Comment 6 for bug 1802533

Mathieu Trudel-Lapierre (cyphermox) wrote :

I certainly can't see this as a small and easy package to maintain in general. Fortunately, right now it is in sync with Debian, but it's a pretty big codebase. Any issues that might come up, especially security issues, might be effort-intensive, though at a quick glance I didn't notice anything sensitive popping up -- that said, I only did a quick review of the code -- there's some 260 files of source code.

There don't appear to be open CVEs; the packaging quality is as one would expect.

There appear to be test sources at least for libspa, but those do not seem to get run by the upstream build process when running 'make check'.

Do you need all the binaries in main? You do mention "not libspa-ffmpeg", but what of the other binaries? If this is just for the pipewire binary itself, then it would only require libpipewire-0.2-1 and pipewire.

Assigning to Security Team for a code review.