
Re: How to deal with "assets" packages shadowing real upstream



Quoting Paul Wise (2016-02-29 04:30:02)
> On Mon, Feb 29, 2016 at 5:05 AM, Antonio Terceiro wrote:
>
>> IMO both in this specific case, and in the general case, the correct 
>> technical decision is to track the actual upstream as a proper 
>> Javascript package (supporting both browser usage and NodeJS, if it 
>> makes sense), and make the convenience packages for other languages 
>> use and depend on the proper Javascript one.

Do I read you correctly that in your opinion it _is_ a severe bug to not 
follow the actual upstream when available?  I would agree with that.

So what next?  Do I simply try to assume it is a severe bug even if not 
written into Policy yet, and see if others agree with that - enough that 
eventually we can conclude that yes, this should probably be written into 
Policy?


>> I think this situation is exactly the same as convenience copies of C 
>> libraries: we always want to have a single copy of each library in 
>> the archive, first because of security updates, but also to keep some 
>> level of sanity. In most cases we will be able to do that, and in a 
>> few cases we will have to make -- temporary, one hopes -- exceptions.
>
> Agreed. In the case of exceptions, please tell the security team about 
> them:
>
> https://wiki.debian.org/EmbeddedCodeCopies

I believe you mean exceptions of having only one copy of some code in 
Debian.

What I talk about is exceptions to code being tracked from its real 
source, which I believe is not tracked anywhere, nor treated as a 
security matter in general - I believe it is not currently recognized as 
a matter of concern at all, generally in Debian.  That is why I ask how 
to improve on that (assuming others agree it is something we want to 
improve on).

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
