[Pkg-javascript-devel] dh-sequence-nodejs improvements

Nilesh Patra nilesh at tchncs.de
Fri Feb 4 09:50:46 GMT 2022


Hi Yadd,

On 2/4/22 2:57 PM, Yadd wrote:
> Hi all,
> 
> when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a "maybe-bundled-package" (i.e. webpack/browserify/rollup), it:
>   * generates some pkgjs-lock.json files
>   * generates a ${nodejs:BuiltUsing} variable usable in debian/control
>     (see [1])
> 
> The goal here is to be able to launch a transition in case of a CVE in a source of a bundled package.
> 
> To use ${nodejs:BuiltUsing}, simply add:

Thanks for your work!
I had a question: wouldn't that be a violation of the policy?
Since at the same link you passed, it says:

| This field should be used only when there are license or DFSG requirements to
| retain the referenced source packages. It should not be added solely as a way
| to locate packages that need to be rebuilt against newer versions of their build dependencies.

Although the goal here is to track CVEs, it does not seem to have much to do with licenses.

Actually, even the golang team uses something similar (not exactly the same); please consider looking at this link [2].
They were thinking of doing it along the lines of the rust team, i.e. introducing an XS-<lang>-Built-Using or something similar;
do you think using an XS-javascript-Built-Using could be a more sensible option on our side?

Let me know.

> [1]: https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using
[2]: https://wiki.debian.org/Teams/DebianGoTeam/2020/GoEcosystemIssues#unstable-.3Etesting_migration

Regards,
Nilesh
