On 27.06.23 at 23:34, Richard Laager wrote:
Cyrus SASL has reverse (binary) dependencies in the ballpark of 7,500. Quickly taking that list through UDD gives me just over 4,500 source packages. Surely, a large number of those are going to be GPL licensed. Is your plan to file Severity: serious bugs against all of them?
No, but at least the ones that directly depend on cyrus-sasl. There are not many; most reverse dependencies are via libldap.
If so, isn't that an MBF that needs discussion on debian-devel first?
I do not have the capacity for a mass bug filing. Once in a while I will look at the list of direct reverse dependencies and send a bug.
If not, then why are you singling out Pidgin, a project that is struggling to stay alive right now?
I am not singling out Pidgin. I have filed similar bugs on other direct reverse deps.
Your position in bug #996892 is that cyrus-sasl2 / libsasl2 should be considered a system library. If libsasl2 can be considered a system library, then by your own position, there is no bug in libpurple0. I don't see how you can have it both ways.
I would like to have a decision on it. No FTP Master has had the time to answer the bug. As long as there is no official stance from the responsible group in Debian the library is not to be considered a system library and the serious severity is valid. If I were the package maintainer I would disable SASL and send the unstable/testing users who want it back to comment on #996892 to get a decision.