Bug#1028286: transition: xml-security-c
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: transition
Dear Release Team,
In a recent message [1] Shibboleth upstream strongly recommended
building xml-security-c without Xalan support to reduce the attack
surface of Shibboleth installations, because Xalan is dead upstream and
pulling it in carries a considerable risk. The Shibboleth stack is the
only consumer of the xml-security-c library in Debian, so we'd like to
follow upstream's recommendation. This means flipping a configure
switch, which removes some features (and a dependency) of the library,
but does not change the library SONAME. The resulting new library
version is usable as-is by the upper layers of the Shibboleth stack, which
does not use the dropped functionality, so this wouldn't be a transition
in that sense, but we (the Shibboleth packaging team) still wanted to
run this by you. We don't expect any fallout, xml-security-c was built
without Xalan until version 2.0.2-2 without issues. Some maintenance
uploads of the upper layers were planned and will be done anyway.
[1] https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2023-January/005929.html
Unusable Ben file:
title = "xml-security-c";
is_affected = .depends ~ "libxml-security-c20" | .depends ~ "libxml-security-c20";
is_good = .depends ~ "libxml-security-c20";
is_bad = .depends ~ "libxml-security-c20";
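The request above rests on two checkable claims: the rebuilt library keeps its SONAME (so no real transition is needed) and no longer pulls in Xalan (the attack-surface reduction upstream asked for). The following shell script is an added example written for this page, not code from the bug report or from the Shibboleth packaging team; it reads the dynamic section as printed by `readelf -d` and verifies both properties. The sample `readelf` output is constructed, the Xalan soname `libxalan-c.so.112` is a hypothetical value, and the expected SONAME `libxml-security-c.so.20` is assumed from the `libxml-security-c20` package name in the Ben file.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a built
# libxml-security-c keeps its SONAME and has no NEEDED entry on Xalan.
# Feed it the output of `readelf -d <library>`; constructed samples are
# embedded below so it can be run offline.

# soname_of: print the SONAME recorded in readelf -d output read from stdin.
# readelf prints e.g. "(SONAME)  Library soname: [libfoo.so.1]"; the
# bracketed last field is stripped of its brackets.
soname_of() {
    awk '/\(SONAME\)/ { s = $NF; print substr(s, 2, length(s) - 2); exit }'
}

# needed_libs: print one NEEDED library name per line from readelf -d output.
needed_libs() {
    awk '/\(NEEDED\)/ { s = $NF; print substr(s, 2, length(s) - 2) }'
}

# check_lib EXPECTED_SONAME: read readelf -d output from stdin; return 0 only
# if the SONAME equals EXPECTED_SONAME and no NEEDED entry mentions Xalan.
check_lib() {
    expected="$1"
    dyn="$(cat)"
    soname="$(printf '%s\n' "$dyn" | soname_of)"
    if [ "$soname" != "$expected" ]; then
        echo "SONAME changed: got '$soname', expected '$expected'" >&2
        return 1
    fi
    if printf '%s\n' "$dyn" | needed_libs | grep -qi xalan; then
        echo "library still has a NEEDED entry on Xalan" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a build that still links Xalan (hypothetical soname
# libxalan-c.so.112; only the lines relevant to the check are shown).
SAMPLE_WITH_XALAN='Dynamic section at offset 0x1000 contains 5 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libxalan-c.so.112]
 0x0000000000000001 (NEEDED)             Shared library: [libxerces-c-3.2.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libxml-security-c.so.20]'

# Constructed sample: the same library rebuilt without Xalan support. The
# SONAME is unchanged, only the Xalan dependency is gone.
SAMPLE_WITHOUT_XALAN='Dynamic section at offset 0x1000 contains 4 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libxerces-c-3.2.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libxml-security-c.so.20]'

# Demonstration on the constructed samples. Against a real build, replace the
# printf with, for example (assumed path):
#   readelf -d debian/tmp/usr/lib/*/libxml-security-c.so.20 | check_lib libxml-security-c.so.20
printf '%s\n' "$SAMPLE_WITH_XALAN" | check_lib libxml-security-c.so.20 \
    || echo "build with Xalan: rejected, as expected"
printf '%s\n' "$SAMPLE_WITHOUT_XALAN" | check_lib libxml-security-c.so.20 \
    && echo "build without Xalan: accepted"
```

The same check is worth running over the whole `debian/tmp` tree (or `dpkg -L libxml-security-c20`) rather than a single file, and a transient `grep -i xalan` over `objdump -p` output catches the dependency even when it is pulled in indirectly via another NEEDED library.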