Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: transition

Dear Release Team,

In a recent message [1] Shibboleth upstream strongly recommended building xml-security-c without Xalan support to reduce the attack surface of Shibboleth installations, because Xalan is dead upstream and pulling it in carries a considerable risk. The Shibboleth stack is the only consumer of the xml-security-c library in Debian, so we'd like to follow upstream's recommendation.

This means flipping a configure switch, which removes some features (and a dependency) of the library, but does not change the library SONAME. The resulting new library version is usable as-is by the upper layers of the Shibboleth stack, which does not use the dropped functionality, so this wouldn't be a transition in that sense, but we (the Shibboleth packaging team) still wanted to run this by you.

We don't expect any fallout; xml-security-c was built without Xalan until version 2.0.2-2 without issues. Some maintenance uploads of the upper layers were planned and will be done anyway.

[1] https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2023-January/005929.html

Unusable Ben file:

title = "xml-security-c";
is_affected = .depends ~ "libxml-security-c20" | .depends ~ "libxml-security-c20";
is_good = .depends ~ "libxml-security-c20";
is_bad = .depends ~ "libxml-security-c20";