Control: severity -1 wishlist
Control: tags -1 help

On Thu, 18 Nov 2021 11:49:04 +0000 Matthew Vernon <matt...@debian.org>
wrote:
> Source: generator-scripting-language
> Severity: important
> User: matthew-pcre...@debian.org
> Usertags: obsolete-pcre3
> 
> Dear maintainer,
> 
> Your package still depends on the old, obsolete PCRE3[0] libraries
> (i.e. libpcre3-dev). This has been end of life for a while now, and
> upstream do not intend to fix any further bugs in it. Accordingly, I
> would like to remove the pcre3 libraries from Debian, preferably in
> time for the release of Bookworm.
> 
> The newer PCRE2 library was first released in 2015, and has been in
> Debian since stretch. Upstream's documentation for PCRE2 is available
> here: https://pcre.org/current/doc/html/
> 
> Many large projects that use PCRE have made the switch now (e.g. git,
> php); it does involve some work, but we are now at the stage where
> PCRE3 should not be used, particularly if it might ever be exposed to
> untrusted input.

As already mentioned, this package is not used to process untrusted
input; it is a 'done' project that hasn't been touched in a decade and
just works as part of an existing toolchain. If someone provides a
patch that is tested against such workflows to confirm that they are
not affected, then I'd merge it upstream.

If push comes to shove, I will simply vendor the existing pcre code.

-- 
Kind regards,
Luca Boccassi
