[Pkg-javascript-devel] Bug#773671: Bug#773671: libv8-3.14: multiple security issues

Bálint Réczey balint at balintreczey.hu
Mon Dec 29 11:28:30 UTC 2014


Hi Moritz,

2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff <jmm at inutil.org>:
> On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
>> package: src:libv8-3.14
>> severity: grave
>> tags: security
>>
>> Hi,
>>
>> the following vulnerabilities were published for libv8-3.14.
>
> So if I'm understanding the discussion on debian-devel correctly
> the libv8 maintainers want to see this treated as an RC-bug.
> Please clarify your intentions, do you
>
> a) intend to fix these issues with patches and if that's not possible
> remove libv8 along with its rev deps?
>
> b) want to keep this with RC severity and tag it jessie-ignore.
> I would consider that rather broken since foo-ignore is used for
> issues which are ignored for once, but which will be addressed
> in release+1. I don't see the libv8 situation change upstream...

The rationale behind opening the RC bugs was improving transparency on
my side. I think more people follow bugs than the security tracker.
I think the call between a) and b) is up to release management, but my
interpretation for b) is a bit different.
There are RC bugs ignored for several releases, thus I think foo-ignore
is not strictly for one-off issues and b) would be the proper way of
letting libv8 be released with Jessie if the security issues stay open.

Cheers,
Balint



>
> c) plan something else I'm missing
>
> Cheers,
>         Moritz


