[Pkg-javascript-devel] Bug#773671: Unfixed old CVEs should really be RC
Adrian Bunk
bunk at debian.org
Mon Apr  3 18:13:56 UTC 2017

On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > Control: severity -1 serious
> > 
> > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > 4 years old when stretch gets released.
> > 
> > In the current state the package is really too buggy for shipping
> > in a new stable release.
> 
> Note that nodejs will not be covered by security support in stretch (as it was
> done for jessie already). We had initially considered it, but with
> nodejs 6 not having made it into stretch, that's not realistic.
> 
> So these can be downgraded to non-RC (or if the release team thinks
> nodejs should rather be removed from testing, removal is also an option
> of course).

This is not even the normal Node.js, this is a version of V8 from an
upstream branch that has been dead for 4 years already.

> Cheers,
>         Moritz

cu
Adrian
-- 
       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed