Comment 21 for bug 2023971

Miha Purg (mihap) wrote :

Hi all,

During the security review I noticed that several dependencies for this package were replaced with those that already exist in main:
- Net::IDN::Encode -> Net::LibIDN [1]
- Email::MIME -> MIME::Parser & MIME::Entity [2]
To my understanding, this was done to avoid introducing unnecessary and/or duplicate functionality to main, and to mitigate a known security vulnerability in the Email::MIME library [3].

I have some concerns regarding the patch needed to replace Email::MIME which I wanted to bring up for discussion, especially in light of the fact that the vulnerability has since been confirmed fixed [4]. Although an elegant solution, the patch makes non-trivial changes to the source, and, although it passes all tests, these changes have not been battle-tested. Moreover, I suspect there will be some unwanted implications on maintenance and support for the modified library in the long run if upstream does not accept the proposed changes (see ongoing discussion in [5]). Should we still consider this the same library as upstream in the end, and who will maintain the modified code? I'm wondering if this is still the best approach considering that the vulnerability has been fixed, and that upstream is not leaning in our direction [5].

[1]: https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
[2]: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
[3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062
[4]: https://github.com/msimerson/mail-dmarc/issues/216#issuecomment-1945033737
[5]: https://github.com/msimerson/mail-dmarc/pull/217