[Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2

Andres Salomon dilinger at queued.net
Wed Jul 17 22:15:07 BST 2024


On 7/4/24 03:01, Jérémy Lal wrote:
> 
> 
> On Thu, 4 Jul 2024 at 06:33, Salvatore Bonaccorso <carnil at debian.org> wrote:
> 
>     Hi,
> 
>     On Wed, Jul 03, 2024 at 11:36:46PM +0200, Jérémy Lal wrote:
>      > On Wed, 3 Jul 2024 at 23:04, Andres Salomon <dilinger at queued.net> wrote:
[...]
>      > > While we wait for this, is there any reason to keep the existing
>      > > 18.20.3+dfsg-1~deb12u1 upload in the embargoed security queue? Security
>      > > packages are actively building against it, which is a bit of a problem
>      > > for reproducibility. Someone actually asked me about oddities in the
>      > > chromium package that was originally built for bookworm-security, and
>      > > now sits in the 12.6 point release. It turns out that it built against
>      > > the embargoed nodejs, but since that nodejs package was never released,
>      > > they can't use it to reproduce the chromium in 12.6.
>      > >
>      > > If there's a new nodejs bookworm-security package being uploaded at some
>      > > point and the currently embargoed nodejs package will never be released,
>      > > perhaps we should REJECT it now?
>      > >
>      >
>      > Sorry, probably me being overbooked here.
>      > I was supposed to check the regressions against it, and have been on
>      > another job since then.
> 
>     Aron is taking care of the DSA, so I do not want to interfere here with
>     his planning, but sharing an idea: there will be an upcoming release
>     for nodejs on Monday, 8th (it was actually planned for today):
>     https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
> 
>     Do you think you will be less overbooked, can review the regression
>     report and, with Aron's help, work on fixing the new CVEs for Monday's
>     release, so that we base the update upon that?
> 
> 
> Yes, I'll have more time next week, so it's doable.
> 
> 
>     Again, I do not mean to interfere here with what Aron was thinking about
>     for releasing the packages.
> 

I just uploaded another chromium security update, and it's once again 
building against a version of nodejs that hasn't been released to the 
public.

I encourage Jérémy to take as long as he needs to in ensuring that the 
nodejs upload (whether 18.19.x or 18.20.x) is properly tested and to his 
preferred standard of quality rather than attempting to squeeze it in 
based on my nagging him. And I also want to thank him for his continued 
handling of nodejs.

However, in the meantime while we wait for the nodejs upload to be ready 
for release, I'd encourage the security team to:

a) REJECT the upload until Jérémy has time to ensure it's ready for 
release (unless Jérémy objects), and

b) come up with a policy about how long embargoed security uploads that 
aren't quite ready for release can sit in the queue (and get used by 
other uploads for building) before removing them.

Thanks,
Andres

-- 
I'm available for contract & employment work, see:
https://spindle.queued.net/~dilinger/resume-tech.pdf