component mismatch: exim4 (main) depends on src:libspf2 (universe)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
exim4 (Ubuntu) | Fix Released | High | Paride Legovini |
Bug Description
Debian exim4 >= 4.95~RC0-1 depends on src:libspf2 via a new Build-Depends on libspf2-dev, which also results in new binary dependencies. That's a C library implementing SPF [1].
The change closes Debbug #528344 [2] which is a decade-old request for adding SPF support to exim4 via that library. Up to now implementing SPF in exim4 has been possible using the spf-tools-perl package (in universe, but not a dependency). This is now replaced by linking to libspf2; the mechanism is clearly visible in the commit implementing the change [3].
After discussing the issue with the team, we decided to revert the change [3] in Ubuntu for now.
Rationale:
* Linking against the library doesn't provide a clear advantage over using the external query tool from spf-tools-perl. I imagine the issue is performance, but this is not clearly stated. In other words, a compelling reason for a MIR is missing.
* The status of the upstream project is not entirely reassuring. The latest publicized release is from 2013 [4]. Issues are mostly unanswered, including one requesting to cut a release including a fix for a CVE [6]. (A newer release has been tagged in git, but not announced anywhere, and the issue is still open. Note: the CVE is fixed in Debian via a security NMU.)
* The latest upload from the Debian Maintainer is from 2016.
* We don't really have requests for enabling libspf2 in exim4 in Ubuntu.
This is why we prefer not to MIR libspf2, at least for now, but we're fully open to re-discussing this decision, now or in the future.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
- Diff: 1499 lines (+992/-20), 6 files modified:
  debian/EDITME.exim4-heavy.diff (+0/-12)
  debian/changelog (+905/-0)
  debian/control (+3/-2)
  debian/debconf/conf.d/acl/30_exim4-config_check_rcpt (+28/-6)
  debian/patches/fix_smtp_banner.patch (+55/-0)
  debian/patches/series (+1/-0)
- Bryce Harrington (community): Approve
- Canonical Server: Pending requested
- Diff: 121 lines (+45/-21), 4 files modified:
  debian/EDITME.exim4-heavy.diff (+2/-14)
  debian/changelog (+15/-0)
  debian/control (+0/-1)
  debian/debconf/conf.d/acl/30_exim4-config_check_rcpt (+28/-6)
description: updated
Changed in exim4 (Ubuntu):
assignee: nobody → Paride Legovini (paride)
tags: added: server-next
Changed in exim4 (Ubuntu):
importance: Undecided → High
status: New → In Progress
This bug was fixed in the package exim4 - 4.95-2ubuntu2
---------------
exim4 (4.95-2ubuntu2) jammy; urgency=medium

  * New delta:
    - Disable external SPF support to avoid Build-Depends on libspf2-dev
      (only available in universe). SPF can still be implemented via
      spf-tools-perl, as documented in exim4.conf.template. (LP: #1952738)
      This reverts Vcs-Git commit 494f1fe, first released in 4.95~RC0-1.
      Changes:
      + d/control: drop Build-Depends on libspf2-dev.
      + d/d/c/a/30_exim4-config_check_rcpt: restore SPF logic based
        on spfquery.mail-spf-perl from spf-tools-perl.
      + d/EDITME.exim4-heavy.diff: disable support for libspf2.

 -- Paride Legovini <email address hidden>  Wed, 01 Dec 2021 11:48:10 +0100