So it might be that we need to work on this ourselves and this
needs time (and knowledge).
> Switching from src:pcre3 to an older vendored copy would likely create
> additional security vulnerabilities for our users,[1] even with only one
> user in bookworm shipping it security supportable in src:pcre3 would be
> better than hiding vulnerabilities through vendoring.
+1
Kind regards
Andreas.
> [1] https://security-tracker.debian.org/tracker/source-package/pcre3
[2] https://salsa.debian.org/med-team/phast/-/blob/master/debian/patches/pcre2.patch
--
http://fam-tille.de
More information about the Debian-med-packaging
mailing list