> On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
> <email@example.com> wrote:
> > The difficulty is that if we end up with ten different versions of
> > vulnerability we need to somehow backport the patch to each of those
> > ten versions.
> > And here "we" means the security team, not the people who uploaded the
> > ten versions in the first place.
> > So this is rather unpalatable.
> What's the alternative?
> It seems that we only have two choices:
> - Each package works with the upstream-bundled version of the
We could do this:
* No JS libraries should be bundled into binary packages; instead,
each package should Depend on an appropriate separate JS library
* JS library packages should be versioned in the name, like C runtime
library packages are, so that multiple versions are coinstallable.
* If the number of different versions of a single JS library becomes
"too large", ftp-master and/or the security team will call a halt
and the uploads and/or testing migrations of some of them will be