Re: Dealing with embedded javascript libraries
On Thu, Oct 27, 2011 at 7:28 AM, Ian Jackson wrote:
> The difficulty is that if we end up with ten different versions of
> some random javascript library, when it turns out to have a security
> vulnerability we need to somehow backport the patch to each of those
> ten versions.
>
> And here "we" means the security team, not the people who uploaded the
> ten versions in the first place.

I would assume the security team would just file bugs and let the
maintainer deal with it, unless the issue is embargoed?

> So this is rather unpalatable.

Agreed with that part.

--
bye,
pabs
http://wiki.debian.org/PaulWise