[Pkg-javascript-devel] Bug#963764: node-node-sass: uses embedded old security-buggy libsass

Jonas Smedegaard jonas at jones.dk
Wed Jul 8 15:52:14 BST 2020


Quoting Nilesh Patra (2020-07-08 16:26:34)
> On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jonas at jones.dk> wrote:
> > Please strongly consider not only making the package link with 
> > the system-shared libsass, but also repackaging the upstream tarball with 
> > the embedded code copy removed, to ensure that code is not accidentally 
> > used (and to lighten the size of what gets distributed in Debian, 
> > simplify copyright tracking, and ease security tracking).
> 
> @Jonas:
> I considered the same approach after the first source-only-upload was done.
> However, it might so happen that going forward the version of sass is
> updated to a newer upstream, and Debian adapts to that particular release,
> but the node-sass upstream might only have support for libsass 3.6.3 -
> considering that upstream of node-node-sass is slower to adapt to changes.
> 
> This would cause node-node-sass to FTBFS.

Yes. That is how Debian generally works.

Please explain why this package needs exceptional handling.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private