
Re: How to deal with "assets" packages shadowing real upstream



On Mon, Feb 29, 2016 at 5:05 AM, Antonio Terceiro wrote:

> IMO both in this specific case, and in the general case, the correct
> technical decision is to track the actual upstream as a proper
> Javascript package (supporting both browser usage and NodeJS, if it
> makes sense), and make the convenience packages for other languages use
> and depend on the proper Javascript one.
>
> I think this situation is exactly the same as convenience copies of C
> libraries: we always want to have a single copy of each library in the
> archive, first because of security updates, but also to keep some level
> of sanity. In most cases we will be able to do that, and in a few cases
> we will have to make -- temporary, one hopes -- exceptions.

Agreed. In the case of exceptions, please tell the security team about them:

https://wiki.debian.org/EmbeddedCodeCopies

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

