Debian exim4 >= 4.95~RC0-1 depends on src:libspf2 via a new Build-Depends on libspf2-dev, which also results in new binary dependencies. That's a C library implementing SPF [1].
The change closes Debbug #528344 [2] which is a decade-old request for adding SPF support to exim4 via that library. Up to now implementing SPF in exim4 has been possible using the spf-tools-perl package (in universe, but not a dependency). This is now replaced by linking to libspf2; the mechanism is clearly visible in the commit implementing the change [3].
After discussing the issue with the team, we decided to revert the change [3] in Ubuntu for now.
Rationale:
* Linking against the library doesn't provide a clear advantage over using the external query tool from spf-tools-perl. I imagine the issue is performance, but this is not clearly stated. In other words, a compelling reason for a MIR is missing.
* The status of the upstream project is not entirely reassuring. The latest publicized release is from 2013 [4]. Issues are mostly unanswered, including one requesting to cut a release including a fix for a CVE [6]. (A newer release has been tagged in git, but not announced anywhere, and the issue is still open. Note: the CVE is fixed in Debian via a security NMU.)
* The latest upload from the Debian Maintainer is from 2016.
* We didn't really have requests for enabling libspf2 in exim4 in Ubuntu.
This why we prefer not to MIR libspf2, at least for now, but we're fully open on re-discussing this decision, now or in the future.
Debian exim4 >= 4.95~RC0-1 depends on src:libspf2 via a new Build-Depends on libspf2-dev, which also results in new binary dependencies. That's a C library implementing SPF [1].
The change closes Debbug #528344 [2] which is a decade-old request for adding SPF support to exim4 via that library. Up to now implementing SPF in exim4 has been possible using the spf-tools-perl package (in universe, but not a dependency). This is now replaced by linking to libspf2; the mechanism is clearly visible in the commit implementing the change [3].
After discussing the issue with the team, we decided to revert the change [3] in Ubuntu for now.
Rationale:
* Linking against the library doesn't provide a clear advantage over using the external query tool from spf-tools-perl. I imagine the issue is performance, but this is not clearly stated. In other words, a compelling reason for a MIR is missing.
* The status of the upstream project is not entirely reassuring. The latest publicized release is from 2013 [4]. Issues are mostly unanswered, including one requesting to cut a release including a fix for a CVE [6]. (A newer release has been tagged in git, but not announced anywhere, and the issue is still open. Note: the CVE is fixed in Debian via a security NMU.)
* The latest upload from the Debian Maintainer is from 2016.
* We didn't really have requests for enabling libspf2 in exim4 in Ubuntu.
This why we prefer not to MIR libspf2, at least for now, but we're fully open on re-discussing this decision, now or in the future.
[1] https:/ /en.wikipedia. org/wiki/ Sender_ Policy_ Framework /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 528344 /salsa. debian. org/exim- team/exim4/ -/commit/ 494f1fe56f80243 441c97de4b73e03 2949bd8b5d /www.libspf2. org/ /github. com/shevek/ libspf2/ /github. com/shevek/ libspf2/ issues/ 36
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/