I am the upstream maintainer. We can't re-license or grant exceptions to our license as we have never had a CLA or a DCO and some of our contributors are companies that no longer exist and there are individuals that are deceased.

This issue is tagging 28 packages total for removal from Debian. All for a mistake someone made at least 16 years ago (when we renamed to Pidgin https://salsa.debian.org/debian/pidgin/-/blob/7632fac272011c7bed2c04fbdff32ad1aa31a491/debian/rules). It does appear that it goes back to when we were still using the name Gaim, but I can't find the Debian packaging for that to figure out the real date.

At any rate, forcing the removal of these 28 packages seems blatantly wrong as it's punishing users and will take a non-trivial amount of time to fix properly.

My suggestion: disable Cyrus-SASL. The only 2 protocols that use it are IRC and XMPP. XMPP has its own implementations for SASL and falls back to Cyrus if it needs to, which will of course break those users. IRC will break for a lot of people and they'll be upset and report bugs to both Debian and me, but at least they'll still have a pidgin package and the other 27 related packages.

In the meantime, I suppose I will somehow find the time to get our new SASL library (not written for this bug and not easily integrated into Pidgin 2) through the Debian new queue and get Pidgin 2 updated for it even though that's supposed to be in maintenance-only mode. This is going to cost a considerable amount of development time that'd be better spent on the new version, but this seems to be the only choice to keep users running for the moment due to the insistence that this is a "serious" level bug and that libpurple0 should be removed from Debian because of it.

Ideally, we could just leave this at anything but serious or grave so the 28 packages that this bug threatens could then stay in Debian for the time being and no one would have to do any work that's never going to be part of a stable Debian release.

On Sun, May 28, 2023 at 6:03 PM Bastian Germann <b...@debian.org> wrote:
>
> On 26.05.23 at 04:26, Richard Laager wrote:
> > Are the problems just limited to MD5? If so:
>
> I do not think so.
>
> > 5) Replace the MD5 implementation in Cyrus SASL with a different one.
> >
> > 6) Cyrus SASL uses OpenSSL for MD5 instead of its built-in MD5 code.
>
> See https://github.com/cyrusimap/cyrus-sasl/issues/513 for an implementation
> that leaves only one RSA-MD licensed file.
>

--
Thanks,

--
Gary Kramlich <g...@reaperworld.com>