Package: src:pjproject
Version: 2.7.2~dfsg-4
Severity: serious
Hi,
as the sole Uploader of src:pjproject for the last two years I think we should
not release Buster with src:pjproject.
Reasons:
- pjsip is a library where a lot of functionality and behaviour is selected at
compile time using #define statements. Most of these define statements alter
the ABI due to changing structs, which makes it ill-suited as a system wide
library to be used by several programs.
- Consequently, src:ring (now called jami) has always been built against an
embedded copy and src:asterisk also switched to an embedded copy, both
tailored to their needs. There are no other source packages depending on
src:pjproject left
- python-pjproject shipped by the same source package includes the old pjsua
module that has been deprecated according to
https://trac.pjsip.org/repos/wiki/Python_SIP_Tutorial . There is no rdep in
the
Debian archive. We don't package the newer pjsua2 module.
- Due to the gone rdeps the version currently in the archive is not the latest
upstream version.
- Upstream sometimes mixes security fixes with large scale code
refactoring/formatting, which makes security updates more painful than they
need to be. We don't want to have this additional work for Buster when it's
not necessary. Note that at least Asterisk upstream has published security
advisories for issues in pjsip before and has patched them by adding the fix
as
patch to the Asterisk source, which makes it much easier to follow.
I'm therefor filing this RC bug to start the autoremoval from Buster. I will
revisit the packaging after the release of Buster and either drop the package
or get it updated (and possibly backported to buster-backports).
Bernhard
