[Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2

Jérémy Lal kapouer at melix.org
Thu Jul 4 08:01:17 BST 2024


On Thu, 4 Jul 2024 at 06:33, Salvatore Bonaccorso <carnil at debian.org> wrote:

> Hi,
>
> On Wed, Jul 03, 2024 at 11:36:46PM +0200, Jérémy Lal wrote:
> > On Wed, 3 Jul 2024 at 23:04, Andres Salomon <dilinger at queued.net> wrote:
> >
> > >
> > >
> > > On 6/25/24 16:34, Jérémy Lal wrote:
> > > >
> > > >
> > > > On Tue, 25 Jun 2024 at 22:22, Salvatore Bonaccorso <carnil at debian.org> wrote:
> > > [...]
> > > >
> > > >     Thanks a lot for your work Adrian. Please note that there is currently
> > > >     a nodejs upload pending for releasing via a DSA, which will rebase
> > > >     nodejs to 18.20.3+dfsg-1~deb12u1 so this might invalidate those
> > > >     changes.
> > > >
> > > >     Jérémy, Aron is that something you want to have included in your
> > > >     prepared update?
> > > >
> > > >
> > > > Indeed, it's applied to 18.20.3+dfsg-1~deb12u1, along with other skipped
> > > > tests.
> > > > I'll resume work on this by the end of the week.
> > > >
> > >
> > > While we wait for this, is there any reason to keep the existing
> > > 18.20.3+dfsg-1~deb12u1 upload in the embargoed security queue? Security
> > > packages are actively building against it, which is a bit of a problem
> > > for reproducibility. Someone actually asked me about oddities in the
> > > chromium package that was originally built for bookworm-security, and
> > > now sits in the 12.6 point release. It turns out that it built against
> > > the embargoed nodejs, but since that nodejs package was never released,
> > > they can't use it to reproduce the chromium in 12.6.
> > >
> > > If there's a new nodejs bookworm-security package being uploaded at some
> > > point and the currently embargoed nodejs package will never be released,
> > > perhaps we should REJECT it now?
> > >
> >
> > Sorry, probably me being overbooked here.
> > I was supposed to check the regressions against it, and have been on another job
> > since then.
>
> Aron is taking care of the DSA, so I do not want to interfere here with
> his planning, but sharing an idea: There will be an upcoming release
> for nodejs on Monday, 8th (actually was planned for today):
> https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
>
> Do you think you will be less overbooked, can review the regression
> report and with Aron's help work on fixing the new CVEs for Monday's
> release and we base the update upon that?
>

Yes, I'll have more time next week, so it's doable.


>
> Again, I do not mean to interfere here with how Aron was thinking about
> releasing the packages.
>
> Regards,
> Salvatore
>