[Pkg-nginx-maintainers] Bug#1050186: libnginx-mod-http-lua: depends on obsolete pcre3 library

Bastian Germann bage at debian.org
Mon Aug 21 16:24:33 BST 2023


Source: libnginx-mod-http-lua
Severity: serious
Version: 1:0.10.25-1
User: matthew-pcredep at debian.org
Usertags: obsolete-pcre3

Dear maintainer,

When the pcre3 -> pcre2 mass bug was filed, this package was left out.
I am filing this (edited copy) after the fact:

Your package still depends on the old, obsolete PCRE3 libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, we
would like to remove the pcre3 libraries from Debian.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Thanks,
Bastian



More information about the Pkg-nginx-maintainers mailing list