[Pkg-javascript-devel] Potential MBF: Migration from twitter-bootstrap{3, 4} to bootstrap-html (v5)

Emilio Pozuelo Monfort pochu at debian.org
Fri Feb 7 09:47:15 GMT 2025


On 06/02/2025 09:21, Paul Gevers wrote:
> Hi Security team, Santiago,
> 
> On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
>> You may probably be aware that I filed the bootstrap v5
>> migration-related bugs, which can be listed with:
>> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org
>>
>> Do you believe their severity could be increased? If yes, to important,
>> to grave?
>>
>> It would be great to get rid of the dependencies on those unmaintained
>> bootstrap versions, whose outstanding (minor-severity) CVEs are
>> difficult to get fixed, and it will be the case for any future issue.
>> https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
>> https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
>>
>> The time for fixing all of those dependencies is probably too short for
>> trixie. But I would bring it for discussion.
> 
> @Santiago, are there key packages involved in this? If so, which?
> 
> What's the opinion of the security team on this? I want to follow your lead 
> here. If you think it's better from a security standpoint to not have this in 
> trixie, I'm fine with raising severity now (assuming no key packages are involved).

I checked for twitter-bootstrap3 and there are 77 (build-)rdeps in testing, of 
which 7 are key packages:

ffmpeg
fmtlib
guzzle-sphinx-theme
jupyter-server
libevdev
pydoctor
ruby-sidekiq

I haven't checked twitter-bootstrap4.

Cheers,
Emilio
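The check Emilio describes above, counting the (build-)reverse dependencies of an unmaintained library package and flagging which of them are key packages, is shown below as an added example. It is not code from this thread or from Debian's own tooling: it parses deb822-style Sources and Packages stanzas that are constructed sample data (real package names are borrowed from the mail where possible, versions are invented), and assumes `libjs-bootstrap` and `libjs-bootstrap4` as the binaries built from the twitter-bootstrap source packages and a small constructed key-package set. On a real system the stanzas would come from the apt lists (or `apt-cache rdepends` / `grep-dctrl`) and the key-package list from UDD.

```python
"""Blast-radius check for an unmaintained library package: which sources
in the archive (build-)depend on it, and how many of those are key packages.

Added example, not code from the thread or from Debian's own tooling. All
data below is constructed sample input.
"""
import re
from collections import defaultdict

# Constructed Sources stanzas (deb822 format, no continuation lines).
SAMPLE_SOURCES = """\
Package: ffmpeg
Build-Depends: debhelper-compat (= 13), doxygen, libjs-bootstrap (>= 3.4) | libjs-bootstrap4

Package: libevdev
Build-Depends: debhelper-compat (= 13), python3-sphinx, libjs-bootstrap

Package: hypothetical-app
Build-Depends: debhelper-compat (= 13)
"""

# Constructed Packages stanzas (binary packages, with their Source field).
SAMPLE_PACKAGES = """\
Package: python3-pydoctor
Source: pydoctor (1.2-1)
Depends: python3:any (>= 3.11), libjs-bootstrap

Package: hypothetical-dashboard
Source: hypothetical-dashboard
Depends: libjs-bootstrap4, libjs-jquery

Package: libevdev-dev
Source: libevdev
Depends: libevdev2 (= 1.13.1+dfsg-1)
"""

# Constructed: a subset of the key packages named in the mail.
SAMPLE_KEY_PACKAGES = {"ffmpeg", "libevdev", "pydoctor"}

# Assumed: binary packages built from twitter-bootstrap3 / twitter-bootstrap4.
TARGET_BINARIES = {"libjs-bootstrap", "libjs-bootstrap4"}


def parse_stanzas(text):
    """Split deb822 text on blank lines into a list of {field: value} dicts."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def dependency_names(field_value):
    """Return the bare package names in a Depends/Build-Depends field.

    Items are comma-separated; each may list '|' alternatives; each
    alternative may carry a version constraint in (), an architecture
    qualifier in [], a build profile in <>, or an ':any' suffix. All of
    those are stripped so that alternatives still count as a dependency.
    """
    names = set()
    if not field_value:
        return names
    for item in field_value.split(","):
        for alt in item.split("|"):
            name = re.sub(r"[\(\[<].*$", "", alt).strip().split(":")[0]
            if name:
                names.add(name)
    return names


def reverse_dependencies(sources_text, packages_text, targets):
    """Map each source package that (build-)depends on a target binary to
    the set of target names it references. Binary Depends are attributed
    to the binary's Source (version suffix dropped), falling back to its
    own name when there is no Source field."""
    rdeps = defaultdict(set)
    for src in parse_stanzas(sources_text):
        hit = dependency_names(src.get("Build-Depends")) & targets
        if hit:
            rdeps[src["Package"]] |= hit
    for binary in parse_stanzas(packages_text):
        hit = dependency_names(binary.get("Depends")) & targets
        if hit:
            source = binary.get("Source", binary["Package"]).split()[0]
            rdeps[source] |= hit
    return dict(rdeps)


def key_package_hits(rdeps, key_packages):
    """Sorted list of reverse dependencies that are key packages."""
    return sorted(set(rdeps) & key_packages)


if __name__ == "__main__":
    rd = reverse_dependencies(SAMPLE_SOURCES, SAMPLE_PACKAGES, TARGET_BINARIES)
    print(f"{len(rd)} (build-)rdeps:", sorted(rd))
    print("of which key packages:", key_package_hits(rd, SAMPLE_KEY_PACKAGES))
```

Counting alternatives as dependencies matches how the archive tooling behaves: a package that lists `libjs-bootstrap | libjs-bootstrap4` is still blocked from migrating cleanly until the alternative it actually installs is fixed, which is why the severity question in the thread hinges on the key-package subset rather than the raw count.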
