#1000110 leafnode: depends on obsolete pcre3 library

Package: src:leafnode
Source: leafnode
Submitter: Matthew Vernon
Date: 2022-06-05 21:51:04 UTC
Severity: important

#1000110#5
Date: 2021-11-18 11:49:04 UTC

Dear maintainer,

Your package still depends on the old, obsolete PCRE3[0] libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, I
would like to remove the pcre3 libraries from Debian, preferably in
time for the release of Bookworm.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Regards,

Matthew

[0] Historical reasons mean that old PCRE is packaged as
pcre3 in Debian

#1000110#12
Date: 2022-05-27 19:23:29 UTC

Please note that I have very recently released leafnode 1.12.0 which now
uses PCRE2 instead of PCRE1.

Also note that there is no longer a .bz2 package, only .xz and .gz.

https://sourceforge.net/projects/leafnode/files/leafnode/1.12.0/

Changelog (high-level, edited):
https://gitlab.com/leafnode-2/leafnode-1/-/raw/1.12.0/NEWS

Changelog (low-level, semiautomated):
https://gitlab.com/leafnode-2/leafnode-1/-/raw/1.12.0/ChangeLog

#1000110#25
Date: 2022-06-05 21:48:50 UTC

We believe that the bug you reported is fixed in the latest version of
leafnode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated leafnode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 01 Jun 2022 21:09:07 +0200
Source: leafnode
Architecture: source
Version: 1.12.0-1
Distribution: unstable
Urgency: medium
Maintainer: Moritz Muehlenhoff <jmm@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Closes: 989086 1000110
Changes:
 leafnode (1.12.0-1) unstable; urgency=medium
 .
   * New upstream version 1.12.0, in a sense also (Closes: #989086)
   * Switch to PCRE2 (Closes: #1000110)
   * Use debhelper 13