Package: src:pjproject
Version: 2.7.2~dfsg-4
Severity: serious

Hi,

as the sole Uploader of src:pjproject for the last two years I think we should
not release Buster with src:pjproject.

Reasons:
- pjsip is a library where a lot of functionality and behaviour is selected at
  compile time using #define statements. Most of these define statements alter
  the ABI due to changing structs, which makes it ill-suited as a system wide
  library to be used by several programs.
  - Consequently, src:ring (now called jami) has always been built against an
    embedded copy and src:asterisk also switched to an embedded copy, both
    tailored to their needs. There are no other source packages depending on
    src:pjproject left
- python-pjproject shipped by the same source package includes the old pjsua
  module that has been deprecated according to
  https://trac.pjsip.org/repos/wiki/Python_SIP_Tutorial . There is no rdep in 
the
  Debian archive. We don't package the newer pjsua2 module.
- Due to the gone rdeps the version currently in the archive is not the latest
  upstream version.
- Upstream sometimes mixes security fixes with large scale code
  refactoring/formatting, which makes security updates more painful than they
  need to be. We don't want to have this additional work for Buster when it's
  not necessary. Note that at least Asterisk upstream has published security
  advisories for issues in pjsip before and has patched them by adding the fix 
as
  patch to the Asterisk source, which makes it much easier to follow.

I'm therefor filing this RC bug to start the autoremoval from Buster. I will
revisit the packaging after the release of Buster and either drop the package
or get it updated (and possibly backported to buster-backports).

Bernhard

Reply via email to