[Pkg-javascript-devel] Bug#963764: node-node-sass: uses embedded old security-buggy libsass

Jonas Smedegaard jonas at jones.dk
Wed Jul 8 16:07:59 BST 2020


Quoting Nilesh Patra (2020-07-08 17:00:01)
> On Wed, 8 Jul 2020, 20:22 Jonas Smedegaard, <jonas at jones.dk> wrote:
> 
> > Quoting Nilesh Patra (2020-07-08 16:26:34)
> > > On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jonas at jones.dk> wrote:
> > > > Please strongly consider to not only make the package link with
> > > > system-shared libsass, but also repackage upstream tarball with
> > > > embedded code copy removed, to ensure not accidentally using that
> > > > code (and to lighten the size of what gets distributed in Debian and
> > > > simplify copyright tracking and ease security tracking).
> > >
> > >
> > > @Jonas:
> > > I considered the same approach after the first source-only upload was
> > > done.
> > > However, it might so happen that going forward the version of sass is
> > > updated to a newer upstream, and Debian adapts to that particular
> > > release, but the node-sass upstream might only have support for
> > > libsass 3.6.3 - considering that upstream of node-node-sass is slower
> > > to adapt to changes.
> > >
> > > This would cause node-node-sass to FTBFS.
> >
> > Yes. That is how Debian generally works.
> >
> > Please explain why this package needs exceptional handling.
> 
> 
> The upstream for node-node-sass took a considerable amount of time to
> switch to libsass 3.6.3, and there is still no official upstream release
> yet.
> 
> The same situation may arise in future, and it might take many months for
> upstream to adapt.
> 
> Hence I considered it _might_ be sensible to keep the copy.
> 
> However, I admit that your reasoning is right here - this probably doesn't
> need exceptional handling.

None of us can predict the future.  But we can choose to assume that 
this package will evolve badly in the future or that it will evolve 
well.

If we expect this package to evolve badly, then we should *not* keep an 
embedded copy of libsass, but instead remove this package and all its 
reverse dependencies, because libsass has been proven insecure if left 
unmaintained,


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20200708/492fed18/attachment.sig>
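The two checks below are an added example and are not part of this bug thread, of the node-node-sass package or of Debian's tooling: a small POSIX shell script a packager could run after unpacking a repacked tarball and after building, to confirm that the embedded libsass copy is really gone and that the built binding is dynamically linked against the shared system libsass rather than a vendored copy. The `src/libsass` directory and the `binding.node` file name are assumptions about the upstream layout.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the package.
# Assumed layout: upstream vendors libsass under src/libsass and the
# native addon is built as binding.node.

# Return 0 when the unpacked source tree carries no embedded libsass copy,
# 1 when any file is still present under src/libsass.
no_embedded_libsass() {
    tree="$1"
    if [ -d "$tree/src/libsass" ] &&
       [ -n "$(find "$tree/src/libsass" -type f | head -n 1)" ]; then
        echo "embedded libsass copy still present in $tree/src/libsass" >&2
        return 1
    fi
    return 0
}

# Return 0 when the built binding links the shared system libsass
# (libsass.so appears in its dynamic dependencies), 1 when the file is
# missing or libsass was linked statically from a vendored copy.
links_system_libsass() {
    binding="$1"
    if [ ! -r "$binding" ]; then
        echo "no such binding: $binding" >&2
        return 1
    fi
    if ldd "$binding" 2>/dev/null | grep -q 'libsass\.so'; then
        return 0
    fi
    echo "$binding does not link libsass.so; embedded copy likely used" >&2
    return 1
}

# Usage: run both checks against the unpacked tree and the built addon;
# any non-zero exit is a reason to fail the build.
check_package() {
    no_embedded_libsass "$1" && links_system_libsass "$2"
}
```

Running `check_package path/to/unpacked/source path/to/binding.node` from debian/rules (or an autopkgtest) turns the "not accidentally using that code" concern from the thread into a build-time failure instead of something noticed only after a libsass security update lands.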
