Bug#1101756: Should libbson-xs-perl be shipped in trixie?
Adrian Bunk
bunk at debian.org
Mon Mar 31 22:04:31 BST 2025
On Mon, Mar 31, 2025 at 10:12:03PM +0200, Salvatore Bonaccorso wrote:
>...
> On Mon, Mar 31, 2025 at 04:58:15PM +0300, Adrian Bunk wrote:
> > Package: libbson-xs-perl
> > Version: 0.8.4-3
> > Severity: serious
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> >
> > https://metacpan.org/dist/BSON-XS
> >
> > Changes for version v0.8.4 - 2020-08-13
> > !!! END OF LIFE NOTICE !!!
> > As of August 13, 2020, the BSON-XS library has reached end of life and is no longer supported by MongoDB.
> >
> >
> > The security aspect of this bug is that some/all of the bson CVEs
> > against mongo-c-driver might also apply to the copy of the bson code
> > in libbson-xs-perl.
> >
> > An alternative solution for the latter might be patching the source to
> > build with libbson-dev.
>
> "Ideally" the removal would be the right choice given the
> deprecation/end-of-life, but I fear that is not possible at this stage
> in the freeze. libmongodb-perl has AFAICS a depends on libbson-xs-perl

Recommends, as performance optimization compared to the pure-Perl libbson-perl.
The build dependency is !nocheck, and the tests pass for me without
libbson-xs-perl.

> and libmongodb-perl has some reverse dependencies.

libmongodb-perl and libbson-perl are also EOL, but AFAIK removing
just libbson-xs-perl would only have a performance impact for rdeps.

> gregor, yadd, any opinions from you here?
>
> Regards,
> Salvatore

cu
Adrian