Hi Santiago,

On Sat, Dec 14, 2024 at 07:38:40AM -0300, Santiago Ruano Rincón wrote:
> > thank you for working on LTS! Intake is replacing a link to some online
> > version of bootstrap3 to avoid privacy breaches of the user[1]. I admit
> > we have no capacity to port the code to any later bootstrap version and
> > my plan would be to simply drop the patch and rather use the online
> > version.
>
> To check if I understand correctly: your plan is to drop [1] as a way to
> get rid of the dependency?

This would be one way to enable Debian getting rid of the bootstrap3
package (not to bring the package intake in a better state).

> > For me it looks sensibly safe since a sha sum is provided to
> > ensure that the user is working with the correct file.
> >
> > What do you think?
>
> The problem is that you are not solving the problem, you are rather
> re-introducing a regression.
>
> 1. The online version that would be used (again?) is EOL'ed too, and the
> user would be impacted by any security issues. Look at the upstream
> paying version to see how the opposite would work.

What do you mean by "upstream paying version"?

> 2. You would be introducing the privacy breach, because intake users
> would contact the bootstrap CDN to get the javascript code (of an
> insecure bootstrap version). The checksum doesn't help here.

Good argument.

> > [1]
> > https://salsa.debian.org/med-team/intake/-/blob/master/debian/patches/fix_privacy_breach.patch?ref_type=heads
>
> [snip]
>
> I am CC'ing Daniel Baumann <daniel.baum...@progress-linux.org>: would it
> help maintainers and upstreams if we create a wiki page with info/tips
> from projects that have already moved to bootstrap 5, and that could
> serve as an example database?

So making Debian upstream of quite a few packages (like intake)? It
might help in principle, but we do not have the capacity to do the
porting work.

Kind regards
     Andreas.

-- 
https://fam-tille.de
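The two points in the quoted reply (the checksum pins an EOL file rather than making it safe, and the CDN is contacted before any checksum is checked) can be made concrete. The following is an added example, not code from the intake package or from anyone in this thread. It assumes the "sha sum" in the patch is used as a Subresource Integrity (SRI) `integrity` attribute on the CDN `<script>` tag; the CDN URL, the file contents and the client details are all constructed for the example.

```python
"""Added illustration, not code from the intake package or this thread.

It models what a Subresource Integrity (SRI) checksum on a CDN <script>
tag buys you when a local copy of bootstrap3 is replaced by a CDN link.
Assumptions: the "sha sum" in the patch is used as an SRI integrity
attribute, and the CDN URL, file contents and client details below are
all constructed for the example.
"""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins; the real URL and file are not shown in the thread.
CDN_URL = "https://cdn.example/bootstrap/3.x/js/bootstrap.min.js"
EOL_BOOTSTRAP_JS = b"/* bootstrap 3.x (EOL) */ window.bootstrap = {};\n"
PATCHED_BOOTSTRAP_JS = b"/* bootstrap 3.x + security fix */ window.bootstrap = {};\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build an SRI integrity value such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Browser-side check: does the fetched body match the pinned digest?"""
    algo, _, expected = integrity.partition("-")
    return hashlib.new(algo, content).digest() == base64.b64decode(expected)


@dataclass
class CdnLog:
    """What the CDN operator records: every request, before any SRI check."""
    requests: List[Dict[str, str]] = field(default_factory=list)


def load_script(url: str, integrity: str,
                served_body: bytes, log: CdnLog) -> Optional[bytes]:
    """Mimic the browser: the request reaches the CDN first, verification
    happens afterwards, and a mismatch only stops execution."""
    log.requests.append({"url": url,
                         "client": "203.0.113.7",               # constructed
                         "referer": "https://intake.example/"})  # constructed
    if not sri_verify(served_body, integrity):
        return None  # blocked from running, but the CDN already saw the visit
    return served_body


def scenario(served_body: bytes) -> Dict[str, object]:
    """Pin the EOL file's hash, then let the CDN serve `served_body`."""
    log = CdnLog()
    pinned = sri_hash(EOL_BOOTSTRAP_JS)
    executed = load_script(CDN_URL, pinned, served_body, log)
    return {"executed": executed is not None,
            "cdn_requests": len(log.requests),
            "cdn_saw_client": log.requests[0]["client"]}


if __name__ == "__main__":
    # 1. Honest CDN: the EOL script runs; the checksum pinned it, it did not fix it.
    print(scenario(EOL_BOOTSTRAP_JS))
    # 2. A patched file: hash mismatch, so the fix is rejected and nothing runs;
    #    the CDN logged the client's request in both cases.
    print(scenario(PATCHED_BOOTSTRAP_JS))
```

The two scenarios show the asymmetry: the integrity hash protects against a CDN serving something other than the pinned bytes, which also means any security fix to that file is rejected until the package is updated, and it does nothing about the request itself, which the CDN sees (with client address and Referer) before the hash is ever compared.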