On Sat, May 02, 2026 at 02:37:56AM +0200, Matěj Cepl wrote:
> Hi, this is the upstream maintainer of M2Crypto,
>
> I would say that you were a bit hasty in removing M2Crypto from Debian.
> By saying that M2Crypto is for legacy applications and shouldn’t be used
> for new projects, I didn’t mean to say it is abandoned and there are no
> users of it.

Bastian worked on replacing m2crypto usage in Debian, for the next
release (Debian 14 / forky). Thus no users *in* Debian were left
(this however means something different than "no Debian users").

> Just the contrary, I am always surprised how many people still use it in
> their applications, and it would probably be better if they got it
> through Debian with updates and security fixes, than they would have it
> as an unmaintained build from my tarball.
[..]
> Please, reconsider the removal of the package from Debian.

The removal was completed in March. By now someone would have to
spend time and work to introduce the package anew.

For libraries there is often a tradeoff weighing, and libraries that
have no direct users inside Debian ("leaf libraries") need to have
really dedicated maintainers that want to spend the time and work in
Debian on that library. You can imagine that finding such
maintainers is often not so easy. For security-relevant libraries
the work is of course higher and they should get security updates;
for leaf libraries the weighing often ends with the security team's
available volunteer resources.

Best,
Chris