Speaking for the security team, it seems there is no consensus on whether pcre2 should be in main and therefore require a security review. I tend to agree with foundations that we should not support pcre and pcre2 if we can avoid it; however, having packages in main that simply bundle it is not avoiding the problem -- it is only hiding the fact that it is actually supported via an embedded code copy, which is against standard practice.
For the moment I am unsubscribing the security team, but considering my comments on embedded copies, feel free to resubscribe if its inclusion will be reconsidered.