
Re: Dealing with embedded javascript libraries



On Thu, Oct 27, 2011 at 7:28 AM, Ian Jackson wrote:

> The difficulty is that if we end up with ten different versions of
> some random javascript library, when it turns out to have a security
> vulnerability we need to somehow backport the patch to each of those
> ten versions.
>
> And here "we" means the security team, not the people who uploaded the
> ten versions in the first place.

I would assume the security team would just file bugs and let the
maintainer deal with it, unless the issue is embargoed?

> So this is rather unpalatable.

Agreed with that part.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

