Comment 0 for bug 1952738

Debian exim4 >= 4.95~RC0-1 depends on src:libspf2 via a new Build-Depends on libspf2-dev, which also results in new binary dependencies. That's a C library implementing SPF [1].

The change closes Debbug #528344 [2] which is a decade-old request for adding SPF support to exim4 via that library. Up to now implementing SPF in exim4 has been possible using the spf-tools-perl package (in universe, but not a dependency). This is now replaced by linking to libspf2; the mechanism is clearly visible in the commit implementing the change [3].

After discussing the issue with the team, we decided to revert the change [3] in Ubuntu for now.

Rationale:

* Linking against the library doesn't provide a clear advantage over using the external query tool from spf-tools-perl. I imagine the issue is performance, but this is not clearly stated. In other words, a compelling reason for a MIR is missing.
* The status of the upstream project is not entirely reassuring. The latest publicized release is from 2013 [4]. Issues are mostly unanswered, including one requesting to cut a release including a fix for a CVE [6]. (A newer release has been tagged in git, but not announced anywhere, and the issue is still open. Note: the CVE is fixed in Debian via a security NMU.)
* The latest upload from the Debian Maintainer is from 2016.
* We didn't really have requests for enabling libspf2 in exim4 in Ubuntu.

This why we prefer not to MIR libspf2, at least for now, but we're fully open on re-discussing this decision, now or in the future.

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528344
[3] https://salsa.debian.org/exim-team/exim4/-/commit/494f1fe56f80243441c97de4b73e032949bd8b5d
[4] https://www.libspf2.org/
[5] https://github.com/shevek/libspf2/
[6] https://github.com/shevek/libspf2/issues/36