Public bug reported: Debian exim4 >= 4.95~RC0-1 depends on src:libspf2 via a new Build- Depends on libspf2-dev, which also results in new binary dependencies. That's a C library implementing SPF [1].
The change closes Debbug #528344 [2] which is a decade-old request for adding SPF support to exim4 via that library. Up to now implementing SPF in exim4 has been possible using the spf-tools-perl package (in universe, but not a dependency). This is now replaced by linking to libspf2; the mechanism is clearly visible in the commit implementing the change [3]. After discussing the issue with the team, we decided to revert the change [3] in Ubuntu for now. Rationale: * Linking against the library doesn't provide a clear advantage over using the external query tool from spf-tools-perl. I imagine the issue is performance, but this is not clearly stated. In other words, a compelling reason for a MIR is missing. * The status of the upstream project is not entirely reassuring. The latest publicized release is from 2013 [4]. Issues are mostly unanswered, including one requesting to cut a release including a fix for a CVE [6]. (A newer release has been tagged in git, but not announced anywhere, and the issue is still open. Note: the CVE is fixed in Debian via a security NMU.) * The latest upload from the Debian Maintainer is from 2016. * We didn't really have requests for enabling libspf2 in exim4 in Ubuntu. This why we prefer not to MIR libspf2, at least for now, but we're fully open on re-discussing this decision, now or in the future. [1] https://en.wikipedia.org/wiki/Sender_Policy_Framework [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528344 [3] https://salsa.debian.org/exim-team/exim4/-/commit/494f1fe56f80243441c97de4b73e032949bd8b5d [4] https://www.libspf2.org/ [5] https://github.com/shevek/libspf2/ [6] https://github.com/shevek/libspf2/issues/36 ** Affects: exim4 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1952738 Title: component mismatch: exim4 (main) depends on src:libspf2 (universe) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1952738/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
