Comment 33 for bug 1636666

Jamie Strandboge (jdstrand) wrote:

It is clear that we cannot drop pcre3 any time soon due to the number of supported packages that only support it and not pcre2. pcre3 has a *significant* CVE history (52 since 2005 with the latest in 2017 - granted many of those were the result of fuzzing, but the nature of pcre means it will often be fed untrusted input). Furthermore, our goals for main are clear: https://wiki.ubuntu.com/MIRTeam#Duplication. With pcre3 and pcre2 as alternative APIs for working with Perl Compatible Regular Expressions, that is clear duplication. pcre2 comes from the pcre3 codebase and there is no reason to think it won't have a similar number of CVEs; indeed, pcre2 has already had 26 CVEs assigned to it so far. IMHO, it was premature for vte and gnome-terminal to drop support for the old APIs (even glib2.0 is using pcre3).

-1 for having both implementations in main at this time. In terms of effort, it's clear (to me) that today the least effort overall is continuing to adjust vte/gnome-terminal so we don't have to migrate a bunch of other packages. From a security POV, it seems one is not preferable to the other in terms of raw CVEs since at least for the time being upstream is committed to bug fixes for the old APIs[1]. I suspect pcre2 is going to be better supported by its upstream over time so adding support for pcre2 to the packages we care about is probably a good thing. I wonder if instead of patching pcre2 out of vte, we patch back in support for pcre3 and allow people to choose which they prefer at compile time. This would hopefully be upstreamable.

[1] https://www.pcre.org/ - "The older, but still widely deployed PCRE library, originally released in 1997, is at version 8.42. Its API and feature set are stable -- future releases will be for bugfixes only. Any new features will be added to PCRE2, and not to the PCRE 8.x series."