[Pkg-javascript-devel] Bug#963764: Bug#963764: Bug#963764: node-node-sass: uses embedded old security-buggy libsass

Nilesh Patra npatra974 at gmail.com
Wed Jul 8 16:00:01 BST 2020


On Wed, 8 Jul 2020, 20:22 Jonas Smedegaard, <jonas at jones.dk> wrote:

> Quoting Nilesh Patra (2020-07-08 16:26:34)
> > On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jonas at jones.dk> wrote:
> > > Please strongly consider to not only make the package link with
> > > system-shared libsass, but also repackage upstream tarball with
> > > embedded code copy removed, to ensure not accidentally using that
> > > code (and to lighten the size of what gets distributed in Debian and
> > > simplify copyright tracking and ease security tracking).
> >
> >
> > @Jonas:
> > I considered the same approach after the first source-only-upload was done.
> > However, it might so happen that going forward the version of sass is
> > updated to a newer upstream, and Debian adapts to that particular release,
> > but the node-sass upstream might only have support for libsass 3.6.3 -
> > considering that upstream of node-node-sass is slower to adapt to changes.
> >
> > This would cause node-node-sass to FTBFS.
>
> Yes. That is how Debian generally works.
>
> Please explain why this package needs exceptional handling.


The upstream for node-node-sass took a considerable amount of time to
switch to libsass 3.6.3, and there is still no official upstream release
yet.

The same situation may arise in future, and it might take many months for
upstream to adapt.

Hence I considered it _might_ be sensible to keep the copy.

However, I admit that your reasoning is right here - this probably doesn't
need exceptional handling.


Kind regards,
Nilesh