Re: How to deal with "assets" packages shadowing real upstream
On Mon, Feb 29, 2016 at 5:05 AM, Antonio Terceiro wrote:
> IMO both in this specific case, and in the general case, the correct
> technical decision is to track the actual upstream as a proper
> JavaScript package (supporting both browser usage and NodeJS, if it
> makes sense), and make the convenience packages for other languages use
> and depend on the proper JavaScript one.
>
> I think this situation is exactly the same as convenience copies of C
> libraries: we always want to have a single copy of each library in the
> archive, first because of security updates, but also to keep some level
> of sanity. In most cases we will be able to do that, and in a few cases
> we will have to make -- temporary, one hopes -- exceptions.
Agreed. In the case of exceptions, please tell the security team about them:
https://wiki.debian.org/EmbeddedCodeCopies
--
bye,
pabs
https://wiki.debian.org/PaulWise