Source: mariadb-10.5
Version: 1:10.3.24-2
Severity: important

Hi Otto,

I'm a bit disappointed. You told me that mariadb would stop using libreadline-gplv2-dev in >= 10.4. While that's technically correct, it's not the whole truth. In 10.5, mariadb has a vendor copy of it. Instead of actually moving to a recent version, mariadb just added an embedded code copy. The Debian policy discourages such copies. I don't think it makes sense to reiterate the reasons.

Please figure out whether you can unembed readline. This may be difficult to do and you may come to the conclusion that doing so is infeasible. In that case, please register your copy with the security tracker to enable the security team supporting mariadb. Refer to https://wiki.debian.org/EmbeddedCopies for details.

Helmut

