Hello Andreas,

On 12/12/24 at 14:43, Andreas Tille wrote:
> Hi Santiago,
>
> thank you for working on LTS! Intake is replacing a link to some online
> version of bootstrap3 to avoid privacy breaches of the user[1]. I admit
> we have no capacity to port the code to any later bootstrap version and
> my plan would be to simply drop the patch and rather use the online
> version.

To check if I understand correctly: your plan is to drop [1] as a way to get rid of the dependency?

> For me it looks sensibly safe since a sha sum is provided to
> ensure that the user is working with the correct file.
>
> What do you think?

The problem is that you are not solving the problem, you are rather re-introducing a regression.

1. The online version that would be used (again?) is EOL'ed too, and the user would be impacted by any security issues. Look at the upstream paying version to see how the opposite would work.

2. You would be introducing the privacy breach, because intake users would contact the bootstrap CDN to get the javascript code (of an insecure bootstrap version). The checksum doesn't help here.

> Kind regards
> Andreas.
>
> [1] https://salsa.debian.org/med-team/intake/-/blob/master/debian/patches/fix_privacy_breach.patch?ref_type=heads

[snip]

I am CC'ing Daniel Baumann <daniel.baum...@progress-linux.org>: would it help maintainers and upstreams if we create a wiki page with info/tips from projects that have already moved to bootstrap 5, and that could serve as an example data base?

Cheers,

-- 
Santiago