[Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2
Salvatore Bonaccorso
carnil at debian.org
Thu Jul 4 05:33:11 BST 2024
Hi,
On Wed, Jul 03, 2024 at 11:36:46PM +0200, Jérémy Lal wrote:
> On Wed, 3 Jul 2024 at 23:04, Andres Salomon <dilinger at queued.net> wrote:
>
> >
> >
> > On 6/25/24 16:34, Jérémy Lal wrote:
> > >
> > >
> > > On Tue, 25 Jun 2024 at 22:22, Salvatore Bonaccorso <carnil at debian.org> wrote:
> > [...]
> > >
> > > Thanks a lot for your work Adrian. Please note that there is currently
> > > a nodejs upload pending for releasing via a DSA, which will rebase
> > > nodejs to 18.20.3+dfsg-1~deb12u1 so this might invalidate those
> > > changes.
> > >
> > > Jérémy, Aron is that something you want to have included in your
> > > prepared update?
> > >
> > >
> > > Indeed, it's applied to 18.20.3+dfsg-1~deb12u1, along with other skipped
> > > tests.
> > > I'll resume work on this by the end of the week.
> > >
> >
> > While we wait for this, is there any reason to keep the existing
> > 18.20.3+dfsg-1~deb12u1 upload in the embargoed security queue? Security
> > packages are actively building against it, which is a bit of a problem
> > for reproducibility. Someone actually asked me about oddities in the
> > chromium package that was originally built for bookworm-security, and
> > now sits in the 12.6 point release. It turns out that it built against
> > the embargoed nodejs, but since that nodejs package was never released,
> > they can't use it to reproduce the chromium in 12.6.
> >
> > If there's a new nodejs bookworm-security package being uploaded at some
> > point and the currently embargoed nodejs package will never be released,
> > perhaps we should REJECT it now?
> >
>
> Sorry, probably me being overbooked here.
> I was supposed to check the regressions against it, and have been on another job
> since then.
Aron is taking care of the DSA, so I do not want to interfere here with
his planning, but sharing an idea: There will be an upcoming release
for nodejs on Monday, 8th (actually was planned for today):

https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Do you think you will be less overbooked, can review the regression
report and with Aron's help work on fixing the new CVEs for Monday's
release and we base the update upon that?

Again, I do not mean to interfere here with how Aron was thinking about
releasing the packages.

Regards,
Salvatore