[Debian-med-packaging] Bug#1088416: Getting rid of twitter-bootstrap3 as trade off for privacy breach
Andreas Tille
tille at debian.org
Sat Dec 14 13:15:27 GMT 2024
Hi Santiago,
On Sat, Dec 14, 2024 at 07:38:40AM -0300, Santiago Ruano Rincón wrote:
> > thank you for working on LTS! Intake is replacing a link to some online
> > version of bootstrap3 to avoid privacy breaches of the user[1]. I admit
> > we have no capacity to port the code to any later bootstrap version and
> > my plan would be to simply drop the patch and rather use the online
> > version.
>
> To check if I understand correctly: your plan is to drop [1] as a way to
> get rid of the dependency?
This would be one way to enable Debian to get rid of the bootstrap3
package (not to bring the package intake into a better state).
> > For me it looks sensibly safe since a sha sum is provided to
> > ensure that the user is working with the correct file.
> >
> > What do you think?
>
> The problem is that you are not solving the problem, you are rather
> re-introducing a regression.
>
> 1. The online version that would be used (again?) is EOL'ed too, and the
> user would be impacted by any security issues. Look at the upstream
> paying version to see how the opposite would work.
What do you mean by "upstream paying version"?
> 2. You would be introducing the privacy breach, because intake users
> would contact the bootstrap CDN to get the javascript code (of an
> insecure bootstrap version). The checksum doesn't help here.
Good argument.
> > [1] https://salsa.debian.org/med-team/intake/-/blob/master/debian/patches/fix_privacy_breach.patch?ref_type=heads
>
> [snip]
>
> I am CC'ing Daniel Baumann <daniel.baumann at progress-linux.org>: would it
> help maintainers and upstreams if we create a wiki page with info/tips
> from projects that have already moved to bootstrap 5, and that could
> serve as an example data base?
So making Debian upstream of quite a few packages (like intake)? It
might help in principle, but we do not have the capacity to do the
porting work.
Kind regards
Andreas.
--
https://fam-tille.de