Hello Daniel,

NDEBUG was discussed a few years ago in <https://bugs.openldap.org/show_bug.cgi?id=8240>.

The package is built with --enable-debug intentionally, so that users can enable debug logging if they need it. Some valuable diagnostics, for example TLS diagnostics, are only available via debug logging.

I thought it was generally preferred from a security perspective to keep assert() enabled in production, so that programs fail fast rather than get into invalid states that might potentially be exploitable. I'm not sure whether Debian has any official guidance on this, but see for example <https://lists.debian.org/debian-devel/2013/02/msg00124.html>.

thanks,
Ryan
