Re: Dealing with embedded javascript libraries



Pau Garcia i Quiles writes ("Re: Dealing with embedded javascript libraries"):
> On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
> <ijackson@chiark.greenend.org.uk> wrote:
> > The difficulty is that if we end up with ten different versions of
> > some random javascript library, when it turns out to have a security
> > vulnerability we need to somehow backport the patch to each of those
> > ten versions.
> >
> > And here "we" means the security team, not the people who uploaded the
> > ten versions in the first place.
> >
> > So this is rather unpalatable.
> 
> What's the alternative?
> 
> It seems that we only have two choices:
> 
> - Either all packages use the same version of the JavaScript library
...
> - Each package works with the upstream-bundled version of the

We could do this:

 * No JS libraries should be bundled into binary packages; instead,
   each package should Depend on an appropriate separate JS library
   package.

 * JS library packages should be versioned in the name, like C runtime
   library packages are, so that multiple versions are coinstallable.

 * If the number of different versions of a single JS library becomes
   "too large", ftp-master and/or the security team will call a halt
   and the uploads and/or testing migrations of some of them will be
   blocked.

Ian.