[Pkg-javascript-devel] Bug#760385: Unfixed old CVEs should really be RC

Moritz Muehlenhoff jmm at inutil.org
Mon Apr 3 19:01:34 UTC 2017


On Mon, Apr 03, 2017 at 09:13:56PM +0300, Adrian Bunk wrote:
> On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> > On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > > Control: severity -1 serious
> > > 
> > > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > > 4 years old when stretch gets released.
> > > 
> > > In the current state the package is really too buggy for shipping
> > > in a new stable release.
> > 
> > Note that nodejs will not be covered by security support in stretch (as it was
> > done for jessie already). We had initially considered it, but with
> > nodejs 6 not having made it into stretch, that's not realistic.
> > 
> > So these can be downgraded to non-RC (or if the release team thinks
> > nodejs should rather be removed from testing, removal is also an option
> > of course).
> 
> This is not even the normal Node.js, this is a version of V8 from an 
> upstream branch that is dead for 4 years already.

Right. Initially there was some plan to provide a supported libv8
from src:nodejs, though.

libv8 has never been covered by security support in any Debian release
so far, upstream does no real security support apart from what lands
in Chrome.

Cheers,
        Moritz


