[Debian-med-packaging] Bug#1088416: Getting rid of twitter-bootstrap3 as trade off for privacy breach
Santiago Ruano Rincón
santiagorr at riseup.net
Sat Dec 14 10:38:40 GMT 2024
Hello Andreas,
On 12/12/24 at 14:43, Andreas Tille wrote:
> Hi Santiago,
>
> thank you for working on LTS! Intake is replacing a link to some online
> version of bootstrap3 to avoid privacy breaches of the user[1]. I admit
> we have no capacity to port the code to any later bootstrap version and
> my plan would be to simply drop the patch and rather use the online
> version.
To check if I understand correctly: your plan is to drop [1] as a way to
get rid of the dependency?
> For me it looks sensibly safe since a sha sum is provided to
> ensure that the user is working with the correct file.
>
> What do you think?
The problem is that you are not solving the problem, you are rather
re-introducing a regression.
1. The online version that would be used (again?) is EOL'ed too, and the
user would be impacted by any security issues. Look at the upstream
paying version to see how the opposite would work.
2. You would be introducing the privacy breach, because intake users
would contact the bootstrap CDN to get the javascript code (of an
insecure bootstrap version). The checksum doesn't help here.
>
> Kind regards
> Andreas.
>
>
> [1] https://salsa.debian.org/med-team/intake/-/blob/master/debian/patches/fix_privacy_breach.patch?ref_type=heads
[snip]
I am CC'ing Daniel Baumann <daniel.baumann at progress-linux.org>: would it
help maintainers and upstreams if we create a wiki page with info/tips
from projects that have already moved to bootstrap 5, and that could
serve as an example data base?
Cheers,
-- Santiago
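As an added example (not part of this thread and not intake's own code), the kind of check the discussion above is about: a small scanner that finds `<script>`/`<link>` references which make the browser contact a third-party host, records whether an `integrity=` (Subresource Integrity) attribute is present, and rewrites matching CDN prefixes to a local path the way a privacy-breach patch does. The CDN hosts, the local `/javascript/...` paths, the sample HTML and its integrity value are constructed for the example; SRI is shown as "present" only, since the hash checks the bytes after the request has already been made to the CDN.

```python
"""Find and localize third-party script/stylesheet references in HTML.

Added example; not code from the original mailing-list thread or from
the intake package. Host names, local paths and the sample page below
are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. The integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
      integrity="sha384-constructedPlaceholderHash" crossorigin="anonymous">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body><img src="/static/logo.png"></body></html>
"""

# Assumed mapping of CDN URL prefixes to locally shipped copies (hypothetical
# paths; the real locations depend on how the distribution packages the library).
LOCAL_REPLACEMENTS = {
    "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/": "/javascript/bootstrap/",
    "//cdn.jsdelivr.net/npm/jquery@3/dist/": "/javascript/jquery/",
}


class RemoteResourceFinder(HTMLParser):
    """Collects every tag whose src/href would leave the local machine."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" in a:
            url = a["src"]
        elif tag == "link" and "href" in a:
            url = a["href"]
        elif tag in ("img", "iframe") and "src" in a:
            url = a["src"]
        else:
            return
        parsed = urlparse(url)
        # Absolute http(s) URLs and protocol-relative "//host/path" both trigger
        # a request to a third-party host; relative paths stay on the server.
        if parsed.scheme in ("http", "https") or url.startswith("//"):
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "host": parsed.netloc,
                "url": url,
                # SRI present or not: either way the request to the CDN happens.
                "has_sri": "integrity" in a,
            })


def find_remote_resources(html):
    """Return a list of findings (dicts) for external resource references."""
    p = RemoteResourceFinder()
    p.feed(html)
    p.close()
    return p.findings


TAG_RE = re.compile(r"<(?:script|link)\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_DROP_RE = re.compile(r'\s+(?:integrity|crossorigin)="[^"]*"', re.IGNORECASE)


def localize(html, replacements):
    """Rewrite known CDN prefixes to local paths inside <script>/<link> tags.

    When a tag was rewritten, its integrity= and crossorigin= attributes are
    dropped: the locally shipped file is not guaranteed to be byte-identical to
    the CDN build the hash was computed for, and a stale SRI hash would make the
    browser refuse to load the local copy.
    """
    def fix(m):
        tag = m.group(0)
        new = tag
        for remote, local in replacements.items():
            new = new.replace(remote, local)
        if new != tag:
            new = ATTR_DROP_RE.sub("", new)
        return new
    return TAG_RE.sub(fix, html)


if __name__ == "__main__":
    for f in find_remote_resources(SAMPLE_HTML):
        sri = "with SRI" if f["has_sri"] else "no SRI"
        print(f"line {f['line']}: <{f['tag']}> contacts {f['host']} ({sri})")
    fixed = localize(SAMPLE_HTML, LOCAL_REPLACEMENTS)
    print("remaining external references:", len(find_remote_resources(fixed)))
```

Run against a package's templates or built HTML, a non-empty result from `find_remote_resources` is the privacy breach regardless of the `has_sri` flag; `localize` is the mechanical part of the fix, but it only removes the network contact if a local copy of the same major version is actually installed at the path it points to.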