Pau Garcia i Quiles writes ("Re: Dealing with embedded javascript libraries"):
> On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
> <ijack...@chiark.greenend.org.uk> wrote:
> > The difficulty is that if we end up with ten different versions of
> > some random javascript library, when it turns out to have a security
> > vulnerability we need to somehow backport the patch to each of those
> > ten versions.
> >
> > And here "we" means the security team, not the people who uploaded the
> > ten versions in the first place.
> >
> > So this is rather unpalatable.
>
> What's the alternative?
>
> It seems that we only have two choices:
>
> - Either all packages use the same version of the JavaScript library ...
> - Each package works with the upstream-bundled version of the
We could do this:

 * No JS libraries should be bundled into binary packages; instead, each
   package should Depend on an appropriate separate JS library package.

 * JS library packages should be versioned in the name, like C runtime
   library packages are, so that multiple versions are coinstallable.

 * If the number of different versions of a single JS library becomes "too
   large", ftp-master and/or the security team will call a halt and the
   uploads and/or testing migrations of some of them will be blocked.

Ian.

Archive: http://lists.debian.org/20152.8090.30627.248...@chiark.greenend.org.uk
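The problem both posts describe, many packages each shipping their own copy of one JavaScript library, is only manageable if someone can first enumerate those copies and the distinct versions among them. The following script is an added example, not code from the thread or from Debian's tooling: it walks a directory tree of unpacked packages, picks out files whose name matches a library (here a jQuery-style filename pattern), reads the version banner from each file's header comment, and groups copies by version and content hash so that locally patched copies of the "same" version show up as separate entries. The sample tree it builds is constructed inline with hypothetical package names and paths; the version-banner regex is an assumption about how such libraries label themselves and will report "unknown" for files without a banner.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Assumed banner format: many JS libraries start with a comment such as
# "jQuery JavaScript Library v1.6.4" or "/*! foo.js 2.0.1 */".  We look for
# the first dotted version token in the first 20 lines of the file.
VERSION_RE = re.compile(r"\bv?(\d+\.\d+(?:\.\d+)?)\b")

# Constructed sample tree: five hypothetical packages, four of which carry a
# copy of the library.  pkg-a and pkg-c claim the same version but pkg-c's
# copy was modified locally; pkg-d's copy has no banner at all; pkg-e ships
# an unrelated file that the filename filter must ignore.
SAMPLE_FILES = {
    "pkg-a/usr/share/pkg-a/js/jquery.js":
        "/*!\n * jQuery JavaScript Library v1.6.4\n * http://jquery.com/\n */\n"
        "var jQuery = function(){};\n",
    "pkg-b/usr/share/pkg-b/static/jquery.js":
        "/*!\n * jQuery JavaScript Library v1.4.2\n */\nvar jQuery = function(){};\n",
    "pkg-c/usr/share/pkg-c/jquery.min.js":
        "/*! jQuery v1.6.4 */\nvar jQuery=function(){}; // locally patched copy\n",
    "pkg-d/usr/lib/pkg-d/vendor/jquery.js":
        "var jQuery = function(){};\n",
    "pkg-e/usr/share/pkg-e/app.js":
        "/*! app v9.9.9 */\nconsole.log('not a library copy');\n",
}


def build_sample_tree():
    """Write the constructed sample files into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="jslib-inventory-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def detect_version(text):
    """Return the first version-looking token in the file header, or None."""
    head = "\n".join(text.splitlines()[:20])
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def inventory(root, name_pattern):
    """Find library copies under `root` whose basename matches `name_pattern`.

    Returns {version: {sha256_prefix: [relative paths]}}.  Two copies that
    report the same version but differ in content land under different
    hashes, which is exactly the case where a single backported patch
    cannot simply be reapplied.
    """
    pat = re.compile(name_pattern)
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not pat.match(fn):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            version = detect_version(data.decode("utf-8", "replace")) or "unknown"
            digest = hashlib.sha256(data).hexdigest()[:12]
            found[version][digest].append(os.path.relpath(path, root))
    return found


def distinct_versions(found):
    """Sorted list of version labels present in an inventory."""
    return sorted(found)


def report(found):
    """Human-readable summary: one line per (version, distinct content)."""
    lines = []
    for version in distinct_versions(found):
        for digest, paths in sorted(found[version].items()):
            lines.append(f"{version:>8}  {digest}  {len(paths)} copy/copies: {', '.join(sorted(paths))}")
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_sample_tree()
    print(report(inventory(tree, r"^jquery.*\.js$")))
```

Run against a real tree of unpacked binary packages, the filename pattern is the thing to adapt; the grouping by content hash is what tells a security team whether "ten versions" really means ten distinct files to patch or fewer.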