Package: pango1.0
Followup-For: Bug #565500

For the record, CVE-2009-4012 (DSA-1971) was later analyzed by Red Hat [1] to be ineffective. Instead, Pango itself was found to be vulnerable.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=554416

Although I couldn't find an obvious exploit when I got the report, I took the action immediately anyway, and I don't think taking this as a penalty is fair.

But yes, technically speaking, downgrading libthai to Recommends is possible, by splitting pango-thai-lang.so into a new subpackage and letting libpango1.0-0 recommend it. But as Loic said, it's a trade-off. Thai users must be guaranteed not to miss it by the default installation.

If I'm right, the default installation already includes the recommended packages. If that's confirmed, the split should not cause problems for Thai users, while removing it would still be allowed.

BTW, I have got another compelling reason to split: I'd like to re-fork the removed pango-libthai, after upstream has ignored my proposed patches for too long (it's 2 years now without any progress). The split, probably with pango-thai-fc.so as well, should allow an alternative implementation which I can maintain myself and respond to bugs more quickly.

But if all patches in bug #620001, #620002 and #620004 are accepted into sid, the urge for the split can be dropped.

Regards,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/