Source: perl
Version: 5.32.1-5

While fixing https://security-tracker.debian.org/tracker/CVE-2021-36770 in Encode, we noticed that we could not bump the Breaks in libperl5.32 the way we expected to forbid a combination of a patched Perl core package and an unpatched separate libencode-perl package. (The problem with this combination is that the separate package has precedence on @INC, so it hides the fixed version.)

Specifically, as perl Provides: libencode-perl (= 3.06) we couldn't make libperl5.32 Break libencode-perl (<< 3.08-1+deb11u1) as that would have made perl uninstallable. Bumping the Provides to 3.06-1+deb11u1 would not help, and bumping them past 3.08 would be lying. The best I came up with would be to add an epoch, and that seemed too intrusive.

In the context of security updates, it does not seem surprising that a partial upgrade can leave the system vulnerable. So we decided to live with this.

I'm filing this mostly to document the general issue. I'm not sure if there's a solution other than the epoch one, but maybe somebody else finds one. If not, we can probably live with it in the future too. The last time we needed this feature was in 5.26.1-4, before we adopted versioned Provides.

--
Niko