[Pkg-javascript-devel] Bug#963764: Bug#963764: Bug#963764: node-node-sass: uses embedded old security-buggy libsass
Jonas Smedegaard
jonas at jones.dk
Wed Jul 8 16:46:09 BST 2020
Quoting Nilesh Patra (2020-07-08 17:13:49)
> On Wed, 8 Jul 2020, 20:38 Jonas Smedegaard, <jonas at jones.dk> wrote:
> > If we expect this package to evolve badly, then we should *not* keep
> > an embedded copy of libsass, but instead remove this package and all
> > its reverse dependencies, because libsass has been proven insecure
> > if left unmaintained,
>
> It has a few reverse dependencies - I mainly packaged this for getting
> node-mermaid to Debian which is still in NEW, and hopefully will be
> accepted. I am interested in maintaining mermaid and hence do not want
> to remove node-node-sass.
I don't want packages removed either - and for this one specifically, I
very much look forward to having mermaid in Debian - cool stuff!
My point was that it is not a viable path forward to expect upstream
code to evolve badly: Either there is some expectancy of healthy
maintenance upstream, or it is unsuitable for inclusion in Debian -
there is no third option of (...or we stuff the package with dead code
to keep it limping).
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private