Bug#565500: must not depend on libthai

Theppitak Karoonboonyanan thep at linux.thai.net
Tue Mar 29 08:20:55 UTC 2011


Package: pango1.0
Followup-For: Bug #565500

For the record, CVE-2009-4012 (DSA-1971) was later analyzed by Red Hat [1]
to be ineffective. Instead, Pango itself was found to be vulnerable.

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=554416

Although I couldn't find an obvious exploit when I got the report, I took
the action immediately anyway, and I don't think taking this as a penalty
is fair.

But yes, technically speaking, downgrading libthai to Recommends is possible,
by splitting pango-thai-lang.so into a new subpackage and letting libpango1.0-0
recommend it. But as Loic said, it's a trade-off. Thai users must be
guaranteed not to miss it in the default installation.

If I'm right, the default installation already includes the recommended
packages. If that's confirmed, the split should not cause problems for Thai
users, while removing it would still be allowed.

BTW, I have got another compelling reason to split: I'd like to re-fork
the removed pango-libthai, after upstream has ignored my proposed patches
for too long (it's 2 years now without any progress). The split, probably
with pango-thai-fc.so as well, should allow an alternative implementation
which I can maintain myself and respond to bugs more quickly.

But if all patches in bug #620001, #620002 and #620004 are accepted into
sid, the urge for the split can be dropped.

Regards,
-- 
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/