On Thursday, November 18, 2021 8:06:55 AM EST Scott Kitterman wrote: > On November 18, 2021 11:49:06 AM UTC, Matthew Vernon <matt...@debian.org> wrote: > >Source: postfix > >Severity: important > >User: matthew-pcre...@debian.org > >Usertags: obsolete-pcre3 > > > >Dear maintainer, > > > >Your package still depends on the old, obsolete PCRE3[0] libraries > >(i.e. libpcre3-dev). This has been end of life for a while now, and > >upstream do not intend to fix any further bugs in it. Accordingly, I > >would like to remove the pcre3 libraries from Debian, preferably in > >time for the release of Bookworm. > > > >The newer PCRE2 library was first released in 2015, and has been in > >Debian since stretch. Upstream's documentation for PCRE2 is available > >here: https://pcre.org/current/doc/html/ > > > >Many large projects that use PCRE have made the switch now (e.g. git, > >php); it does involve some work, but we are now at the stage where > >PCRE3 should not be used, particularly if it might ever be exposed to > >untrusted input. > > > >This mass bug filing was discussed on debian-devel@ in > >https://lists.debian.org/debian-devel/2021/11/msg00176.html > > > >Regards, > > > >Matthew [0] Historical reasons mean that old PCRE is packaged as > >pcre3 in Debian > > I've investigated this and some non-trivial porting is needed. I've > discussed this with upstream and it's one their TODO list for the next > postfix release.
It's implemented now for postfix 3.7, so this should be closed well before our next release. Scott K
