[Pkg-javascript-devel] Bug#963764: Bug#963764: Bug#963764: node-node-sass: uses embedded old security-buggy libsass

Nilesh Patra npatra974 at gmail.com
Wed Jul 8 16:13:49 BST 2020


On Wed, 8 Jul 2020, 20:38 Jonas Smedegaard, <jonas at jones.dk> wrote:

> Quoting Nilesh Patra (2020-07-08 17:00:01)
> > On Wed, 8 Jul 2020, 20:22 Jonas Smedegaard, <jonas at jones.dk> wrote:
> >
> > > Quoting Nilesh Patra (2020-07-08 16:26:34)
> > > > On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jonas at jones.dk> wrote:
> > > > > Please strongly consider to not only make the package link with
> > > > > system-shared libsass, but also repackage upstream tarball with
> > > > > embedded code copy removed, to ensure not accidentally using that
> > > > > code (and to lighten the size of what gets distributed in Debian and
> > > > > simplify copyright tracking and ease security tracking).
> > > >
> > > >
> > > > @Jonas:
> > > > I considered the same approach after the first source-only upload was
> > > > done.
> > > > However, it might so happen that going forward the version of sass is
> > > > updated to a newer upstream, and Debian adapts to that particular
> > > > release, but the node-sass upstream might only have support for
> > > > libsass 3.6.3 - considering that upstream of node-node-sass is slower
> > > > to adapt to changes.
> > > >
> > > > This would cause node-node-sass to FTBFS.
> > >
> > > Yes. That is how Debian generally works.
> > >
> > > Please explain why this package needs exceptional handling.
> >
> >
> > The upstream for node-node-sass took a considerable amount of time to
> > switch to libsass 3.6.3, and there is still no official upstream release
> > yet.
> >
> > The same situation may arise in future, and it might take many months for
> > upstream to adapt.
> >
> > Hence I considered it _might_ be sensible to keep the copy.
> >
> > However, I admit that your reasoning is right here - this probably
> > doesn't need exceptional handling.
>
> None of us can predict the future.  But we can choose to assume that
> this package will evolve badly in the future or that it will evolve
> well.
>

Correct.


> If we expect this package to evolve badly, then we should *not* keep an
> embedded copy of libsass, but instead remove this package and all its
> reverse dependencies, because libsass has been proven insecure if left
> unmaintained,


It has a few reverse dependencies - I mainly packaged this for getting
node-mermaid to Debian which is still in NEW, and hopefully will be
accepted.
I am interested in maintaining mermaid and hence do not want to remove
node-node-sass.

Maybe I'll keep nagging the upstream for evolving this properly time and
again ;-)

Kind regards,
Nilesh
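The two checks Jonas asks for above (build against the system-shared libsass, and keep no embedded copy in the source tree) can be verified mechanically. The script below is an added example, not part of this thread or of the node-node-sass package; it assumes upstream keeps its copy under src/libsass and that the built addon is a binding.node file.

```shell
#!/bin/sh
# Assumption: upstream node-sass ships its libsass copy under src/libsass.
# When the Debian tarball is repacked with "Files-Excluded: src/libsass" in
# debian/copyright, that directory must be gone from the unpacked source.
no_embedded_libsass() {
    if [ -d "$1/src/libsass" ]; then
        echo "embedded libsass copy still present: $1/src/libsass" >&2
        return 1
    fi
    return 0
}

# $1 is a file holding the dynamic-dependency listing of the built addon
# (what `ldd binding.node` prints). A build that linked the shared system
# library lists libsass.so*; a build that compiled the embedded copy in
# statically shows no libsass entry at all, so the old code would still
# be in use even with the source copy removed.
links_system_libsass() {
    grep -q 'libsass\.so' "$1"
}

# Run both checks: $1 is the unpacked source tree, $2 the built binding.node.
check_node_sass_build() {
    tree="$1"; binding="$2"
    tmp="${TMPDIR:-/tmp}/ldd.$$"
    no_embedded_libsass "$tree" || return 1
    ldd "$binding" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    links_system_libsass "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running `check_node_sass_build . build/Release/binding.node` after `dpkg-buildpackage` fails if either the source copy survived the repack or the addon does not link the shared libsass.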