[Pkg-javascript-devel] dh-sequence-nodejs improvements
Yadd
yadd at debian.org
Fri Feb 4 10:06:53 GMT 2022
On 04/02/2022 10:50, Nilesh Patra wrote:
> Hi Yadd,
>
> On 2/4/22 2:57 PM, Yadd wrote:
>> Hi all,
>>
>> when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a
>> "maybe-bundled-package" (i.e. webpack/browserify/rollup), it:
>> * generates some pkgjs-lock.json files
>> * generates a ${nodejs:BuiltUsing} variable usable in debian/control
>> (see [1])
>>
>> The goal here is to be able to launch a transition in case of a CVE in a
>> source of a bundled package.
>>
>> To use ${nodejs:BuiltUsing}, simply add:
>
> Thanks for your work!
> I had a question: wouldn't that be a violation of the policy?
> Since at the same link you passed, it says:
>
> | This field should be used only when there are license or DFSG
> | requirements to retain the referenced source packages. It should not
> | be added solely as a way to locate packages that need to be rebuilt
> | against newer versions of their build dependencies.
You're right, it's probably not the good field.
> Although the goal here is to track CVEs, it does not seem to do
> much with licenses.
>
> Actually, even the golang team uses something similar (not exactly the same);
> please consider looking at this link [2]
> and they were thinking of doing
> it on something on the lines of the rust team, i.e. introducing a
> XS-<lang>-Built-Using or something similar;
> do you think using a XS-javascript-Built-Using could be a more sensible
> option on our side?
>
> Let me know.
Or X-Javascript-Built-Using?
>> [1]:
>> https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using
>>
> [2]:
> https://wiki.debian.org/Teams/DebianGoTeam/2020/GoEcosystemIssues#unstable-.3Etesting_migration
>
>
> Regards,
> Nilesh